On Tue, Sep 22, 2015 at 2:57 PM, Sebastian Verschoor <[email protected]> wrote:
> I thought of an attack on Axolotl that I believe is pointless, but maybe
> one of you sees an application for an adversary that I didn't think of.
[...]
> Bob acts as if he had never received her latest
> messages
[...]
>
> Even though it seems like a useless attack, the fact that you have to rely
> on the honesty of the other party to forward the ratchet seems like an
> unwanted property...
Not an attack, and Alice doesn't have to rely on the other party to "forward the ratchet".

The algorithm uses "symmetric-key ratcheting" and "DH ratcheting".

Alice can advance her symmetric-key ratchet just by deriving the next chain key and deleting the previous. This requires no cooperation from Bob, and protects the messages she sends against a later compromise.

The "DH ratchet" can add new entropy into Alice and Bob's keys, to help recover from a compromise. This necessarily involves Bob's cooperation. Alice can't force Bob to participate in the next DH step if he doesn't want to. (She also can't force him to choose secure keys, or keep secrets, etc; in an Alice-to-Bob secure channel, Alice and Bob are necessarily trusted parties).

Trevor

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
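The distinction in Trevor's reply, as an added illustration that is not code from the list or from Axolotl itself: a symmetric-key ratchet Alice advances alone (the old chain key is overwritten, so a later compromise yields only later keys) beside a DH ratchet step that needs a fresh shared secret from Bob to push an attacker off the chain. The KDFs (HMAC-SHA256 with distinct labels) and the DH outputs (opaque constructed byte strings) are simplifying assumptions, not the real Axolotl constructions.

```python
import hmac
import hashlib

def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-key ratchet step: (next chain key, message key).
    Assumed KDF: HMAC-SHA256 keyed by the chain key, with distinct labels."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    mk = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, mk

def kdf_rk(root_key: bytes, dh_output: bytes) -> tuple[bytes, bytes]:
    """One DH ratchet step: mix a fresh DH shared secret into the root key and
    start a new sending chain. Assumed KDF: HMAC-SHA256 keyed by the root key."""
    new_rk = hmac.new(root_key, b"\x01" + dh_output, hashlib.sha256).digest()
    new_ck = hmac.new(root_key, b"\x02" + dh_output, hashlib.sha256).digest()
    return new_rk, new_ck

class SendingChain:
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        # Overwrite (delete) the previous chain key; only the new one is kept.
        self.chain_key, mk = kdf_ck(self.chain_key)
        return mk

def run_scenario() -> dict:
    """Alice sends twice, her state is stolen, she sends again, then a DH step runs."""
    rk0 = hashlib.sha256(b"constructed root key").digest()
    rk, ck = kdf_rk(rk0, hashlib.sha256(b"constructed initial DH secret").digest())
    alice = SendingChain(ck)
    mk1 = alice.next_message_key()
    mk2 = alice.next_message_key()
    # Compromise: the attacker copies Alice's current chain key.
    stolen_ck = alice.chain_key
    # Symmetric ratchet alone: every later key of this chain is derivable from it...
    attacker_ck, attacker_mk3 = kdf_ck(stolen_ck)
    mk3 = alice.next_message_key()
    # ...but walking forward from the stolen state never reproduces mk1 or mk2.
    forward_keys, ck_walk = set(), stolen_ck
    for _ in range(16):
        ck_walk, mk = kdf_ck(ck_walk)
        forward_keys.add(mk)
    # DH ratchet: needs Bob's new public key; the attacker does not know the result.
    fresh_dh = hashlib.sha256(b"constructed fresh DH secret from Bob's new key").digest()
    rk, ck = kdf_rk(rk, fresh_dh)
    alice = SendingChain(ck)
    mk4 = alice.next_message_key()
    attacker_ck, attacker_mk4 = kdf_ck(attacker_ck)  # stolen chain no longer matches
    return {"mk3_tracked": attacker_mk3 == mk3, "mk4_tracked": attacker_mk4 == mk4,
            "past_key_recovered": mk1 in forward_keys or mk2 in forward_keys}
```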
