[messaging] Hold the Axolotl ratchet

Trevor Perrin trevp at trevp.net
Tue Sep 22 17:09:13 PDT 2015


On Tue, Sep 22, 2015 at 2:57 PM, Sebastian Verschoor
<s.r.verschoor at student.tue.nl> wrote:
> I thought of an attack on Axolotl that I believe is pointless, but maybe
> one of you sees an application for an adversary that I didn't think of.
[...]
> Bob acts as if he had never received her latest
> messages
[...]
>
> Even though it seems like a useless attack, the fact that you have to rely
> on the honesty of the other party to forward the ratchet seems like an
> unwanted property...

Not an attack, and Alice doesn't have to rely on the other party to
"forward the ratchet".

The algorithm uses "symmetric-key ratcheting" and "DH ratcheting".

Alice can advance her symmetric-key ratchet just by deriving the next
chain key and deleting the previous.  This requires no cooperation
from Bob, and protects the messages she sends against a later
compromise.

The "DH ratchet" can add new entropy into Alice and Bob's keys, to
help recover from a compromise.

This necessarily involves Bob's cooperation.  Alice can't force Bob to
participate in the next DH step if he doesn't want to.  (She also
can't force him to choose secure keys, or keep secrets, etc; in an
Alice-to-Bob secure channel, Alice and Bob are necessarily trusted
parties).


Trevor
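
The symmetric-key ratchet described in the message above, as an added example that is not part of the original post or of any Axolotl implementation. The KDF construction (HMAC-SHA256 with constant inputs), the class and function names, and the shared secret are assumptions of this example; it shows Alice advancing alone while Bob stays silent, and what a later compromise of her state does and does not expose.

```python
import hashlib
import hmac

def kdf_chain(chain_key):
    """One symmetric-ratchet step: (next chain key, message key).
    HMAC-SHA256 with constant inputs is an assumption of this example."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

class SendingChain:
    """Alice's sending chain: only the current chain key is ever stored."""
    def __init__(self, chain_key):
        self._chain_key = chain_key
        self.sent = 0

    def next_message_key(self):
        # Overwrite the chain key; the previous one is no longer held.
        self._chain_key, message_key = kdf_chain(self._chain_key)
        self.sent += 1
        return message_key

    def compromise(self):
        """What an attacker who seizes Alice's state right now obtains."""
        return self._chain_key

def keys_from(chain_key, count):
    """Message keys derivable by someone holding `chain_key`."""
    keys = []
    for _ in range(count):
        chain_key, message_key = kdf_chain(chain_key)
        keys.append(message_key)
    return keys

def demo():
    root = hashlib.sha256(b"constructed shared secret").digest()  # sample value
    alice = SendingChain(root)
    # Alice sends three messages while Bob stays silent ("holds" the ratchet).
    early = [alice.next_message_key() for _ in range(3)]
    stolen = alice.compromise()
    late = [alice.next_message_key() for _ in range(2)]
    attacker = keys_from(stolen, 1000)
    return {
        # Bob, who kept the starting chain key, can still catch up later.
        "bob_catches_up": keys_from(root, 5) == early + late,
        # Keys for messages sent before the compromise are not derivable forward.
        "early_keys_exposed": any(k in attacker for k in early),
        # Without a DH step, every later key in this chain is exposed.
        "late_keys_exposed": attacker[:2] == late,
    }

if __name__ == "__main__":
    print(demo())
```

The last result is the gap the DH ratchet addresses: only fresh entropy from a new DH step, which needs Bob's participation, cuts off an attacker who already holds the chain key.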

