On 28/11/14 04:24, Stephen wrote: > This all side steps the core contention. The more interlocutors, the larger > profile for endpoint based attacks, and therefore the less security. If I can > break one device then all communications are compromised for the entire group. > > How is this supposed to be dealt with? Is this an intrinsic constraint? If > so, this needs to be communicated appropriately. >
If you break one device, then the communications are compromised for that session, since the device has all the secret material needed to participate in the session. As you point out this risk increases with the size of the group. However, one can devise a key agreement where the long-term keys are needed only at the start. Then, in principle, one can remove long-term keys from the device *during a session*, such that if the device is compromised, only the active sessions are compromised and no other existing sessions (on different devices) are affected, and no new sessions can be started (without compromising the long-term key). I can't remember if Axolotl has this property. If any future messages in the ratchet need the long-term key to derive more messages/secrets, then it doesn't. I remember we were playing with other ratchets and trying to add this property in there, at last year's RWC though - it is definitely possible in principle. However, this property is somewhat secondary if you have a weak endpoint like the current generation of mobile phones. To solve this problem effectively, we need to push for verifiably-secure software and hardware at the endpoints. I don't think it's something that can be fixed on the protocol layer. X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
