[messaging] Key comparison [TextSecure]

Linus Lotz linus at lotz.li
Tue Sep 1 04:17:14 PDT 2015



Hi,
You should have a look at the 3 way DH in the axolotl ratchet[1]:
master_key = HASH( DH(A, B0) || DH(A0, B) || DH(A0, B0) )

Where 'A' and 'B' are the identity keys and 'A0', 'B0' are the
ephemeral keys.
For Textsecure the prekey is just the ephemeral key of the recipient.

Now let's assume an attacker Charlie can exchange the public prekey B0
with his prekey C0, but does not modify any of the identity keys
(since this would be detected by comparing the fingerprints). Now if
Alice(A) wants to write Bob(B) a message, she would generate the
master_key as follows:

HASH( DH(A_priv, C0_pub) || DH(A0_priv, B_pub) || DH(A0_priv, C0_pub) )

If Charlie now intercepted a message that is encrypted with a key
derived from this master_key he could not decrypt it, since he does
not know B_priv or A0_priv:
HASH( DH(A_pub, C0_priv) || DH(A0_pub, B_priv) || DH(A0_pub, C0_priv) )
                                       ^^^^^^
(A0_pub would be attached to the message)
And Bob cannot decrypt it either, because he does not know C0_priv.
So in order to do the MitM attack Charlie has to either get the
private ephemeral key from Alice or modify the identity keys.

Best Regards,
Linus

[1]https://github.com/trevp/axolotl/wiki


On 01.09.2015 at 09:54, N A wrote:
> Hi,
> 
> I have a question regarding the comparison of key fingerprints in
> the context of TextSecure. According to [1] TextSecure offers the
> ability for two users to compare fingerprints of their identity key
> out of band to detect a man in the middle attack. I was wondering
> why the prekey which was used to start the session is not part of
> the fingerprint? If the identity key of a user is compromised,
> prekeys on the server could be replaced with forged ones by an
> attacker who possesses the complete identity key. The comparison of
> identity key fingerprints would not be able to detect this.
> Including the prekey during key comparison would ensure that users
> know for sure that―even in the presence of compromised identity
> keys―no one posed as a man in the middle. Am I missing something
> obvious?
> 
> Many thanks in advance for your answers!
> 
> --- [1] "How secure is TextSecure"
> [https://eprint.iacr.org/2014/904.pdf] 
> 


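The triple-DH argument above, worked through in code. This is an added example, not code from the thread or from TextSecure/Axolotl: it uses a toy Diffie-Hellman group (a Mersenne prime modulus, not Curve25519), SHA-256 as HASH, and freshly generated constructed keys for Alice, Bob and Charlie. It shows that Alice and Bob agree on master_key in the honest case, that swapping Bob's prekey B0 for Charlie's C0 leaves Alice and Bob with different keys and Charlie unable to compute either, and that the questioner's premise (Charlie also holds Bob's identity private key) is what makes the substitution succeed.

```python
import hashlib
import secrets

# Toy DH group, constructed for illustration only (real Axolotl uses Curve25519).
P = 2**127 - 1          # Mersenne prime; every element fits in 16 bytes
G = 5

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")

def master_key(dh1, dh2, dh3):
    # master_key = HASH( DH(A, B0) || DH(A0, B) || DH(A0, B0) )
    return hashlib.sha256(dh1 + dh2 + dh3).digest()

def initiator_key(A_priv, A0_priv, B_pub, B0_pub):
    # Alice's side: identity A, ephemeral A0, Bob's identity B and prekey B0
    return master_key(dh(A_priv, B0_pub), dh(A0_priv, B_pub), dh(A0_priv, B0_pub))

def responder_key(B_priv, B0_priv, A_pub, A0_pub):
    # Bob's side: the same three shared secrets computed with his private keys
    return master_key(dh(B0_priv, A_pub), dh(B_priv, A0_pub), dh(B0_priv, A0_pub))

def prekey_substitution_scenario():
    A_priv, A_pub = keygen()      # Alice identity key
    A0_priv, A0_pub = keygen()    # Alice ephemeral key (A0_pub travels with the message)
    B_priv, B_pub = keygen()      # Bob identity key
    B0_priv, B0_pub = keygen()    # Bob prekey on the server
    C0_priv, C0_pub = keygen()    # Charlie's prekey, substituted for B0 on the server

    honest = initiator_key(A_priv, A0_priv, B_pub, B0_pub) == responder_key(B_priv, B0_priv, A_pub, A0_pub)
    alice_key = initiator_key(A_priv, A0_priv, B_pub, C0_pub)   # Alice was served C0 instead of B0
    bob_key = responder_key(B_priv, B0_priv, A_pub, A0_pub)     # Bob still holds B0_priv, not C0_priv

    # Charlie knows C0_priv and all public keys, but DH(A0, B) needs A0_priv or B_priv;
    # the middle term is replaced by a placeholder to show the best he can do without them.
    charlie_no_identity = master_key(dh(C0_priv, A_pub), bytes(16), dh(C0_priv, A0_pub))
    # The questioner's premise: Charlie also compromised Bob's identity private key.
    charlie_with_B_priv = master_key(dh(C0_priv, A_pub), dh(B_priv, A0_pub), dh(C0_priv, A0_pub))

    return {
        "honest_match": honest,
        "alice_bob_match": alice_key == bob_key,
        "charlie_prekey_only": charlie_no_identity == alice_key,
        "charlie_with_identity_key": charlie_with_B_priv == alice_key,
    }
```

Comparing identity-key fingerprints out of band therefore covers the prekey-only substitution; the last result is the case where the identity key itself is compromised and fingerprint comparison no longer helps.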