On Fri, Mar 27, 2015 at 6:46 PM, Jeff Burdges <[email protected]> wrote:
>
> Pond clients are identified to the server by a Curve25519 key pair called the
> identity key, stored in client.identityPublic and client.identity.
>
> At present, your contacts all know your identity key, stored in
> Contact.theirIdentityPublic. An adversary who both hacks the pond server and
> compromises any of your contacts thus learns when you receive messages, when
> you collect messages, and message sizes. I suppose the group signature
> scheme necessitated this, but...

Hi Jeff,

I'm not following - your Pond mailbox server already learns "when you receive
messages, [and] when you collect messages". Delivery tokens control whether the
server accepts a mail for your inbox, but I don't see how they affect the
server's knowledge of when mails arrive in that inbox, or when they're
retrieved.

I also had trouble following below; I don't have the details of Pond's key
management fresh in mind, so a slower explanation with more background would
help.

> Pond will eventually replace the group signature scheme for delivery
> authentication with an HMAC token based scheme:
> https://moderncrypto.org/mail-archive/messaging/2014/000409.html
>
> At that point, there is no need to expose this identity key to your contacts
> any longer.
>
> Instead, clients could hide identityPublic inside the tokens they give to
> their contacts. I expect this necessitates a larger token than merely {x,
> HMAC(k, y)} because the server must know k to efficiently locate the mailbox.
> Clients could however encrypt the z ++ client.identityPublic to the server
> identity key returned by parseServer(..) where z is HMAC(k, y), y++HMAC(k,y),
> or even just y, eliminating the need to communicate y elsewhere.
>
> At present, newRatchet does use contact.theirIdentityPublic but it could
> easily be modified to use a key derived from theirPub using
> extra25519.PrivateKeyToCurve25519(..) and
> extra25519.PublicKeyToCurve25519(..).

Trevor

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
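The thread discusses an HMAC-based delivery-token scheme and whether it changes what the mailbox server learns. The following is an added, constructed model of such a scheme, written for this page; it is not Pond's code, not the scheme from the linked 000409 post, and not code from either poster. It assumes a per-mailbox token key `k` shared between the mailbox owner and the server, one-time tokens of the form `(y, HMAC(k, y))` handed to contacts, and an opaque `mailbox_id` for addressing; the class and function names (`MailboxServer`, `MailboxOwner`, `mint_tokens`, `deliver`, `demo`) are hypothetical. It shows that the server can verify tokens and reject forgeries and replays without the token carrying the owner's identity key, while the server still observes every arrival and its size, which is the point Trevor raises.

```python
"""Constructed HMAC delivery-token model (illustration only, not Pond's code)."""
import hashlib
import hmac
import secrets

TOKEN_NONCE_BYTES = 16  # size of the per-token random value y (assumption)


class MailboxServer:
    """Toy mailbox server: stores ciphertexts, gates delivery on tokens."""

    def __init__(self):
        self.keys = {}    # mailbox_id -> per-mailbox token key k (assumed shared)
        self.spent = {}   # mailbox_id -> set of spent y values (replay protection)
        self.inbox = {}   # mailbox_id -> delivered ciphertexts
        self.log = []     # (mailbox_id, size) for every accepted delivery

    def register(self, mailbox_id, k):
        self.keys[mailbox_id] = k
        self.spent[mailbox_id] = set()
        self.inbox[mailbox_id] = []

    def deliver(self, mailbox_id, token, ciphertext):
        """Accept the mail only if the token verifies under k and is unspent."""
        y, tag = token
        k = self.keys.get(mailbox_id)
        if k is None:
            return False
        expected = hmac.new(k, y, hashlib.sha256).digest()
        # constant-time comparison so tag checking does not leak by timing
        if not hmac.compare_digest(expected, tag):
            return False
        if y in self.spent[mailbox_id]:
            return False  # one-time token already used
        self.spent[mailbox_id].add(y)
        self.inbox[mailbox_id].append(ciphertext)
        # The server inevitably sees that something arrived, and how large it is.
        self.log.append((mailbox_id, len(ciphertext)))
        return True


class MailboxOwner:
    """Mailbox owner: shares k with the server and mints tokens for contacts."""

    def __init__(self, mailbox_id, server):
        self.mailbox_id = mailbox_id
        self.k = secrets.token_bytes(32)
        server.register(mailbox_id, self.k)

    def mint_tokens(self, n):
        """Return n one-time tokens (y, HMAC(k, y)); none embeds an identity key."""
        tokens = []
        for _ in range(n):
            y = secrets.token_bytes(TOKEN_NONCE_BYTES)
            tokens.append((y, hmac.new(self.k, y, hashlib.sha256).digest()))
        return tokens


def demo():
    """Exercise the model and return the observable outcomes as a dict."""
    server = MailboxServer()
    owner = MailboxOwner(b"mailbox-A", server)          # constructed mailbox id
    tokens = owner.mint_tokens(2)
    msg = b"\x00" * 1024                                  # constructed ciphertext

    first = server.deliver(b"mailbox-A", tokens[0], msg)   # fresh token: accepted
    replay = server.deliver(b"mailbox-A", tokens[0], msg)  # same token: rejected
    y, tag = tokens[1]
    forged = server.deliver(b"mailbox-A", (y, bytes(32)), msg)  # bad tag: rejected

    return {
        "first_delivery": first,
        "replay": replay,
        "forged_tag": forged,
        "arrival_events": len(server.log),   # server saw exactly one arrival
        "observed_size": server.log[0][1] if server.log else None,
    }


if __name__ == "__main__":
    print(demo())
```

The token key `k` here is shared with the server so it can verify tags directly; a design where the server must try several keys to locate the mailbox, or where extra material is encrypted to the server's key as the quoted text proposes, is not modelled.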
