[messaging] Forward secrecy and multiple devices
Nadim Kobeissi
nadim at nadim.computer
Fri Oct 31 07:41:22 PDT 2014
Dear Ximin,
Thanks very much for your explanation. Unfortunately, it only confirms
my pessimistic assumptions regarding the possibility of true forward
secrecy on multiple devices. I was hoping this list would be aware of
some kind of breakthrough I've missed out on, but that doesn't seem to
be the case.
Hope you're doing well. :-)
NK
------ Original Message ------
From: "Ximin Luo" <infinity0 at pwned.gg>
To: "messaging" <messaging at moderncrypto.org>
Sent: 2014-10-31 10:14:04 AM
Subject: Re: [messaging] Forward secrecy and multiple devices
>Forward secrecy is the inability to decrypt ciphertext after it's been
>decrypted the first time, by throwing away (enough of) the decryption
>key-material. If you want to be able to decrypt it indefinitely
>onwards, it defeats the point.
>
>If you want to encrypt a message to multiple devices in a
>forward-secret way, the maximum you can achieve is to have it
>decryptable (i.e. not forward secret) until the last device that reads
>the message throws away its ephemeral decryption key, at which point
>you gain the property of "forward secrecy".
>
>As long as key material exists somewhere to be able to decrypt whatever
>ciphertext you store wherever, *by definition* this situation is not
>forward-secret. Sorry...
>
>The schemes other people described are forward-secret for only *part*
>of the message lifetime. It may be the case that these "partial"
>forward-secrecy schemes make sense for certain use cases. For example,
>if the (re-encrypted) ciphertext is only exposed on private
>infrastructure e.g. locally on each target device, or on "trusted
>third-party infrastructure" (lol), this may arguably be a bit safer
>than simply storing the original ciphertext (that was seen by the
>adversary) and ephemeral key. This is dangerous territory to go into,
>though.
>
>X
>
>On 31/10/14 13:04, Nadim Kobeissi wrote:
>> Hi everyone,
>> I've been wondering about how to make asynchronous forward-secret
>>messaging systems work when the user is accessing message history from
>>multiple devices.
>>
>> Say I send a bunch of messages from computer A to another user's
>>computer U.
>> Later, I buy myself a new computer B on which I want to download and
>>decrypt my message history.
>>
>> If the messages I sent all relied on my long-term identity, then I
>>can just use my long-term key pair to decrypt the messages on computer
>>B and there wouldn't be a problem.
>>
>> However, I am wondering how that would work in case I was using
>>forward-secret session keys that changed message by message. How would
>>the session secrets be communicated across devices? How would computer
>>B be able to decrypt my forward-secret messages sent from computer A?
>>
>> It would be great to hear the opinion of the many experts on this
>>list regarding this matter.
>>
>> Regards,
>> NK
>>
>
>--
>GPG: 4096R/1318EFAC5FBBDBCE
>git://github.com/infinity0/pubkeys.git
>
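An added illustration of the two points made in this thread, not code from either poster and not any real messaging protocol: a toy hash ratchet in Python. Device B receiving a copy of A's *current* ratchet state can derive keys for messages sent after the sync but not for the history, because the chain only runs forward and old chain keys are overwritten; the "partial" scheme Ximin describes works only because A keeps a message key and re-encrypts it to B, so that message is readable for as long as any copy of that key survives. The ratchet, the encrypt-then-MAC message format, the randomly generated session secret (standing in for an ephemeral DH result) and B's device key are all assumptions constructed for the example.

```python
"""Toy symmetric ratchet: what a second device can and cannot decrypt.
Added example; not code from the thread and not any real protocol.
The ratchet, message format, session secret and device key are assumptions."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def kdf(key: bytes, label: bytes) -> bytes:
    """Domain-separated derivation: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    blocks = (length + 31) // 32
    return b"".join(kdf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; both sub-keys are split from one message key."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(message_key: bytes, ciphertext: bytes) -> bytes:
    """Verify the tag first; a wrong message key raises ValueError."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    nonce, body, tag = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:-TAG_LEN], ciphertext[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong message key")
    return bytes(c ^ s for c, s in zip(body, _keystream(enc_key, nonce, len(body))))


def can_decrypt(message_key: bytes, ciphertext: bytes) -> bool:
    try:
        decrypt(message_key, ciphertext)
        return True
    except ValueError:
        return False


class Ratchet:
    """One sending direction. Each step yields a message key and replaces the
    chain key, so earlier message keys cannot be recomputed from current state."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def step(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        return message_key

    def snapshot(self) -> "Ratchet":
        """What a state sync to another device carries: the current chain key."""
        return Ratchet(self.chain_key)


def new_session():
    # Stand-in for an ephemeral session secret shared by A and U; device B did
    # not exist when it was agreed (constructed assumption).
    session_secret = secrets.token_bytes(32)
    return Ratchet(kdf(session_secret, b"A->U")), Ratchet(kdf(session_secret, b"A->U"))


def sync_current_state() -> dict:
    """Device B receives only A's current ratchet state, nothing retained."""
    a_send, u_recv = new_session()
    history = [encrypt(a_send.step(), m) for m in (b"first", b"second", b"third")]
    u_reads = [decrypt(u_recv.step(), ct) for ct in history]
    b_view = a_send.snapshot()                       # the sync happens here
    ct_fourth = encrypt(a_send.step(), b"fourth")
    b_reads_fourth = decrypt(b_view.step(), ct_fourth)
    # The chain only runs forward: none of the next keys B can derive (nor any
    # state left on A or U) is the key that protected history[0].
    b_reads_first = any(can_decrypt(b_view.step(), history[0]) for _ in range(10))
    return {"u_reads": u_reads, "b_reads_fourth": b_reads_fourth, "b_reads_first": b_reads_first}


def wrap_retained_key() -> dict:
    """The 'partial' scheme: A keeps the message key and re-encrypts it to B.
    The message stays decryptable until every copy of that key is deleted."""
    a_send, u_recv = new_session()
    b_device_key = secrets.token_bytes(32)           # assumption: B holds its own key
    mk = a_send.step()                               # A deliberately does NOT discard mk
    ct = encrypt(mk, b"first")
    u_reads = decrypt(u_recv.step(), ct)
    wrapped_for_b = encrypt(b_device_key, mk)        # only possible because mk was kept
    b_reads = decrypt(decrypt(b_device_key, wrapped_for_b), ct)
    # While mk, wrapped_for_b or b_device_key exists anywhere, ct is not forward secret.
    still_readable = can_decrypt(decrypt(b_device_key, wrapped_for_b), ct)
    return {"u_reads": u_reads, "b_reads": b_reads, "still_readable_while_wrapped": still_readable}


if __name__ == "__main__":
    print(sync_current_state())
    print(wrap_retained_key())
```

The contrast between the two functions is the whole thread in miniature: `sync_current_state` gives B the future but not the past, and `wrap_retained_key` gives B the past only by keeping a key alive, which is exactly the window during which the ciphertext is not forward secret.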