Trevor Perrin:
> On Wed, Jan 17, 2018 at 5:40 PM, Ximin Luo <infini...@pwned.gg> wrote:
>>
>> On the ART paper near the end it mentions: "we use the X3DH paper [..]
>> extended to include the static-static DH key in order to prevent UKS and KCI
>> attacks".
>>
>> After some digging we came across this part from [1]: "When [..] Bob's
>> long-term secret key [..] [and] pre-key is also compromised, ProVerif finds
>> [..] a novel key compromise impersonation attack"
>>
>> Indeed, in this case the attacker can generate a new fake A-eph "from Alice"
>> and compute X3DH(Alice, Bob) via
>>
>> Alice[public static] ^ Bob[private prekey] ||
>> Fake-Alice[public eph] ^ Bob[private static] ||
>> Fake-Alice[private eph] ^ Bob[public prekey]
>>
>> The defence is to turn X3DH into "X4DH", with an additional
>> DH(Alice[static], Bob[static]) in there.
>
> If Bob's static key is compromised, adding a static-static DH
> obviously will not help anything.
>
> The only case it might help is if ephemerals are compromised but
> static keys are *NOT* compromised. That isn't a likely case, so
> doesn't seem worth the computational expense.
>
You're right, I had reached the same conclusion thinking it through in the meantime and was just about to post that. I wonder what their reasoning behind this addition was, then.

(One could imagine a scenario where the private key operations of one's static key are delegated to another, more secure device like a smartcard; then this might help. But this is a pretty specific case, and from the wording in the paper it doesn't sound like that's what they're referring to here.)

X

--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
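As an added example (not code from this thread, nor from the ART or X3DH authors), the following toy model checks the two cases Trevor distinguishes: it derives the X3DH and X4DH secrets as Bob would for an incoming ephemeral, then as a party that holds only the listed compromised Bob private keys plus a forged "Alice" ephemeral, and reports whether the two agree. The group, the key names and the helper functions are constructed for illustration; real X3DH uses X25519/X448 and its own KDF.

```python
import hashlib
import secrets

# Constructed toy group (2**127 - 1 is prime), chosen only to keep the
# arithmetic short. Real X3DH uses X25519 or X448, never parameters like these.
P = 2**127 - 1
G = 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P)

def kdf(terms):
    return hashlib.sha256(b"".join(t.to_bytes(16, "big") for t in terms)).hexdigest()

# DH terms as (Alice key, Bob key) name pairs, in the order used in the thread.
X3DH = [("A_static", "B_prekey"), ("A_eph", "B_static"), ("A_eph", "B_prekey")]
X4DH = X3DH + [("A_static", "B_static")]   # the extra static-static term

def derive(terms, privs, pubs):
    """Session secret from the known private keys (name -> scalar) and all
    public keys. Each term needs either of its two private keys; if neither
    is known the secret cannot be derived and None is returned."""
    out = []
    for a, b in terms:
        if a in privs:
            out.append(dh(privs[a], pubs[b]))
        elif b in privs:
            out.append(dh(privs[b], pubs[a]))
        else:
            return None
    return kdf(out)

def kci_outcome(terms, compromised):
    """True when a party holding only the listed Bob private keys, everyone's
    public keys and a forged "Alice" ephemeral derives the same secret Bob
    computes for that ephemeral, i.e. Bob would accept the forged message."""
    keys = {n: keygen() for n in ("A_static", "B_static", "B_prekey", "A_eph")}
    pubs = {n: kp[1] for n, kp in keys.items()}
    bob_privs = {n: keys[n][0] for n in ("B_static", "B_prekey")}
    forger_privs = {n: keys[n][0] for n in compromised}
    forger_privs["A_eph"] = keys["A_eph"][0]   # forged ephemeral, not Alice's
    bob_secret = derive(terms, bob_privs, pubs)
    forged_secret = derive(terms, forger_privs, pubs)
    return forged_secret is not None and forged_secret == bob_secret
```

`kci_outcome(X4DH, ["B_static", "B_prekey"])` is True, matching Trevor's point that the static-static term changes nothing once Bob's static key is compromised, while `kci_outcome(X4DH, ["B_prekey"])` is False, the one case where it helps.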