On Wed, 2015-09-09 at 21:57 +0200, Katriel Cohn-Gordon wrote:
> I'm not sure I follow that argument. Could you clarify why such
> messages would violate deniability?

If your Axolotl ratchet runs a 2DH or 3DH to advance the root key,
then:

(a) an adversary who gains temporary access to one device to MITM your
connection must obtain both users' identity keys, but

(b) an adversary who gains possession of one device can partially
violate the other user's deniability by enticing them to reply once or
twice to advance the ratchet. 

I suppose one could protect against (a) while largely protecting against
(b) by creating per-contact identity keys.  In fact, one could force an
adversary to interact more by using some previous ephemeral key in a 2DH
to advance the root key.

Jeff



_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
