On 22/09/15 23:57, Sebastian Verschoor wrote: > Even though it seems like a useless attack, the fact that you have to rely on > the honesty of the other party to forward the ratchet seems like an unwanted > property... >
Intuitively, something is "an attack" if it allows the executor to do something we don't want them to be able to do. Is this the case here? The DH ratchet is meant to help the case where an attacker Mallory compromises Alice's session secrets, thereby gaining the ability to (1) authenticate as Alice, (2) encrypt to Bob, (3) decrypt incoming messages from Bob and (4) verify them. The DH ratchet helps Alice to force the attacker to lose these abilities for future messages. If Bob is co-operating with Mallory then he can prevent this recovery from happening, and retain these abilities. But what does that gain him? He can already read Alice's messages and authenticate as himself (2, 4); Mallory retains (1, 3). So I guess him and Mallory can have a fun game where they pretend that Mallory is Alice, and she is talking to Bob. :) In the group case, suppose that everyone is talking with each other across pairwise Axlotl sessions. Suppose Mallory compromises Alice, gaining (1, 2, 3, 4) paired with each other group member. Everyone else DH ratchets as normal, so Mallory loses those abilities, except for Bob. Now they can continue playing this fun game, but everyone else is unaffected. X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
