
Hi Marco,

This is a problem we're working on as part of the Briar project. Our
approach is pretty simple: establish a shared secret when you first
communicate, periodically run that secret through a one-way function
to get a new shared secret, and destroy the old one. Symmetric keys
for encryption and authentication are derived from the current shared
secret.

The rotation period depends on the latency of the underlying
communication channel. For example, if you're communicating by email,
you might rotate to a new shared secret once a week, to allow the
other party to spend a week offline without losing any messages. On
the other hand if you're communicating by SD cards attached to
migrating geese, you might rotate less often.

Cheers,
Michael

On 16/09/13 12:45, Marco Pozzato wrote:
> Hi all,
> 
> I'm looking for an asynchronous messaging protocol with support
> for forward secrecy: I found some ideas, some abstract paper but
> nothing ready to be used.
> 
> OTR seems the preeminent protocol, but does not have support for
> asynchronous communication. This post
> https://whispersystems.org/blog/asynchronous-security/ describes an
> interesting variation on OTR: the basic idea is to precalculate 100
> Diffie-Hellman and consume one at every new message.
> 
> On the opposite side, for OpenPGP lovers, I found an old extension
> http://tools.ietf.org/html/draft-brown-pgp-pfs-01 which adopts the
> same approach, using many short-lived keys, which frequently
> expire (e.g. every week) and are deleted.
> 
> They are both clever ideas to provide PFS, but what does it mean to
> the average user? Let's say that today I discover an attack run on
> 1st of August:
> 
> * OTR variation: I do not know which messages were wiretapped. 100
>   messages could span a few hours or two months.
> * OpenPGP: I know I lost messages sent in the first week of August.
> 
> What do you think about it?
> 
> Marco
> 
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
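A worked illustration of the hash-ratchet scheme Michael describes, added here as an example and not code from the Briar project: a shared secret is stepped forward through a one-way function once per rotation period, encryption and authentication keys are derived from the current secret, and the receiver keeps only the previous period's authentication key so that a party can be one period late without losing messages. The HMAC labels, the one-period grace window and the `Ratchet` class are assumptions made for the demonstration.

```python
import hmac
import hashlib

def ratchet_step(secret: bytes) -> bytes:
    """One-way step: the next shared secret is HMAC-SHA256 of a fixed label
    under the current secret, so the old secret cannot be recovered from the new one."""
    return hmac.new(secret, b"ratchet-step", hashlib.sha256).digest()

def derive_keys(secret: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and authentication keys from the current secret."""
    enc_key = hmac.new(secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(secret, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key

class Ratchet:
    """Tracks the shared secret for the current rotation period (e.g. one week) and
    keeps older authentication keys only as long as the grace window requires."""

    def __init__(self, initial_secret: bytes, grace_periods: int = 1):
        self.period = 0
        self.secret = initial_secret
        self.grace_periods = grace_periods
        self.old_mac_keys: dict[int, bytes] = {}  # period -> MAC key kept for late messages

    def advance_to(self, period: int) -> None:
        """Rotate forward to `period`, discarding keys that fall outside the grace window.
        (Python cannot guarantee the old bytes are wiped from memory; a real
        implementation would zero them explicitly.)"""
        while self.period < period:
            _, mac_key = derive_keys(self.secret)
            self.old_mac_keys[self.period] = mac_key
            self.secret = ratchet_step(self.secret)  # previous secret is dropped here
            self.period += 1
        for p in [p for p in self.old_mac_keys if p < self.period - self.grace_periods]:
            del self.old_mac_keys[p]

    def tag(self, message: bytes) -> bytes:
        """Authenticate a message under the current period's MAC key."""
        _, mac_key = derive_keys(self.secret)
        return hmac.new(mac_key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes, sender_period: int) -> bool:
        """Accept a message from the current period or one still inside the grace window."""
        if sender_period == self.period:
            _, mac_key = derive_keys(self.secret)
        elif sender_period in self.old_mac_keys:
            mac_key = self.old_mac_keys[sender_period]
        else:
            return False  # key already destroyed, or a period we have not reached
        return hmac.compare_digest(hmac.new(mac_key, message, hashlib.sha256).digest(), tag)
```

Once the receiver has rotated past the grace window, a message tagged under an older secret can no longer be verified, which is the forward-secrecy property at the cost of messages that arrive too late.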
