On 20/02/13 02:49, Jonathan Warren wrote:
> Suppose when Alice first sends a message to Bob she also includes
> a short term public key. Bob takes the short term public key and
> encrypts symmetric_key_1 ("SK1") and also encrypts a message with
> SK1 and sends the encrypted SK1 and the encrypted message to Alice.
> Alice decrypts the encrypted SK1 with her short term private key
> and then uses SK1 to decrypt the message. The short term public key
> pair can now be deleted. When Alice replies, she sends the message
> and a new SK2, encrypted with SK1, to Bob. Bob will decrypt with
> SK1 and store SK2. When he sends a message, he encrypts his message
> along with a new key, SK3, with SK2. This continues with a new
> symmetric key each time. Both parties must remember the last SK 
> that they suggested to the other party, and also the last SK that
> they received from the other party. All others can be deleted.

This is quite close to what OTR does, except that instead of sending a
public encryption key, OTR sends a public DH key and derives the
encryption and MAC keys from the most recently received DH keys. You
could do the same here, and make the first and last messages forward
secret by adding setup and teardown phases. In fact you could reuse
OTR in a store-and-forward context, as far as I can see.

Like OTR, the forward secrecy properties of what you describe depend
on the frequency of communication in both directions: if Alice sends
messages to Bob but Bob never replies, Alice doesn't receive any new
keys for Bob, so she can't delete Bob's public key and he can't delete
his private key. I didn't like that constraint when I was designing
the transport protocol for Briar, so I opted for a design based on
periodic replacement of symmetric keys using a one-way key derivation
function instead:

https://fulpool.org/btp.pdf

Cheers,
Michael

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
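
The message above contrasts two key-replacement strategies. The following is an added example, not part of the original message and not code from OTR or Briar: it models only key lifetimes (no encryption is performed) and reports which past messages are readable from the keys still stored when an endpoint is compromised. HMAC-SHA256 as the one-way function, the period numbering, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def rotate(key: bytes) -> bytes:
    """One-way step: derive the next period's key; the old key is then deleted."""
    return hmac.new(key, b"rotate", hashlib.sha256).digest()

def exposed_reply_ratchet(senders: str) -> list:
    """Quoted scheme: every message encloses a fresh key for the peer's next message.
    senders is a constructed traffic pattern such as "ABAAAA".
    Returns indices of messages whose key is still stored after the last message."""
    # Last key each party suggested to the other (setup-phase keys at first).
    suggested = {"A": os.urandom(32), "B": os.urandom(32)}
    used = []
    for s in senders:
        peer = "B" if s == "A" else "A"
        used.append(suggested[peer])   # encrypt under the last key the peer suggested
        suggested[s] = os.urandom(32)  # enclose a new key; the one it replaces is deleted
    stored = set(suggested.values())   # last suggested + last received, both sides
    return [i for i, k in enumerate(used) if k in stored]

def exposed_time_rotation(send_periods: list, compromise_period: int) -> list:
    """Periodic one-way rotation: the key advances once per period, traffic or not.
    send_periods must be non-decreasing. Returns indices of past messages whose
    key equals the key held at compromise (earlier keys cannot be recomputed)."""
    key, period, used = os.urandom(32), 0, []
    for p in send_periods:
        while period < p:
            key, period = rotate(key), period + 1
        used.append(key)
    while period < compromise_period:
        key, period = rotate(key), period + 1
    return [i for i, k in enumerate(used) if k == key]

if __name__ == "__main__":
    print("reply ratchet, both talk :", exposed_reply_ratchet("ABABAB"))
    print("reply ratchet, Bob silent:", exposed_reply_ratchet("ABAAAA"))
    print("time rotation, period 5  :", exposed_time_rotation([0, 1, 2, 3, 4, 5], 5))
    print("time rotation, period 6  :", exposed_time_rotation([0, 1, 2, 3, 4, 5], 6))
```

With replies flowing, the reply-driven scheme exposes only the latest message; once one side goes silent, every message sent since its last reply shares one long-lived key, while time-based rotation bounds exposure to the current period regardless of traffic.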