On 03/10/13 17:40, Trevor Perrin wrote:
> Having each party sign an ephemeral public key with a long-term
> signing key is not, by itself, a good key agreement protocol, due
> to:
>
> * The "identity misbinding" possibility of an attacker signing
> a victim's ephemeral key, tricking others into thinking the
> victim's communications originated from the attacker.
>
> * The lack of freshness on the authentication - if an attacker
> compromises one ephemeral private key, it can be reused without
> needing additional signatures.
>
> Earlier I was suggesting "triple Diffie-Hellman" as a better
> option.
[snip]
> If you care about deniability I would avoid signatures entirely
> (e.g. use Diffie-Hellman based protocols).
Great points, thanks! I'd forgotten about triple Diffie-Hellman (already, tut tut). Has it received any peer review other than being adopted by Moxie? Have you patented it? ;-)

So a triple-DH version of the protocol would look like this:

* The introducees exchange single-use public keys and long-term public keys via the introducer
* The introducees use triple-DH to derive a shared secret, destroy their single-use private keys, and start key rotation
* The introducees exchange acks via the introducer
* The introducees can optionally obtain each other's long-term public keys from other third parties, before or after the introduction
* If the introducees meet face-to-face, they can confirm each other's long-term public keys using SAS:
  - The users verbally exchange short codes to enable their devices to find each other over a short-range transport such as wifi
  - The devices exchange hash commitments and ephemeral public keys
  - The users verbally exchange short authentication strings
  - If the strings match, the devices derive symmetric encryption and authentication keys from the ephemeral shared secret
  - Within the ephemeral secure channel, the devices exchange long-term public keys and a value derived from the current temporary secret as verification that they have the same shared secret
* Nobody signs anything at all

I've avoided triple-DH in the confirmation protocol so that long-term public keys aren't sent in the clear.
Cheers,
Michael

cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
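The triple-DH step of the protocol sketched above, written out as an added example (it is not code from this thread, from Moxie's implementation or from any project). It assumes X25519 as the Diffie-Hellman group, fixed initiator/responder roles to order the three DH outputs, and HMAC-SHA256 as the key derivation; the optional substituted identity key shown to Bob illustrates Trevor's misbinding point, since the secrets no longer agree.

```python
import hashlib, hmac, os

P = 2**255 - 19  # field prime of Curve25519 (RFC 7748)

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the Montgomery ladder of RFC 7748, section 5."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # clamp the private scalar
    s, x1 = int.from_bytes(kb, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (s >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, (9).to_bytes(32, "little"))

def triple_dh(my_long, my_eph, peer_long_pub, peer_eph_pub, initiator):
    # Mix long-term/ephemeral, ephemeral/long-term and ephemeral/ephemeral DH outputs so both
    # identity keys enter the secret: relabelling a victim's ephemeral key as one's own (the
    # misbinding problem of signed ephemerals) yields a secret nobody else shares.
    # The role-dependent ordering and the KDF label are this example's own assumptions.
    if initiator:
        parts = [x25519(my_long, peer_eph_pub), x25519(my_eph, peer_long_pub)]
    else:
        parts = [x25519(my_eph, peer_long_pub), x25519(my_long, peer_eph_pub)]
    parts.append(x25519(my_eph, peer_eph_pub))
    return hmac.new(b"3dh-introduction-demo", b"".join(parts), hashlib.sha256).digest()

def introduce(identity_shown_to_bob=None):
    # One introduction; returns (Alice's secret, Bob's secret). Showing Bob a different
    # identity key for Alice (as a dishonest introducer could) makes the secrets diverge.
    a_long, a_pub = keypair(); a_eph, a_eph_pub = keypair()
    b_long, b_pub = keypair(); b_eph, b_eph_pub = keypair()
    k_alice = triple_dh(a_long, a_eph, b_pub, b_eph_pub, initiator=True)
    k_bob = triple_dh(b_long, b_eph, identity_shown_to_bob or a_pub, a_eph_pub, initiator=False)
    return k_alice, k_bob
```

The single-use private keys exist only inside `introduce`, which matches the "destroy their single-use private keys" step once the secret is derived.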