[messaging] libforwardsec: forward secure encryption for email and asynchronous messaging

Ian Miers imiers at cs.jhu.edu
Sat Sep 5 13:17:51 PDT 2015


Yep. There definitely is that issue. At some point, you should delete
interval keys to protect you from a TLA dropping your messages in transit
and then sending a black bag team into your house/cave/press office or
grabbing your computer at the border. At least that decision is
completely an OPSEC consideration and one that varies considerably between
users. For some, an hour is probably too long. For others, 24 hours might
be on the short side. But it's a completely free choice (you can even
change it after making your keys) for individuals or for application
developers using libforwardsec. And unlike previous schemes, if you choose
a long window you are not exposing messages you did receive.

I think this is an inherent problem with the intersection of offline
delivery and forward security. If I recall correctly, TextSecure faces a
similar trade-off on when to delete prekeys.

- Ian (apparently that one)

On Sat, Sep 5, 2015 at 3:28 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:

> Ian,
>
> Overall, a very nice scheme, and it's great you're producing
> production-quality code for it!
>
> There's still the potential issue I asked about at the end of your
> Oakland talk, though: the forward secrecy only kicks in if the intended
> recipient actually _receives_ the original message, which is a slightly
> different property than "traditional" forward secrecy.  If the TLA
> (three-letter agency) doesn't just snoop the message, but actually
> intercepts (blocks) it, they can come a-knocking an arbitrary(*) time
> later to the intended recipient to compel the key that will decrypt it.
>
> (*) Up to when you _do_ decide to delete old keys, which is when you
> give up on any messages that arrive late/desynchronized.
>
>    - Ian (not that one)