[messaging] saltpack spec and library
Trevor Perrin
trevp at trevp.net
Tue Feb 2 11:36:50 PST 2016
Nice! Looks carefully thought out. Saltpack is similar to miniLock
[1]; it would be interesting to see a comparative analysis.
(I have a framework called "Noise" [2] that tackles a few of the same
things, but is less similar - it's for DH-based protocols, but doesn't
have multi-recipient support as a core feature).
Some small observations:
(1) If two recipient public keys are identical, this fact would leak
in the ciphertext. If I'm one of the recipients I could possibly use
this to confirm guesses as to other recipients, by providing their
public keys as mine.
(2) The MAC keys only depend on the static-static DH output, not the
ephemeral-static DH output. So if I compromise Alice's private key, I
can tamper with the ciphertext of messages she's previously produced.
This would be easy to avoid, if the ephemeral-static DH outputs
contributed to the MAC keys.
(3) On a similar note, it wouldn't hurt if the static-static DH
outputs contributed to the key used for encrypting payloads. That
*might* help in the case where a weak RNG is generating bad ephemeral
private keys, but somehow the sender's static private key was good.
But that's a pretty weird case.
Trevor
[1] https://github.com/kaepora/miniLock
[2] https://github.com/trevp/noise
On Tue, Feb 2, 2016 at 7:35 AM, Maxwell Krohn <max at keybase.io> wrote:
> Hi folks, We at keybase.io have taken a stab at the problem Adam Langley
> mentioned in his blog post on AEADs [1]: a simple and modern format for
> encryption or signing of large messages, that works well when streaming. It
> uses NaCl for Crypto and MessagePack for packing/unpacking binary
> structures. Additionally, we chose a base62 ASCII armoring to avoid the
> common manglings we’ve seen pasting PGP messages into various Web forms. We
> have a spec, library and implementations (in Go and Python) if anyone wants
> to take a look [2]. Not much non-testing code, only 2.5kLOC in Go. Comments
> and feedback are greatly appreciated. Otherwise, feel free to use it in your
> applications. The library is designed for easy integration, punting entirely
> on key management. Many thanks, Max & Jack
>
> [1] https://www.imperialviolet.org/2015/05/16/aeads.html
> [2] https://saltpack.org
>
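Observation (2) above, as an added Go example that is not code from the thread or from the saltpack library: a toy model using X25519 from Go's standard library, plain SHA-256 as a stand-in KDF and HMAC-SHA256 as the MAC (saltpack's real key derivation and MAC construction are not reproduced). It shows that a MAC key derived from the static-static DH output alone can be recomputed by whoever later obtains Alice's static private key, while mixing in the ephemeral-static output blocks that, because the ephemeral private key was discarded after sending.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// macKey is a stand-in KDF (plain SHA-256, not saltpack's own derivation).
// mixEphemeral=false feeds only the static-static DH output into the key,
// the situation observation (2) describes; true mixes in ephemeral-static.
func macKey(staticDH, ephDH []byte, mixEphemeral bool) []byte {
	h := sha256.New()
	h.Write([]byte("example-mac-key")) // constructed domain label
	h.Write(staticDH)
	if mixEphemeral {
		h.Write(ephDH)
	}
	return h.Sum(nil)
}

func tag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// AttackerCanForge models Alice (static a) sending to Bob (static b) with a
// one-time ephemeral e she then discards. Later Alice's static key leaks, so
// the attacker holds a, B and E but never e; it reports whether Bob's MAC key
func AttackerCanForge(mixEphemeral bool) bool {
	curve := ecdh.X25519()
	a := must(curve.GenerateKey(rand.Reader))
	b := must(curve.GenerateKey(rand.Reader))
	e := must(curve.GenerateKey(rand.Reader))
	// Bob's side: b·A (static-static) and b·E (ephemeral-static).
	bobKey := macKey(must(b.ECDH(a.PublicKey())), must(b.ECDH(e.PublicKey())), mixEphemeral)
	// Attacker's side: a·B equals b·A, but e·B needs the discarded e (zeros = constructed guess).
	attackerKey := macKey(must(a.ECDH(b.PublicKey())), make([]byte, 32), mixEphemeral)
	tampered := []byte("tampered payload") // constructed
	return hmac.Equal(tag(attackerKey, tampered), tag(bobKey, tampered))
}
```

`AttackerCanForge(false)` returns true (the attacker reproduces Bob's key) and `AttackerCanForge(true)` returns false.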