Depending on what you're using this protocol for you maybe should try to
make it so that an attacker cannot tell that two messages are for the same
recipient, nor which message comes before another even with access to long
term keys of one or both parties after the fact. (Forward-anonymity
property).
Otherwise it may not be safe for use via remailers (when the exit is to a
public drop box like alt.anonymous.messages). And being able to prove who
sent which message to who after the fact is not good either, if that can be
distinguished with access to either parties long term keys (missing
forward-anonymity).
Adam
On Thu, Sep 19, 2013 at 09:20:04PM +0100, Michael Rogers wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 19/09/13 08:04, Trevor Perrin wrote:
I'd have to see a writeup to have real comments. But to address
the issue of "fragility":
It seems you're worried about per-message key updates because in
the (infrequent?) case that a sender's write to storage fails, an
old key would be reused for the next message.
What happens in that case? You mentioned random IVs, so I assume
the only problem is that the recipient can't decrypt it (as she's
already deleted the old key on receipt of the previous message).
The key reuse issue isn't related to the choice between time-based and
message-based updates. It's caused by keys and IVs in the current
design being derived deterministically from the shared secret and the
sequence number. If an endpoint crashes and restarts, it may reuse a
key and IV with new plaintext. Not good.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
