[messaging] X3DH: why put OTPKs on the server?

Ron Garret ron at flownet.com
Sat Feb 4 15:26:00 PST 2017

On Feb 4, 2017, at 1:53 PM, Nadim Kobeissi <nadim at nadim.computer> wrote:

> Forward secrecy relies much more on SPKs than OTPKs. Rather, OTPKs are there to provide some notion of “freshness” to a authenticated key exchange/agreement, so that two successive sessions between two people aren’t more stale on the shared secret front due to SPK and identity key re-use.

I thought that was what Alice’s ephemeral key was for?

Actually, I think I’ve figured it out.  I had this idea in my head that the OTPKs were like nonces, that re-using them would compromise security, that is why the server had to be careful to only hand them out once (hence the OT part of OTPK).  But that is not the case at all.  The OTPKs are OT because Bob is going to destroy the corresponding secret key as soon as he receives a message encrypted using a particular OTPK in order to close the window of opportunity for an adversary as quickly as possible.  So it actually does make sense to look at them as an add-on to X3DH and not as a completely separate protocol.

This still leave a couple of operational concerns (OTPKs must be refreshed fairly often, and I think they need an expiration date).  But it not the case that a server compromise leads to a security breach.  (The PK in OTPK should have been a clue!)

Thanks for the help,

More information about the Messaging mailing list