[messaging] Reduce identity key exposure in Pond
Jeff Burdges
burdges at gmail.com
Fri Mar 27 18:46:01 PDT 2015
Pond clients are identified to the server by a Curve25519 key pair called the identity key, stored in client.identityPublic and client.identity.
At present, your contacts all know your identity key, stored in Contact.theirIdentityPublic. An adversary who both hacks the pond server and compromises any of your contacts thus learns when you receive messages, when you collect messages, and message sizes. I suppose the group signature scheme necessitated this, but...
Pond will eventually replace the group signature scheme for delivery authentication with an HMAC token based scheme:
https://moderncrypto.org/mail-archive/messaging/2014/000409.html
At that point, there is no need to expose this identity key to your contacts any longer.
Instead, clients could hide identityPublic inside the tokens they give to their contacts. I expect this necessitates a larger token than merely {x, HMAC(k, y)} because the server must know k to efficiently locate the mailbox. Clients could however encrypt the z ++ client.identityPublic to the server identity key returned by parseServer(..) where z is HMAC(k, y), y++HMAC(k,y), or even just y, eliminating the need to communicate y elsewhere.
At present, newRatchet does use contact.theirIdentityPublic but it could easily be modified to use a key derived from theirPub using extra25519.PrivateKeyToCurve25519(..) and extra25519.PublicKeyToCurve25519(..).
Thoughts?
Best,
Jeff
p.s. I’m actually using theirIdentityPublic in the introduction’s pull request https://github.com/agl/pond/pull/161 because I wanted to deduplicate introductions using information from theirPub, which makes sense as a fingerprint https://github.com/agl/pond/pull/175 since the server does not know it. We could however hash theirPub with different values to produce the fingerprint and deduplication value.
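The following Go sketch is an added illustration of the arrangement proposed above, not code from Pond or from the author: a contact presents a token {x, y, HMAC(k, y)}, the server (which knows k for the mailbox) verifies the MAC in constant time and rejects a reused y, and the owner's identityPublic travels only inside an envelope encrypted to the server's key. The names (Token, Mailbox, issueToken, accept, sealToServer, openFromClient, runExchange) and the sample values are assumptions; the envelope uses an ephemeral X25519 key with AES-GCM from the standard library as a stand-in for whatever box construction Pond would use. This goes beyond the post by adding the spent-token check and a full end-to-end run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is what a mailbox owner hands to a contact (hypothetical layout):
// X lets the server locate k, Y is a one-time value, MAC = HMAC(k, Y).
type Token struct {
	X, Y, MAC []byte
}

// Mailbox is the server's view: it holds k to verify tokens and a set of
// spent Y values, but never sees the owner's identityPublic in the clear.
type Mailbox struct {
	K     []byte
	spent map[string]bool
}

func hmacSHA256(k, msg []byte) []byte {
	h := hmac.New(sha256.New, k)
	h.Write(msg)
	return h.Sum(nil)
}

// issueToken runs on the owner's client; each contact gets its own tokens.
func issueToken(x, k []byte) (Token, error) {
	y := make([]byte, 16)
	if _, err := rand.Read(y); err != nil {
		return Token{}, err
	}
	return Token{X: x, Y: y, MAC: hmacSHA256(k, y)}, nil
}

// accept is the server-side check: constant-time MAC compare, then reject
// any Y seen before so a captured token cannot be replayed.
func (m *Mailbox) accept(t Token) error {
	if !hmac.Equal(t.MAC, hmacSHA256(m.K, t.Y)) {
		return errors.New("token MAC does not verify")
	}
	if m.spent[string(t.Y)] {
		return errors.New("token already spent")
	}
	m.spent[string(t.Y)] = true
	return nil
}

// deriveKey turns an X25519 shared secret into an AES-256-GCM AEAD.
func deriveKey(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToServer encrypts z ++ identityPublic to the server's key using a fresh
// ephemeral X25519 key, which is prepended to the ciphertext and bound as AAD.
// Because the derived key is used exactly once, the all-zero nonce is safe.
func sealToServer(serverPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	aead, err := deriveKey(shared)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, aead.NonceSize())
	return append(ephPub, aead.Seal(nil, nonce, plaintext, ephPub)...), nil
}

// openFromClient is the server-side inverse of sealToServer.
func openFromClient(serverPriv *ecdh.PrivateKey, envelope []byte) ([]byte, error) {
	if len(envelope) < 32 {
		return nil, errors.New("envelope too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(envelope[:32])
	if err != nil {
		return nil, err
	}
	shared, err := serverPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := deriveKey(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	return aead.Open(nil, nonce, envelope[32:], envelope[:32])
}

// runExchange plays one delivery end to end: first use verifies, a replay is
// rejected, and the server recovers identityPublic only from the envelope.
func runExchange(identityPublic []byte) (firstOK, replayRejected bool, recovered []byte, err error) {
	serverPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	k := make([]byte, 32) // constructed per-mailbox secret shared with the server
	if _, err = rand.Read(k); err != nil {
		return
	}
	box := &Mailbox{K: k, spent: map[string]bool{}}
	tok, err := issueToken([]byte("mailbox-x"), k)
	if err != nil {
		return
	}
	// Sender: z ++ identityPublic, readable only by the server.
	env, err := sealToServer(serverPriv.PublicKey(), append(append([]byte{}, tok.MAC...), identityPublic...))
	if err != nil {
		return
	}
	firstOK = box.accept(tok) == nil
	replayRejected = box.accept(tok) != nil
	plain, err := openFromClient(serverPriv, env)
	if err != nil {
		return
	}
	recovered = plain[len(tok.MAC):]
	return
}

func main() {
	ok, rep, id, err := runExchange([]byte("constructed-identity-public-key"))
	fmt.Println(ok, rep, string(id), err)
}
```

A contact who later turns hostile still holds tokens, but a server compromise plus that contact now yields a MAC under k rather than the identity key itself; whether the server's lookup on x is cheap enough is the sizing question the post raises.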