----- Forwarded message from zooko <[email protected]> -----

Date: Fri, 27 Sep 2013 00:08:32 +0400
From: zooko <[email protected]>
To: Michael Rogers <[email protected]>
Cc: Randombit List <[email protected]>
Subject: Re: [cryptography] Asynchronous forward secrecy encryption
User-Agent: Mutt/1.5.21 (2010-09-15)

Let me just mention that this conversation is AWESOME. I only wish the folks
over at Perry's Crypto List (http://www.metzdowd.com/pipermail/cryptography/)
knew that we were having such a great conversation over here.

On Thu, Sep 19, 2013 at 09:20:04PM +0100, Michael Rogers wrote:
>
> The key reuse issue isn't related to the choice between time-based and 
> message-based updates. It's caused by keys and IVs in the current design 
> being derived deterministically from the shared secret and the sequence 
> number. If an endpoint crashes and restarts, it may reuse a key and IV with 
> new plaintext. Not good.

Another defense against this is to generate the IV from the plaintext, possibly
from the plaintext in addition to other stuff. There are three things that you
might want to throw into your IV generator: 1. the plaintext, 2. a persistent
secret key used only for this purpose and known only to this client, 3. a
random nonce read from the operating system.

I would suggest including 1 and 2 but not 3.

This *could* be seen as an alternative to the defense you described:

> In the new design, the temporary keys are still derived deterministically 
> from the shared secret, but the IVs and ephemeral keys are random.

Or it could be used as an added, redundant defense. I guess if it is an added,
redundant defense then this is the same as including the random nonce -- number
3 from the list above.

Regards,

Zooko
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
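As an added illustration (my own code, not from Zooko's message or from the design under discussion): the crash-and-restart scenario Michael describes, with the IV derived either from the shared secret and sequence number alone, or, per items 1 and 2 above, from the plaintext and a persistent per-client IV key, with item 3 (an OS nonce) as an optional extra input. The HMAC-SHA256 stand-in KDF, the label strings and the 16-byte IV length are assumptions.

```python
import hmac
import hashlib

IV_LEN = 16  # assumption: IV length for a 128-bit block cipher


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over a label and length-prefixed parts."""
    data = label
    for part in parts:
        data += len(part).to_bytes(4, "big") + part
    return hmac.new(key, data, hashlib.sha256).digest()


def sequence_iv(shared_secret: bytes, seq: int) -> bytes:
    """The current design as described: IV depends only on the shared secret and
    the sequence number, so a restarted endpoint that reuses a sequence number
    reuses the IV too."""
    return kdf(shared_secret, b"iv", seq.to_bytes(8, "big"))[:IV_LEN]


def plaintext_iv(iv_key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Zooko's items 1 and 2: IV from the plaintext and a persistent, client-only
    IV key. Pass an OS-random nonce (item 3) to make it non-deterministic as well.
    Note: without the nonce, identical plaintexts under the same iv_key yield
    identical IVs, which is observable on the wire."""
    return kdf(iv_key, b"siv", plaintext, nonce)[:IV_LEN]


def crash_reuses_key_and_iv(shared_secret: bytes, iv_key: bytes, seq: int,
                            before: bytes, after: bytes,
                            use_plaintext_iv: bool) -> bool:
    """Simulate: the endpoint sends `before` at sequence number `seq`, crashes,
    restarts with its counter reset, and sends `after` at the same `seq`.
    Returns True if the same (temporary key, IV) pair is used for two
    different plaintexts, i.e. the failure Michael describes."""
    seq_bytes = seq.to_bytes(8, "big")
    key_before = kdf(shared_secret, b"key", seq_bytes)
    key_after = kdf(shared_secret, b"key", seq_bytes)  # same seq -> same key
    if use_plaintext_iv:
        iv_before, iv_after = plaintext_iv(iv_key, before), plaintext_iv(iv_key, after)
    else:
        iv_before, iv_after = sequence_iv(shared_secret, seq), sequence_iv(shared_secret, seq)
    return before != after and key_before == key_after and iv_before == iv_after
```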
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5


_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
