[messaging] Key comparison [TextSecure] (Jeff Burdges)

Jeff Burdges burdges at gnunet.org
Wed Sep 9 14:04:02 PDT 2015

On Wed, 2015-09-09 at 21:57 +0200, Katriel Cohn-Gordon wrote:
> I'm not sure I follow that argument. Could you clarify why such
> messages would violate deniability?

If your Axolotl ratchet runs a 2DH or 3DH to advance the root key,
then:

(a) an adversary who gains temporary access to one device to MITM your
connection must obtain both users' identity keys, but

(b) an adversary who gains possession of one device can partially
violate the other user's deniability by enticing them to reply once or
twice to advance the ratchet. 

I suppose one could protect against (a) while largely protecting against
(b) by creating per-contact identity keys.  In fact, one could force an
adversary to interact more by using some previous ephemeral key in a 2DH
to advance the root key.

