On 10/31/2014 08:00 AM, Ximin Luo wrote:
> But if you want a scheme where any device that you might want to
> connect to your account (in the future) can decrypt old history, then
> I don't think you can get true forward secrecy, since this would
> likely involve storing the history somewhere with a key that doesn't
> get destroyed. There's no impossibility result that I know of, but no
> "breakthrough" yet either..
The way we handle multi-device for TextSecure is this:

1) You have an existing device 'A'.

2) You 'provision' an additional device 'B' using an authorization process that involves scanning a QR code. This securely communicates the identity key to the new device using a PFS scheme.

3) The server now knows there are two physical devices registered for the same logical user. Each device has its own set of prekeys, but the same identity key.

4) Device 'A' can use a regular axolotl session to transmit existing message history to device 'B'.

5) The server enforces that new incoming messages are encrypted to both devices. Both devices essentially have their own axolotl session with the sender.

6) Each device sends the other device a copy of outgoing messages using a regular axolotl session.

This way all new incoming messages are naturally synchronized across devices, since each device will get its own copy. Outgoing messages are visible across all devices. And existing message history can be synchronized across all devices during the provisioning process.

Everything sits on top of axolotl under the hood, so everything is transmitted with the properties that axolotl gets you.

- moxie

-- 
http://www.thoughtcrime.org

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
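The server-side rules in steps 3, 5 and 6 above, as an added toy model that is not TextSecure/Signal code: the `Server` class, its method names and the `MismatchedDevices` exception are hypothetical, and ciphertexts are placeholder bytes standing in for per-device axolotl session output. The point it shows is that once device B is provisioned, a bundle that only addresses device A is rejected rather than leaving B silently out of sync.

```python
# Toy model of the multi-device fan-out rules (hypothetical names, not the
# real server). Per-device prekeys and the axolotl sessions themselves are
# out of scope; each ciphertext is just an opaque bytes value.

class MismatchedDevices(Exception):
    """Bundle does not cover exactly the recipient's registered devices."""
    def __init__(self, missing, extra):
        super().__init__(f"missing={sorted(missing)} extra={sorted(extra)}")
        self.missing, self.extra = set(missing), set(extra)


class Server:
    def __init__(self):
        self.accounts = {}    # user -> {device_id: identity_key}
        self.mailboxes = {}   # (user, device_id) -> list of opaque ciphertexts

    def register(self, user, device_id, identity_key):
        """Step 1: the user's first device."""
        self.accounts[user] = {device_id: identity_key}
        self.mailboxes[(user, device_id)] = []

    def provision(self, user, new_device_id, identity_key):
        """Steps 2-3: device B joins. It must present the identity key it was
        handed by device A during the QR-code provisioning exchange."""
        devices = self.accounts[user]
        if identity_key not in devices.values():
            raise ValueError("identity key does not match the existing account")
        devices[new_device_id] = identity_key
        self.mailboxes[(user, new_device_id)] = []

    def deliver(self, recipient, envelopes):
        """Step 5: `envelopes` maps device_id -> ciphertext for that device's
        own session. Accept only if every registered device, and nothing
        else, is addressed, so no device silently misses a message."""
        registered = set(self.accounts[recipient])
        addressed = set(envelopes)
        if addressed != registered:
            raise MismatchedDevices(registered - addressed, addressed - registered)
        for device_id, ciphertext in envelopes.items():
            self.mailboxes[(recipient, device_id)].append(ciphertext)
        return len(envelopes)

    def sync_outgoing(self, user, sender_device, copies):
        """Step 6: the sending device hands each sibling device its own copy
        of the outgoing message, again one ciphertext per device session."""
        siblings = set(self.accounts[user]) - {sender_device}
        if set(copies) != siblings:
            raise MismatchedDevices(siblings - set(copies), set(copies) - siblings)
        for device_id, ciphertext in copies.items():
            self.mailboxes[(user, device_id)].append(ciphertext)
        return len(copies)
```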
