[messaging] Naming and classifying a security property
Ximin Luo
infinity0 at pwned.gg
Sun Sep 13 09:15:10 PDT 2015
On 13/09/15 17:50, Ximin Luo wrote:
> - chain-based ratcheting has this property - as the sender, you encrypt m[i] using k, then hash it and delete the original for m[i+1]. the recipient will need to keep extra state around if they want to handle out-of-order messages.
Whoops, this is wrong. It *doesn't* have the aforementioned property - someone that compromises the encryptor here can still decrypt all future ciphertexts.
It's not exactly Axolotl's so-called "future secrecy" [2] either. For example:
> - public key encryption has this property, if you don't also encrypt-to-yourself (which is a common default for GPG encryption :()
OTOH with this scheme, if the decryptor is compromised, then the attacker can here also decrypt all future ciphertexts, so it's not strictly "future secrecy".
I am wondering if we need more precise terms; compromise on the decryptor vs encryptor side can make a big difference. Arguably you want protection against both, but with a term like "future secrecy" you can argue/market that you have this property even if it applies only to one side.
X
[2] https://whispersystems.org/blog/advanced-ratcheting/
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150913/b8806241/attachment.sig>
More information about the Messaging
mailing list