> https://whispersystems.org/blog/asynchronous-security/ > Since these key exchange parts are ephemeral, recording ciphertext traffic > doesn’t help a would-be adversary, since there is no durable key for them to > compromise in the future.
I disagree. PFS traffic today protected with 1024-bit DH will be readable in 10 years, if not sooner, to organizations like the NSA. In twice that time it may be cheap enough to be decryptable on a mass scale. Anyway, that's a nit. My first thought is that the nastiest part of this protocol is that Bob (a client) is trusting the server to give it legitimate keys for Alice (the other client.) The server can lie, and hand out fradulent keys (I'll call one KeyF as opposed to a legit one KeyA). If the server lies, Bob will send a message to Alice, encrypted to KeyF. If the message makes it's way to Alice, she'll be confused, because she can't decrypt it. The server won't see it. If the server colludes with a network attacker, Bob will send a message encrypted to KeyF, which the network attacker sees. The network attacker gives the ciphertext to the server who decrypts it, and the network attacker also blocks the message from being sent to Alice, so Alice is non the wiser. If the server is compelled to provide fraudulent keys for Alice, then the network attacker presumably has the private key, decrypts it, and doesn't deliver it. The server introduces a central component in this network. A component that must be secured quite thoroughly, trusted by all the participants, and ultimately if it's Denial-of-Serviced takes down all users' chats*. It would be possible to build a protocol such that the server is federated (e.g. I run my own server, and there's an open protocol for all OTR apps [or all TextSecure-OTR apps] to know how to query to find my server.) Even if Moxie didn't want to build that into TextSecure, there's no reason other OTR apps couldn't follow a similar prekeying design with a federated prekey server. *Of course there ways to resist DoS, but they add engineering cost. -tom -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
