On 20/02/13 02:49, Jonathan Warren wrote:
> Suppose when Alice first sends a message to Bob she also includes
> a short term public key. Bob takes the short term public key and
> encrypts symmetric_key_1 ("SK1") and also encrypts a message with
> SK1 and sends the encrypted SK1 and the encrypted message to Alice.
> Alice decrypts the encrypted SK1 with her short term private key
> and then uses SK1 to decrypt the message. The short term public key
> pair can now be deleted. When Alice replies, she sends the message
> and a new SK2, encrypted with SK1, to Bob. Bob will decrypt with
> SK1 and store SK2. When he sends a message, he encrypts his message
> along with a new key, SK3, with SK2. This continues with a new
> symmetric key each time. Both parties must remember the last SK
> that they suggested to the other party, and also the last SK that
> they received from the other party. All others can be deleted.

This is quite close to what OTR does, except that instead of sending a public encryption key, OTR sends a public DH key and derives the encryption and MAC keys from the most recently received DH keys. You could do the same here, and make the first and last messages forward secret by adding setup and teardown phases. In fact you could reuse OTR in a store-and-forward context, as far as I can see.

Like OTR, the forward secrecy properties of what you describe depend on the frequency of communication in both directions: if Alice sends messages to Bob but Bob never replies, Alice doesn't receive any new keys for Bob, so she can't delete Bob's public key and he can't delete his private key.

I didn't like that constraint when I was designing the transport protocol for Briar, so I opted for a design based on periodic replacement of symmetric keys using a one-way key derivation function instead:

https://fulpool.org/btp.pdf

Cheers,
Michael

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
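
Added example (not part of the original message, and not Briar's or OTR's code): a small Python model of the constraint discussed in the reply, comparing the quoted chained-key scheme with one-way key rotation when Alice sends and Bob never replies. The HMAC-SHA256 `rotate` step, the one-message-per-period schedule and all function names are assumptions for illustration; the actual construction is in the linked paper.

```python
import hashlib
import hmac
import os


def rotate(key: bytes) -> bytes:
    """One-way step to the next period's key (assumed construction: HMAC-SHA256)."""
    return hmac.new(key, b"rotate", hashlib.sha256).digest()


def chained_one_way_traffic(n: int):
    """Quoted chained-key scheme, Alice sends n messages and Bob stays silent.

    Returns (key protecting each message, keys Bob must still hold afterwards).
    """
    sk1 = os.urandom(32)               # last key Bob suggested, so the only one Alice may use
    used, last_from_alice = [], None
    for _ in range(n):
        last_from_alice = os.urandom(32)   # fresh key Alice suggests inside each message
        used.append(sk1)                   # no reply from Bob, so SK1 is reused every time
    return used, [sk1, last_from_alice]    # Bob cannot delete SK1 until he replies


def rotated_one_way_traffic(n: int):
    """Periodic rotation, one message per period (constructed schedule)."""
    key = os.urandom(32)               # shared secret from a setup phase
    used = []
    for _ in range(n):
        used.append(key)
        key = rotate(key)              # old key is overwritten on both sides
    return used, [key]


def exposed(used, stolen, lookahead=0):
    """Count past messages readable from keys stolen off the receiver.

    The attacker may also run rotate() forward on anything stolen.
    """
    reachable = set()
    for k in filter(None, stolen):
        for _ in range(lookahead + 1):
            reachable.add(k)
            k = rotate(k)
    return sum(1 for k in used if k in reachable)


if __name__ == "__main__":
    print("chained, Bob silent :", exposed(*chained_one_way_traffic(5)))
    print("one-way rotation    :", exposed(*rotated_one_way_traffic(5), lookahead=10))
```

In the chained case every message sent while Bob is silent stays readable from his stored key; with rotation, the key held at the time of compromise cannot be run backwards to earlier periods.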