[messaging] How secure is TextSecure?
Trevor Perrin
trevp at trevp.net
Sat Nov 1 00:50:16 PDT 2014
On Sat, Nov 1, 2014 at 12:24 AM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
>> Rather puzzling, however: 1. They
>> claim that HMAC(key=constant, message=secret) is not provably a PRF.
>
> What's more puzzling is that we're not doing that. We do
> HMAC(key=secret, message=constant).
They're talking about HKDF and the constant salt. This is standard -
TextSecure does not have signed nonces to serve as an HKDF salt, so
the salt is constant (all zeros), per RFC 5869 or Hugo Krawczyk's
paper.
Moxie had good explanations of the other issues.
Trevor
More information about the Messaging
mailing list