Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Kevin Smith
> On 30 Mar 2017, at 17:30, Florian Schmaus wrote: > > On 30.03.2017 18:24, Kevin Smith wrote: >> OMEMO’s initial publication was delayed for some time, in large part because >> of the need to move away from a situation where it can only be practically >> implemented by

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Florian Schmaus
On 30.03.2017 18:24, Kevin Smith wrote: > OMEMO’s initial publication was delayed for some time, in large part because > of the need to move away from a situation where it can only be practically > implemented by using a single library. It’s a shame if we’ve still not > resolved that

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Kevin Smith
On 30 Mar 2017, at 17:13, Florian Schmaus wrote: > > On 30.03.2017 18:02, Dave Cridland wrote: >> On 30 March 2017 at 16:00, Florian Schmaus wrote: >>> On 30.03.2017 15:54, Remko Tronçon wrote: On 30 March 2017 at 15:10, Andreas Straub

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Florian Schmaus
On 30.03.2017 18:02, Dave Cridland wrote: > On 30 March 2017 at 16:00, Florian Schmaus wrote: >> On 30.03.2017 15:54, Remko Tronçon wrote: >>> On 30 March 2017 at 15:10, Andreas Straub >> > wrote: >>> You raise a valid point. I agree

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Dave Cridland
On 30 March 2017 at 16:00, Florian Schmaus wrote: > On 30.03.2017 15:54, Remko Tronçon wrote: >> On 30 March 2017 at 15:10, Andreas Straub > > wrote: >> You raise a valid point. I agree that this construction seems >> cleaner from a

[Standards] Interaction between Last Message Correction (XEP-0308) and Client State Indication (XEP-0352)

2017-03-30 Thread Thibaut Girka
Hi, As a Conversations user, I was surprised by it not supporting Last Message Correction in anonymous Multi-User Chatrooms. And indeed, it performs checks different to those recommended in the “Security Considerations” of XEP-0308. In particular, it requires real JIDs to match in MUCs, thus not

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Florian Schmaus
On 30.03.2017 15:54, Remko Tronçon wrote: > On 30 March 2017 at 15:10, Andreas Straub > wrote: > You raise a valid point. I agree that this construction seems > cleaner from a purely theoretical standpoint. > > Permissible implementations of XEdDSA

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Remko Tronçon
Hi Andy, Thanks for responding! On 30 March 2017 at 15:10, Andreas Straub wrote: > You raise a valid point. I agree that this construction seems cleaner from > a purely theoretical standpoint. > Actually, it's the practical standpoint that worries me most, in that this is not

Re: [Standards] OMEMO (XEP-0384) Crypto Questions/Remarks

2017-03-30 Thread Travis Burtrum
On 03/30/2017 08:47 AM, Andreas Straub wrote: > GCM also isn't > quite as easily available on some platforms as we'd like, whereas CBC > and HMAC are pretty much ubiquitous. The HTTP/2 spec mandates support of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [1] and I'd guess HTTP/2 is already supported

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Kevin Smith
On 30 Mar 2017, at 14:10, Andreas Straub wrote: >> So, I'm wondering whether it wouldn't make more sense to not carry the >> Signal legacy around in OMEMO, use Ed25519 keys as identity keys, and >> adapt X3DH to use these for creating an initial shared secret (with the >> same

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Andreas Straub
Hi Remko, So, I'm wondering whether it wouldn't make more sense to not carry the Signal legacy around in OMEMO, use Ed25519 keys as identity keys, and adapt X3DH to use these for creating an initial shared secret (with the same properties). The rest of the protocol can stay the same, since

Re: [Standards] OMEMO (XEP-0384) Crypto Questions/Remarks

2017-03-30 Thread Andreas Straub
Hi Remko, thanks for taking a look. Should AES-GCM be considered as an AEAD scheme instead of AES-CBC+HMAC? As far as I can tell, it is more convenient to use, and more efficient (but I'm no crypto expert, maybe there are other reasons against/for it). We're using AES-CBC/HMAC in ODR,

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Remko Tronçon
Hi Daniel, On 30 March 2017 at 10:31, Daniel Gultsch wrote: > Are you looking for this: https://whispersystems.org/docs/specifications/xeddsa/ > No, I've seen the spec, thanks. I'm looking for implementations of it. This is low-level crypto, I would think you don't want

Re: [Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Daniel Gultsch
Hi, 2017-03-30 10:09 GMT+02:00 Remko Tronçon : > X3DH relies on XEdDSA to be able to use Curve25519 keys to create > EdDSA-signatures. As far as I can tell, this solved a problem where all > long-standing identity keys in Signal were X25519, and they needed them to > create

[Standards] OMEMO (XEP-0384) use of X3DH / XEdDSA

2017-03-30 Thread Remko Tronçon
Hi, The upcoming version of the OMEMO XEP relies on X3DH for establishing an initial shared secret. In my extremely limited understanding of it, I'm wondering whether this is the best approach for OMEMO. X3DH relies on XEdDSA to be able to use Curve25519 keys to create EdDSA-signatures. As far