> If store and forward, cannot be forward secrecy.

> Suppose that human readable messages, messages that might contain important secrets, are only exchanged when the sender and the final recipient are both online at the same time, then forward secrecy no problem. Both parties set up a shared transient secret session key, as usual, which goes away when offline, reboot, or timeout.
Suppose when Alice first sends a message to Bob she also includes a short term public key. Bob takes the short term public key and encrypts symmetric_key_1 ("SK1") and also encrypts a message with SK1 and sends the encrypted SK1 and the encrypted message to Alice. Alice decrypts the encrypted SK1 with her short term private key and then uses SK1 to decrypt the message. The short term public key pair can now be deleted.

When Alice replies, she sends the message and a new SK2, encrypted with SK1, to Bob. Bob will decrypt with SK1 and store SK2. When he sends a message, he encrypts his message along with a new key, SK3, with SK2. This continues with a new symmetric key each time. Both parties must remember the last SK that they suggested to the other party, and also the last SK that they received from the other party. All others can be deleted. One might call the symmetric keys 'one time use' keys except that they can be used several times if one person replies to the other several times in a row.

Thus the first initial message from Alice to Bob is not forward-secret, and the last several messages between them are not forward-secret, but all other messages are. Am I mistaken?

Although I think I'd rather work on piggy-backing on an existing anonymity network to do forward secret instant messaging before all of that above.

-Jonathan

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
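The symmetric-key chain described in the post, simulated as an added example (not code from the post or from the list). The SHA-256 keystream is a toy stand-in for a real AEAD, and the short-term public-key step that delivers SK1 is assumed rather than modelled; the last function reports which messages a seizure of both parties' remaining keys would still expose, which is the "last several messages" caveat above.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: SHA-256(key || counter) keystream XORed into data.
    # Illustration only; a deployed system would use a real AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Party:
    """Keeps only the last SK it proposed and the last SK it received."""
    def __init__(self):
        self.last_sent_sk = None
        self.last_received_sk = None

    def send(self, plaintext: bytes):
        # Encrypt a fresh SK plus the message under the peer's newest proposal.
        # Several sends in a row reuse that key, as the post allows.
        new_sk = os.urandom(32)
        key = self.last_received_sk
        wire = keystream_xor(key, new_sk + plaintext)
        self.last_sent_sk = new_sk  # the earlier proposal is forgotten
        return wire, key

    def receive(self, wire: bytes) -> bytes:
        # Decrypt under the SK we proposed; adopt the SK the peer embedded.
        body = keystream_xor(self.last_sent_sk, wire)
        self.last_received_sk = body[:32]
        return body[32:]

def run_session(turns):
    alice, bob = Party(), Party()
    # Bootstrap (assumed): SK1 reached Alice wrapped under her short-term
    # public key, so both already hold it; that step is not modelled here.
    sk1 = os.urandom(32)
    bob.last_sent_sk, alice.last_received_sk = sk1, sk1
    roles = {"alice": (alice, bob), "bob": (bob, alice)}
    transcript = []  # (sender, ciphertext, key it was encrypted under)
    for who, text in turns:
        sender, receiver = roles[who]
        wire, key = sender.send(text)
        assert receiver.receive(wire) == text
        transcript.append((who, wire, key))
    return transcript, alice, bob

def exposed_after_compromise(transcript, alice, bob):
    # Indices of messages still decryptable from the keys each side retains.
    surviving = {alice.last_sent_sk, alice.last_received_sk,
                 bob.last_sent_sk, bob.last_received_sk}
    return [i for i, (_, _, key) in enumerate(transcript) if key in surviving]
```

With alternating turns only the final message is exposed; when one side sends several messages in a row, the whole final run shares one key and stays readable.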