[messaging] Multiple devices and key synchronization: some thoughts

Sam Lanning sam at samlanning.com
Sat Jan 3 16:39:05 PST 2015

On 03/01/15 23:31, David Gil wrote:
> Re Sam's proposal, essentially.
> I thought it might be worthwhile to be more explicit about my models for device compromise:
> Ephemeral compromise: The adversary can read the contents of some (possibly limited) set of memory locations, including the location where the key is stored.
> (E.g., some browser security bugs, Heartbleed.)
> Temporary compromise:
> t=day 0. Adversary uses a vulnerability to establish persistent presence (formerly hard in-browser, but now possible via, e.g., ServiceWorkers...)
> t=... malicious software uses other vulnerabilities to read keys
> t=n days. The bug is fixed and platform-level protection mechanisms eliminate the malicious software.
> Permanent compromise: The adversary replaces part of the platform's trusted computing base (be it hardware or software) with code it controls.
> Keeping private keys unencrypted in memory for only a short period of time is an okay way to protect against ephemeral compromise. It does nothing to protect against temporary compromise.

Unless the temporary compromise does not coincide with a requirement for
a master key to be in memory. So if, for example, a master key is used
only when enrolling a new device (and only on that device), when
activating a new service, and when changing public metadata, then that
is probably going to be not very often.

> (And nothing we do can protect against permanent compromise; for code
running in a browser, that's the browser's responsibility.)

If the compromise happens when the key is not currently in use, and when
it is unlikely to be used again, for example if lost / stolen, then
there is protection.

Also I should note that my main focus for the system idea was for
preventing mass (passive / MITM) surveillance for the general population
rather than device compromise, along with having safeguards in place
when a device is lost / stolen with data accessible.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150104/d1a479ce/attachment.sig>

More information about the Messaging mailing list