On 4/22/14, 9:17 AM, Brian Warner wrote:
> My coworker Graydon (inventor of Monotone and Rust, and absolutely
> brilliant all-around genius, IMHO), asked me to forward along this
> description of an encrypted group-messaging system he's been
> working on, originally named "sneakertext" but now abbreviated to
> "stxt"

There may be ideas here relevant to the multiparty message order / transcript consistency discussion (and "KleeQ", which this is based on, seems also relevant [0]).

But this simplifies the authentication from KleeQ in a way that seems insecure to me. In particular, there are no long-term public keys. Group key agreement is done using unauthenticated DH [1]. So an active attacker could easily become a MITM between participants.

For authentication, there's mention of "triangulation" [2] where Alice authenticates Bob by sending a nonce to Charlie and asking him to forward it to Bob, who then sends it back to her. This is intended to confirm that Charlie's Bob is the same as Alice's Bob. But a MITM could simply forward the nonces.

The "traditional" approach is probably better: use identity public keys and authenticated key agreement, and have parties corroborate Bob by comparing their view of Bob's public key.

Another issue, inherited from KleeQ, is that messages within a group are authenticated using only the group symmetric key [3]. So I think any member within a group could forge messages claiming to come from another member.

For message authentication, it's probably better to either:

(a) Use an ephemeral/deniable signing key to sign messages encrypted with the group symmetric key (like mpOTR); or

(b) Use pairwise symmetric keys between participants (like TextSecure).
Trevor

[0] http://cacr.uwaterloo.ca/techreports/2007/cacr2007-03.pdf
[1] https://github.com/graydon/stxt/blob/master/src/key.js
[2] https://github.com/graydon/stxt/blob/master/DESIGN.md
[3] https://github.com/graydon/stxt/blob/master/src/msg.js
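The insider-forgery problem described above (a MAC under a key every member holds proves nothing about which member sent the message) and option (b), pairwise keys, as an added example that is not part of the post and not code from stxt or KleeQ. Member names and keys are constructed placeholders; the HMAC construction and the all-zero "guessed" key stand in for whatever the real systems use.

```python
"""Insider forgery under a group-shared MAC key versus pairwise keys.

Added example, not code from stxt or KleeQ. Three constructed members share
one group key (stxt/KleeQ style) and, for option (b), one key per pair
(TextSecure style). Keys are random placeholders generated at import time.
"""
import hashlib
import hmac
import os
from itertools import combinations

MEMBERS = ["alice", "bob", "charlie"]
GROUP_KEY = os.urandom(32)                                   # known to every member
PAIR_KEYS = {frozenset(p): os.urandom(32) for p in combinations(MEMBERS, 2)}


def _tag(key, sender, text):
    # Bind the claimed sender into the MAC input; a NUL separator avoids ambiguity.
    return hmac.new(key, f"{sender}\0{text}".encode(), hashlib.sha256).digest()


def group_key_auth(sender, text):
    # Any member knows GROUP_KEY, so any member can mint a valid tag for any 'sender'.
    return {"sender": sender, "text": text, "tag": _tag(GROUP_KEY, sender, text)}


def group_key_verify(msg):
    return hmac.compare_digest(_tag(GROUP_KEY, msg["sender"], msg["text"]), msg["tag"])


def pairwise_auth(sender, text):
    # One tag per recipient, under a key that only the sender and that recipient hold.
    tags = {r: _tag(PAIR_KEYS[frozenset((sender, r))], sender, text)
            for r in MEMBERS if r != sender}
    return {"sender": sender, "text": text, "tags": tags}


def pairwise_verify(msg, recipient):
    key = PAIR_KEYS[frozenset((msg["sender"], recipient))]
    return hmac.compare_digest(_tag(key, msg["sender"], msg["text"]), msg["tags"][recipient])


def insider_forge_pairwise(forger, claimed_sender, text):
    # A dishonest member only holds the pairwise keys that involve themself; for the
    # other pairs the best they can do is guess (modelled here as an all-zero key).
    tags = {}
    for r in MEMBERS:
        if r == claimed_sender:
            continue
        pair = frozenset((claimed_sender, r))
        key = PAIR_KEYS[pair] if forger in pair else bytes(32)
        tags[r] = _tag(key, claimed_sender, text)
    return {"sender": claimed_sender, "text": text, "tags": tags}
```

With the group key, a message Charlie builds with `sender="bob"` verifies for everyone; with pairwise keys, the same forgery is rejected by Alice because Charlie never held the Alice/Bob key, and only Charlie himself would accept it.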
