On 09/07/2013 07:51 PM, John Kelsey wrote:

> Pairwise shared secrets are just about the only thing that scales
> worse than public key distribution by way of PGP key fingerprints on
> business cards.  ....
> If we want secure crypto that can be used by everyone, with minimal
> trust, public key is the only way to do it.
>
> One pretty sensible thing to do is to remember keys established in
> previous sessions, and use those combined with the next session.

You've answered your own conundrum!

Of course the idea of remembering keys established in previous
sessions and using them combined with keys negotiated in the next
session is a scalable way of establishing and updating pairwise
shared secrets.

In fact I'd say it's a very good idea.  One can use a distributed
public key (infrastructure fraught with peril and mismanagement)
for introductions, and thereafter communicate using a pairwise
shared secret key (locally managed) which is updated every time
you interact, providing increasing security against anyone who
hasn't monitored and retained *ALL* previous communications. In
order to get at your stash of shared secret keys Eve and Mallory
have to mount an attack on your particular individual machine,
which sort of defeats the "trawl everything by sabotaging vital
infrastructure at crucial points" model that they're trying to

One thing that weakens the threat model (so far) is that storage
is not yet so cheap that Eve can store *EVERYTHING*. If Eve has
to break all previous sessions before she can hand your current
key to Mallory, first her work factor is drastically increased,
second she has to have all those previous sessions stored, and
third, if Alice and Bob have ever managed even one secure exchange
or one exchange that's off the network she controls (say by local
Bluetooth link) she fails. Fourth, even if she *can* store everything
and the trawl *has* picked up every session, she still has to guess
*which* of her squintillion stored encrypted sessions were part
of which stream of communications before she knows which ones
she has to break.
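The chaining property argued above, as an added example (not code from the post or from anyone on the list): each session's pairwise secret is derived from the stored secret and that session's fresh contribution, so an eavesdropper who missed even one session cannot rebuild the chain from that point on. The HMAC-based derivation, the sample secrets and the model of Eve's reconstruction are all assumptions made for illustration; the fresh per-session secrets stand in for whatever the public-key introduction and later negotiations produce.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed construction: the stored pairwise secret keys an HMAC over the
# fresh secret negotiated in this session. Anything with PRF-like behaviour
# would do; HMAC-SHA256 is used because it is in the standard library.
def ratchet(stored_secret: bytes, session_secret: bytes) -> bytes:
    """Return the next pairwise secret from the stored one and this session's fresh secret."""
    return hmac.new(stored_secret, b"pairwise-ratchet|" + session_secret,
                    hashlib.sha256).digest()

def run_sessions(initial_secret: bytes, session_secrets: List[bytes]) -> List[bytes]:
    """Alice and Bob's view: the chain of pairwise secrets after each session."""
    chain = [initial_secret]
    for fresh in session_secrets:
        chain.append(ratchet(chain[-1], fresh))
    return chain

def eve_reconstruct(initial_secret: bytes,
                    captured: List[Optional[bytes]]) -> Optional[bytes]:
    """Eve's view: she knows the introduction secret and whatever sessions she
    captured and broke (None = a session she did not capture, e.g. one that
    went over a local link she does not monitor). Returns the current pairwise
    secret if she can rebuild the whole chain, otherwise None."""
    current = initial_secret
    for fresh in captured:
        if fresh is None:
            # The chain is keyed by a secret she never obtained; later
            # sessions do not help because each one depends on this link.
            return None
        current = ratchet(current, fresh)
    return current

def eve_succeeds(initial_secret: bytes, session_secrets: List[bytes],
                 missed_session: Optional[int]) -> bool:
    """Compare Eve's reconstruction against the real current secret."""
    real = run_sessions(initial_secret, session_secrets)[-1]
    captured: List[Optional[bytes]] = list(session_secrets)
    if missed_session is not None:
        captured[missed_session] = None
    guess = eve_reconstruct(initial_secret, captured)
    return guess is not None and hmac.compare_digest(guess, real)

if __name__ == "__main__":
    # Constructed sample run: one introduction secret, five sessions.
    intro = os.urandom(32)
    sessions = [os.urandom(32) for _ in range(5)]
    print("Eve captured everything:", eve_succeeds(intro, sessions, None))
    print("Eve missed session 2:   ", eve_succeeds(intro, sessions, 2))
```

The comparison in `eve_succeeds` uses `hmac.compare_digest` purely so the demo does not leak the secret through timing if reused elsewhere; the property the post argues for is carried entirely by `ratchet` keying each step with the previous output.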
