[messaging] Forward secrecy and multiple devices

Wasa Bee wasabee18 at gmail.com
Fri Oct 31 09:08:59 PDT 2014

Maybe this [0] could give you ideas on how to wrap keys in a way that
provides forward secrecy. The paper comes up with a certain graph with nice
properties so that wrapped keys cannot compromise both last and future
(session) keys... it is applied to secure deletion in the paper though. It
may be possible to cherry-pick certain key ideas - I forgot the details, but
off the top of my head there seems to be a common theme with your problem.

[0] http://www.syssec.ethz.ch/people/reardonj/btree

On Fri, Oct 31, 2014 at 3:50 PM, Moxie Marlinspike <moxie at thoughtcrime.org>

> On 10/31/2014 08:00 AM, Ximin Luo wrote:
> > But if you want a scheme where any device that you might want to
> > connect to your account (in the future) can decrypt old history, then
> > I don't think you can get true forward secrecy, since this would
> > likely involve storing the history somewhere with a key that doesn't
> > get destroyed. There's no impossibility result that I know of, but no
> > "breakthrough" yet either..
> The way we handle multi-device for TextSecure is this:
> 1) You have an existing device 'A'.
> 2) You 'provision' an additional device 'B' using an authorization
> process that involves scanning a QR code.  This securely communicates
> the identity key to the new device using a PFS scheme.
> 3) The server now knows there are two physical devices registered for
> the same logical user.  Each device has its own set of prekeys, but the
> same identity key.
> 4) Device 'A' can use a regular axolotl session to transmit existing
> message history to device 'B'.
> 5) The server enforces that new incoming messages are encrypted to both
> devices.  Both devices essentially have their own axolotl session with
> the sender.
> 6) Each device sends the other device a copy of outgoing messages using
> a regular axolotl session.
> This way all new incoming messages are naturally synchronized across
> devices, since each device will get their own copy.  Outgoing messages
> are visible across all devices.  And existing message history can be
> synchronized across all devices during the provisioning process.
> Everything sits on top of axolotl under the hood, so everything is
> transmitted with the properties that axolotl gets you.
> - moxie
> --
> http://www.thoughtcrime.org
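
Added example, not part of the original thread and not TextSecure code: a minimal Python model of steps 3 and 5 of the quoted procedure, in which each device has its own session and the server refuses a message that lacks an envelope for any registered device. The `Session` hash ratchet with its XOR stream is a toy stand-in for axolotl, and the class names, the `DeviceMismatch` error, the constructed root keys and the resend behaviour are all assumptions; step 6 (syncing outgoing messages) is not modelled.

```python
import hashlib, hmac

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

class Session:
    """Stand-in for one pairwise axolotl session: a symmetric hash ratchet only."""
    def __init__(self, root: bytes):
        self.chain = root
    def crypt(self, data: bytes) -> bytes:
        # Toy XOR stream (encrypt == decrypt, unauthenticated), then step the chain.
        pad = hashlib.shake_256(kdf(self.chain, b"msg")).digest(len(data))
        self.chain = kdf(self.chain, b"chain")   # old chain key is overwritten
        return bytes(a ^ b for a, b in zip(data, pad))

class DeviceMismatch(Exception):
    """args = (missing device ids, extra device ids)"""

class Server:
    """Step 5: accept a message only if it has one envelope per registered device."""
    def __init__(self):
        self.devices = {}                        # user -> set of device ids
    def register(self, user: str, device: str) -> None:
        self.devices.setdefault(user, set()).add(device)
    def submit(self, user: str, envelopes: dict) -> dict:
        registered, sent = self.devices[user], set(envelopes)
        if registered != sent:
            raise DeviceMismatch(registered - sent, sent - registered)
        return envelopes                         # one ciphertext per device

def fan_out(sessions: dict, text: bytes) -> dict:    # sender: one ciphertext per session
    return {dev: s.crypt(text) for dev, s in sessions.items()}

def demo():
    server = Server()
    server.register("bob", "A")
    sender = {"A": Session(b"constructed-root-A")}   # Alice's session with device A
    bob = {"A": Session(b"constructed-root-A")}      # Bob's device-side sessions
    server.register("bob", "B")                      # steps 2-3: device B is provisioned
    envelopes = fan_out(sender, b"hello")            # Alice only knows device A so far
    try:
        server.submit("bob", envelopes)
    except DeviceMismatch as e:
        missing = e.args[0]                          # server names the device she skipped
    for side in (sender, bob):                       # constructed session setup for B
        side["B"] = Session(b"constructed-root-B")
    envelopes["B"] = sender["B"].crypt(b"hello")
    delivered = server.submit("bob", envelopes)
    return missing, delivered, {d: bob[d].crypt(c) for d, c in delivered.items()}
```

Because the two sessions ratchet independently, the same plaintext yields a different ciphertext for each device, and neither device's chain state is needed to read the other's copy.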