[messaging] saltpack spec and library

Trevor Perrin trevp at trevp.net
Tue Feb 2 11:36:50 PST 2016

Nice!  Looks carefully thought out.  Saltpack is similar to miniLock
[1], it would be interesting to see a comparative analysis.

(I have a framework called "Noise" [2] that tackles a few of the same
things, but is less similar - it's for DH-based protocols, but doesn't
have multi-recipient support as a core feature).

Some small observations:

(1) If two recipient public keys are identical, this fact would leak
in the ciphertext.  If I'm one of the recipients I could possibly use
this to confirm guesses as to other recipients, by providing their
public keys as mine.

(2) The MAC keys only depend on the static-static DH output, not the
ephemeral-static DH output.  So if I compromise Alice's private key, I
can tamper with the ciphertext of messages she's previously produced.
This would be easy to avoid, if the ephemeral-static DH outputs
contributed to the MAC keys.

(3) On a similar note, it wouldn't hurt if the static-static DH
outputs contributed to the key used for encrypting payloads.  That
*might* help in the case where a weak RNG is generating bad ephemeral
private keys, but somehow the sender's static private key was good.
But that's a pretty weird case.


[1] https://github.com/kaepora/miniLock
[2] https://github.com/trevp/noise

On Tue, Feb 2, 2016 at 7:35 AM, Maxwell Krohn <max at keybase.io> wrote:
> Hi folks, We at keybase.io have taken a stab at the problem Adam Langley
> mentioned in his blog post on AEADs [1]: a simple and modern format for
> encryption or signing of large messages, that works well when streaming. It
> uses NaCl for Crypto and MessagePack for packing/unpacking binary
> structures. Additionally, we chose a base62 ASCII armoring to avoid the
> common manglings we’ve seen pasting PGP messages into various Web forms. We
> have a spec, library and implementations (in Go and Python) if anyone wants
> to take a look [2]. Not much non-testing code, only 2.5kLOC in Go. Comments
> and feedback are greatly appreciated. Otherwise, feel free to use it in your
> applications. The library is designed for easy integration, punting entirely
> on key management. Many thanks, Max & Jack
> [1] https://www.imperialviolet.org/2015/05/16/aeads.html
> [2] https://saltpack.org
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

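A simplified model of observation (2), added here as an example; it is not part of the original message and not saltpack's code. It compares a MAC key derived from the static-static DH output alone with one that also mixes in the ephemeral-static output. The HMAC-SHA256 key derivation, the labels and the deterministic demo keys are constructed assumptions, not saltpack's actual construction.

```python
import hashlib
import hmac

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519. Not constant time: for illustration only."""
    k_int = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(label: bytes):
    priv = hashlib.sha256(label).digest()  # constructed, deterministic demo key
    return priv, x25519(priv, BASE)

def mac_key(*dh_outputs: bytes) -> bytes:
    # Hypothetical KDF for this model: HMAC-SHA256 over the DH outputs.
    return hmac.new(b"model mac key", b"".join(dh_outputs), hashlib.sha256).digest()

def compare_designs() -> dict:
    a_priv, a_pub = keypair(b"alice static")
    b_priv, b_pub = keypair(b"bob static")
    e_priv, e_pub = keypair(b"ephemeral, erased after sending")
    ss, es = x25519(a_priv, b_pub), x25519(e_priv, b_pub)  # sender's view
    # Bob derives the same two values from his static private key.
    bob_agrees = (x25519(b_priv, a_pub), x25519(b_priv, e_pub)) == (ss, es)
    # A later holder of Alice's static key only has a_priv, b_pub and e_pub.
    late_ss, late_guess = x25519(a_priv, b_pub), x25519(a_priv, e_pub)
    return {
        "bob_agrees": bob_agrees,
        "static_only_key_recoverable": mac_key(late_ss) == mac_key(ss),
        "bound_key_recoverable": mac_key(late_ss, late_guess) == mac_key(ss, es),
    }

if __name__ == "__main__":
    print(compare_designs())
```

With the ephemeral private key erased, the bound MAC key stays tied to a value that Alice's static key alone does not reproduce, which is the property the observation asks for.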