Re: Unreliable Delivery, Ratcheting, and Secret Reuse?
From: Christian Grothoff
Subject: Re: Unreliable Delivery, Ratcheting, and Secret Reuse?
Date: Fri, 10 Jul 2020 08:44:12 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

Hi Cy,

Please read up on the Axolotl/Signal protocol. It explains nicely how to
forget about secrets in the case of unreliable, out-of-order delivery.
This is also what CADET implements.

Happy hacking!

Christian

On 7/10/20 6:03 AM, Cy wrote:
> If I have a shared secret ratchet going on, and I send something
> encrypted with secret 1, I can't get rid of secret 1, can I? I need to
> wait until the peer sends me something encrypted with secret 2, before
> I know we've both gone past secret 1. But waiting is dumb. If I want to
> send multiple messages in a row, can't I continue using secret 1?
> Usually I'll just wait for a reply, but just if there are like, updates
> or typos, or something.
>
> I can't think of a scenario where I'd send a message, and then send
> another one, and the first would be more incriminating than the second.
> Worst comes to worst I could have a special "Abort" message that says I
> threw away all secrets because I sent a message I regret. But if the
> Abort message itself is lost and never delivered...
>
> Sorry this is really confusing me. Because if I send S1(M1) then
> discard S1 for S2, with unreliable delivery, S1(M1) might never reach
> you, so when you wanted to send me a message you'd use S1 too, and I
> wouldn't be able to decrypt it anymore. But if I hold onto S1, and only
> discard it when you use S2 or S3, then we won't have to re-establish
> the conversation, in a way that seems much easier to monitor than the
> reuse of a shared secret.
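
The idea the reply points to, reduced to the symmetric chain of an Axolotl/Signal-style ratchet, as an added example that is not part of the original message and is not CADET's code: the sender drops each chain key as soon as it is used, and the receiver caches keys only for message numbers it skipped. The names `kdf`, `Sender`, `Receiver` and `MAX_SKIP`, the root secret, and the omission of the DH ratchet and of actual encryption are assumptions of this sketch.

```python
import hashlib
import hmac

MAX_SKIP = 100  # constructed bound on how many skipped keys may be cached


def kdf(chain_key: bytes):
    """One chain step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key


class Sender:
    def __init__(self, root: bytes):
        self.ck, self.n = root, 0

    def next_key(self):
        """Returns (message_number, message_key) and advances the chain."""
        # The reference to the old chain key is dropped here; nothing is
        # kept that could re-derive an earlier message key.
        self.ck, mk = kdf(self.ck)
        n, self.n = self.n, self.n + 1
        return n, mk


class Receiver:
    def __init__(self, root: bytes):
        self.ck, self.n, self.skipped = root, 0, {}

    def key_for(self, n: int) -> bytes:
        """Key for message number n, whatever order messages arrive in."""
        if n in self.skipped:
            return self.skipped.pop(n)  # late message: use once, then forget
        if n < self.n:
            raise KeyError("message key already used and forgotten")
        if n - self.n > MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.n < n:  # cache keys for messages not yet seen
            self.ck, self.skipped[self.n] = kdf(self.ck)
            self.n += 1
        self.ck, mk = kdf(self.ck)
        self.n += 1
        return mk
```

A key cached for a message that never arrives stays in `skipped` until it is evicted, so a real implementation also expires those entries.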