TextSecure clients are storing a trusted identity key per TextSecure identifier (currently phone numbers, but nothing prevents us from using email identifiers in the future).
When a message is received, the clients are verifying that the message belongs to a session for that TextSecure identifier and then checking public keys for that identifier. The UKS attack doesn’t seem to work in practice, but I guess that what the authors wanted to point out is that there is no cryptographic guarantee that the key belongs to the people you’re talking to.

> On 20 Dec 2014, at 00:09, Trevor Perrin <[email protected]> wrote:
>
> On Fri, Dec 19, 2014 at 2:47 PM, Joseph Bonneau <[email protected]> wrote:
>>
>> On Fri, Dec 19, 2014 at 5:35 PM, Trevor Perrin <[email protected]> wrote:
>>>
>>> If Bob lies to his girlfriend Alice and gives her Charlie's fingerprint
>>> and phone number, Bob doesn't need to register anything.
>>
>> I guess there are two types of attack:
>>
>> In the first one Bob and Charlie both have accounts (separate usernames),
>> and Bob changes to have Charlie's key fingerprint then tries to redirect
>> Alice's message to Charlie. I was arguing you can prevent this version
>> fairly cheaply in a centralized service by preventing key fingerprint
>> collisions.
>
> A service can prevent this even more cheaply by not allowing Bob to
> redirect Alice's messages.
>
>
>> In the second, Bob has no account. He tells Alice that Charlie's username X
>> is really his (and perhaps even has Charlie's QR code on his screen so Alice
>> is convinced she's "verified" that Bob really owns X). Fixing that probably
>> requires that the verification is a challenge-response proving knowledge of the
>> private keys as the authors of the paper suggested and I agree that's
>> probably not worth it.
>
> Yeah, it's not worth it (IMO) and isn't a certain fix (Bob can relay
> the challenge-response through someone else querying Charlie).
>
>
> Trevor
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
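
An added example, not part of the original message and not TextSecure's code: a simplified model of the two checks discussed in this thread, the client's per-identifier key pinning and a server that refuses identity-key collisions. The class names, the SHA-256 fingerprint, the phone numbers and the key bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: fictional identifiers and stand-in key bytes.
BOB, CHARLIE = "+15550101", "+15550102"
BOB_KEY, CHARLIE_KEY = b"bob-identity-public-key", b"charlie-identity-public-key"


def fingerprint(identity_key: bytes) -> str:
    """Fingerprint used for collision checks (assumed here: SHA-256 hex)."""
    return hashlib.sha256(identity_key).hexdigest()


class TrustStore:
    """Client side: exactly one trusted identity key per identifier."""

    def __init__(self):
        self._pinned = {}  # identifier -> identity key

    def trust(self, identifier: str, identity_key: bytes) -> None:
        self._pinned[identifier] = identity_key

    def accepts(self, sender_id: str, sender_key: bytes) -> bool:
        """True only if sender_key is the key pinned for sender_id."""
        pinned = self._pinned.get(sender_id)
        return pinned is not None and hmac.compare_digest(pinned, sender_key)


class Directory:
    """Server side: an identity key may be bound to one identifier only."""

    def __init__(self):
        self._owner = {}  # fingerprint -> identifier that registered it first

    def register(self, identifier: str, identity_key: bytes) -> bool:
        owner = self._owner.setdefault(fingerprint(identity_key), identifier)
        return owner == identifier


def scenarios() -> dict:
    directory, alice = Directory(), TrustStore()
    directory.register(CHARLIE, CHARLIE_KEY)
    # Bob lied in person: Alice pins Charlie's number and key as if they were Bob's.
    alice.trust(CHARLIE, CHARLIE_KEY)
    return {
        "bob_registers_charlies_key": directory.register(BOB, CHARLIE_KEY),
        "bob_id_with_charlies_key": alice.accepts(BOB, CHARLIE_KEY),
        "charlie_id_with_bobs_key": alice.accepts(CHARLIE, BOB_KEY),
        "charlie_own_message": alice.accepts(CHARLIE, CHARLIE_KEY),
    }
```

The last scenario passes every check even though Alice believes the pinned key is Bob's, which is the second case in the thread: neither the pin nor the collision rule can see what Alice was told out of band.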
