------ Original Message ------
From: "David Leon Gil" <[email protected]>
To: "[email protected]" <[email protected]>
Sent: 2014-11-01 12:56:42 AM
Subject: [messaging] How secure is TextSecure?
> A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904
> --
> They present an unknown key-share attack on TextSecure; this is rather
> serious, to say the least.

I disagree that this is a serious attack. When I read the paper, I was
surprised that this was even considered a TextSecure-specific attack to
begin with. I'm sure someone else could write a paper ascribing this
attack to half the in-production public-key cryptography systems on the
Internet.

It's a cool paper though, good on TextSecure for surviving the scrutiny.
Also, Cryptocat got a mention, that was nice to see. :-)

NK

> Rather puzzling, however:
>
> 1. They claim that HMAC(key=constant, message=secret) is not provably
> a PRF. The security reduction of, e.g., [nested_macs] seems
> symmetrical if the hash function is one-way; am I missing something
> here?
>
> (HMAC is insecure if *both* inputs can be controlled by the attacker;
> this manifestly isn't the case here.)
>
> 2. They also claim that the security of truncated SHA2-256, as used in
> TextSecure tags, is unknown. (This is likely true for non-generic
> attacks: there are good distinguishers on reduced-round SHA2-256.)
> But the story is very different for generic attacks; the
> "how-to-hash" indifferentiability proof works here.
>
> More concerning re tags: TextSecure is only using an 8-byte tag.
> 64-bit authenticity is plainly insufficient. (This really should be
> 128 bits of SHA2-256's output, or, preferably, 160-256 bits of
> SHA2-512's.)
>
> --
> [nested_macs]:
> http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/papers/nestedMACs.pdf
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
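Added example (not code from the thread, from TextSecure, or from the Frosch et al. paper): the two constructions the message argues about, written out in Python. HMAC-SHA256 with a constant key over a secret message is exactly HKDF-Extract with a constant salt, so the block implements HKDF (RFC 5869) and checks itself against the RFC's first test vector; it then produces an HMAC-SHA256 tag truncated to 8 bytes, verifies it in constant time, and runs a generic tag-guessing forgery against a verification oracle, which is the attack whose cost is set purely by tag length. The salt, secret, info string, messages and the enc-key/mac-key split are constructed sample values and assumptions for illustration, not TextSecure's actual constants or key layout.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes

# Constructed sample inputs for the demo; they are not values from TextSecure
# or from the Frosch et al. paper.
CONSTANT_SALT = b"example-constant-salt"   # hypothetical constant HMAC key
SHARED_SECRET = bytes(range(32))           # hypothetical DH-derived secret


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(key=salt, message=ikm).

    With a constant salt this is HMAC(key=constant, message=secret), the
    arrangement whose PRF security the thread argues about.
    """
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / 32) blocks
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def rfc5869_test_case_1() -> bool:
    """Check the HKDF code above against test case 1 of RFC 5869, appendix A."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a"
                             "2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def derive_keys(shared_secret: bytes, salt: bytes = CONSTANT_SALT,
                info: bytes = b"example-info") -> tuple:
    """Derive a 32-byte encryption key and a 32-byte MAC key (assumed layout)."""
    okm = hkdf_expand(hkdf_extract(salt, shared_secret), info, 2 * HASH_LEN)
    return okm[:HASH_LEN], okm[HASH_LEN:]


def mac_tag(mac_key: bytes, message: bytes, tag_len: int) -> bytes:
    """Truncated HMAC-SHA256: keep the first tag_len bytes of the 32-byte tag."""
    if not 1 <= tag_len <= HASH_LEN:
        raise ValueError("tag_len must be between 1 and 32 bytes")
    return hmac.new(mac_key, message, HASH).digest()[:tag_len]


def verify_tag(mac_key: bytes, message: bytes, tag: bytes, tag_len: int) -> bool:
    """Constant-time check of a truncated tag; rejects tags of the wrong length."""
    if len(tag) != tag_len:
        return False
    return hmac.compare_digest(mac_tag(mac_key, message, tag_len), tag)


def forge_by_guessing(oracle, forged_message: bytes, tag_len: int):
    """Generic forgery against a tag_len-byte tag: submit every possible tag to
    a verification oracle until one is accepted.  Costs at most 2**(8*tag_len)
    queries whatever the MAC is, so against this attack a tag is only as strong
    as it is long.  Run it only for tag_len=1 (256 queries); an 8-byte tag is
    the same loop with a 2**64 bound.
    Returns (accepted_tag, queries_used), or (None, queries_used) on failure.
    """
    space = 2 ** (8 * tag_len)
    for guess in range(space):
        tag = guess.to_bytes(tag_len, "big")
        if oracle(forged_message, tag):
            return tag, guess + 1
    return None, space


if __name__ == "__main__":
    enc_key, mac_key = derive_keys(SHARED_SECRET)
    msg = b"constructed ciphertext bytes"
    print("HKDF RFC 5869 self-check:", rfc5869_test_case_1())
    tag8 = mac_tag(mac_key, msg, 8)
    print("8-byte tag:", tag8.hex(), "valid:", verify_tag(mac_key, msg, tag8, 8))
    oracle = lambda m, t: verify_tag(mac_key, m, t, 1)
    tag, queries = forge_by_guessing(oracle, b"attacker message", 1)
    print(f"1-byte tag forged after {queries} queries: {tag.hex()}")
```

The forgery loop is deliberately run only against a 1-byte tag so it finishes instantly; the point is that the query bound comes from the tag length alone, not from any weakness in SHA-256, which is why the message treats the 8-byte truncation separately from the question of whether truncated SHA2-256 is a good PRF.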