[messaging] Reduce identity key exposure in Pond

Trevor Perrin trevp at trevp.net
Mon Mar 30 17:17:46 PDT 2015

On Fri, Mar 27, 2015 at 6:46 PM, Jeff Burdges <burdges at gmail.com> wrote:
> Pond clients are identified to the server by a Curve25519 key pair called the identify key, stored in client.identityPublic and client.identity.
> At present, your contacts all know your identity key, stored in Contact.theirIdentityPublic.  An adversary who both hacks the pond server and compromises any of your contacts thus learns when you receive messages, when you collect messages, and message sizes.  I suppose the group signature scheme necessitated this, but..

Hi Jeff,

I'm not following - your Pond mailbox server already learns "when you
receive messages, [and] when you collect messages".  Delivery tokens
control whether the server accepts a mail for your inbox, but I don't
see how they affect the server's knowledge of when mails arrive in
that inbox, or when they're retrieved.

I also had trouble following below, I don't have the details of Pond's
key management fresh in mind, so a slower explanation with more
background would help.

> Pond will eventually replace the group signature scheme for delivery authentication with an HMAC token based scheme :
> https://moderncrypto.org/mail-archive/messaging/2014/000409.html
> At that point, there is no need to expose this identity key to your contacts any longer.
> Instead, clients could hide identityPublic inside the tokens they give to their contacts.  I expect this necessitates a larger token than merely {x, HMAC(k, y)} because the server must know k to efficiently locate the mailbox.  Clients could however encrypt the z ++ client.identityPublic to the server identity key returned by parseServer(..) where z is HMAC(k, y), y++HMAC(k,y), or even just y, eliminating the need to communicate y elsewhere.
> At present, newRatchet does use contact.theirIdentityPublic but it could easily be modified to use a key derived from theirPub using extra25519.PrivateKeyToCurve25519(..) and extra25519.PublicKeyToCurve25519(..).


More information about the Messaging mailing list