[messaging] How secure is TextSecure?
David Leon Gil
coruus at gmail.com
Fri Oct 31 21:56:42 PDT 2014
A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904
They present an unknown key-share attack on TextSecure; this is rather
serious, to say the least.
Rather puzzling, however:
1. They claim that HMAC(key=constant, message=secret) is not provably
a PRF. The security reduction of, e.g., [nested_macs] seems
symmetrical if the hash functions is one-way; am I missing something
(HMAC is insecure if *both* inputs can be controlled by the attacker;
this manifestly isn't the case here.)
2. They also claim that the security of truncated SHA2-256, as used in
TextSecure tags, is unknown. (This is likely true for non-generic
attacks: there are good distinguishers on reduced round SHA2-256.)
But the story is very different for non-generic attacks; the
"how-to-hash" indifferentiability proof works here.
More concerning re tags: TextSecure is only using an 8 byte tag.
64-bit authenticity is plainly insufficient. (This really should be
128 bits of SHA2-256's output, or, preferably 160-256 bits of
More information about the Messaging