On 2013-12-18 04:38, Joseph Birr-Pixton wrote:
In very general terms, you cannot hope to achieve confidentiality
without authenticity.
Your key exchange does not offer authenticity. I would suggest instead
having the user's keys be signing keys, and do straightforward signed
ephemeral ECDH. This should also gain you forward secrecy.
Unfortunately this will introduce a data dependency in your protocol,
which may cause an unacceptable extra round trip.
With that assumed fixed, your protocol relies entirely on a third
party (the 'public key server') for authenticity of the key exchange.
If the overall aim is to avoid having to trust a third party
(Facebook) to keep messages secret, adding more third parties to the
problem doesn't seem a great solution.
Google solution: Implement a protocol such that the key server cannot
tell the owner of the name one thing, and someone else trying to contact
the owner of the name a different thing, and cannot rewrite the past.
BitTorrent serves immutable files globally, such that the file must be
the same for all. Need a BitTorrent-like algorithm for serving slowly
mutable tree structures. Viewed as a history, it is a grow-only data
structure with an ever-increasing immutable past. The history, however,
is kind of like a git history, representing a fully mutable but slowly
changing present.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
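One way to realize the grow-only key log the reply describes, as an added example that is not from the thread: a hash-chained, append-only log of name-to-key bindings. It assumes a plain hash chain (not a Merkle tree or BitTorrent-style distribution), so a client holding an older head can check that a newer head extends it, and two clients comparing heads detect a server that showed them different histories.

```python
import hashlib
import json

# Added example, not from the thread. Each head commits to the entire
# history before it, so the server cannot rewrite the past without changing
# every later head, and cannot show two parties different histories without
# the mismatch surfacing when they compare heads.

GENESIS = "0" * 64  # head of the empty log


def entry_hash(prev_head: str, name: str, key: str) -> str:
    blob = json.dumps([prev_head, name, key]).encode()  # canonical encoding
    return hashlib.sha256(blob).hexdigest()


class KeyLog:
    """Grow-only log of (name, key) bindings published by a key server."""

    def __init__(self):
        self.entries = []        # ordered (name, key) bindings, never removed
        self.heads = [GENESIS]   # heads[i] = head after the first i entries

    def append(self, name: str, key: str) -> str:
        self.entries.append((name, key))
        self.heads.append(entry_hash(self.heads[-1], name, key))
        return self.heads[-1]

    def head(self) -> str:
        return self.heads[-1]

    def since(self, size: int):
        """Consistency proof: the entries appended after the first `size`."""
        return self.entries[size:]

    def current_key(self, name: str):
        """Latest binding for a name (the slowly mutable present)."""
        for n, k in reversed(self.entries):
            if n == name:
                return k
        return None


def verify_extension(old_head: str, new_entries, new_head: str) -> bool:
    """Client check: does new_head extend the history ending at old_head?"""
    h = old_head
    for name, key in new_entries:
        h = entry_hash(h, name, key)
    return h == new_head
```

A name owner who remembers the head at the time of their own registration can hand it to anyone contacting them; if the server has forked the history, the contact's `verify_extension` check fails.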