On 30/09/13 23:40, Trevor Perrin wrote:
> It'd be nice if Alice and Carol could use some additional,
> out-of-band channel to authenticate the ephemeral DH exchange.
To fill in some background: the use case for this feature is introducing two people who aren't face-to-face right now and don't share an authenticated channel, but who each share a confidential and authenticated channel with a third party. Users aren't assumed to know which channels are confidential or authenticated, so we shouldn't create any opportunities for mistakes in that regard. I think that rules out PAKE.

> Best I can think of are short auth strings (SAS), public-key
> fingerprints (if you added long-term "identity keys"), and PAKE.
>
> The tradeoffs are something like:
> * Key fingerprints and SAS are non-secret (unlike PAKE passwords)
> * SAS and PAKE can use short strings of several chars (unlike fingerprints)
> * Fingerprints can be exchanged before *or* after the ephemeral DH handshake (unlike PAKE passwords or SAS)
> * Fingerprints can be confirmed with 3rd parties or public records (unlike PAKE passwords or SAS)
> * Fingerprints and PAKE can be compatible with a single, unordered handshake exchange of ephemeral DH values, unlike SAS

Thanks, this is a really useful comparison.
Perhaps we can combine some of the advantages of fingerprints and SAS:

* The introducees exchange single-use public keys, signed with their long-term private keys, via the introducer
* The introducees derive a shared secret, destroy their single-use private keys, and start key rotation
* The introducees exchange acks via the introducer
* The introducees can optionally obtain each other's long-term public keys from other third parties, before or after the introduction
* If the introducees meet face-to-face, they can confirm each other's long-term public keys using SAS:
  - The users verbally exchange short codes to enable their devices to find each other over a short-range transport such as wifi
  - The devices exchange hash commitments and ephemeral public keys
  - The users verbally exchange short authentication strings
  - If the strings match, the devices derive symmetric encryption and authentication keys from the ephemeral shared secret
  - Within the ephemeral secure channel, the devices exchange long-term public keys and a value derived from the current temporary secret, signed with their long-term private keys, as verification that they own those keys and have the same shared secret
* Nobody signs anything that proves who their contacts are

Any thoughts on cryptographic or usability aspects?

Cheers,
Michael

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography