> On Feb 5, 2017, at 12:26 AM, Ron Garret <[email protected]> wrote:
>
>
> On Feb 4, 2017, at 1:53 PM, Nadim Kobeissi <[email protected]> wrote:
>
>> Forward secrecy relies much more on SPKs than OTPKs. Rather, OTPKs are there
>> to provide some notion of “freshness” to an authenticated key
>> exchange/agreement, so that two successive sessions between two people
>> aren’t more stale on the shared secret front due to SPK and identity key
>> re-use.
>
> I thought that was what Alice’s ephemeral key was for?
>
> Actually, I think I’ve figured it out. I had this idea in my head that the
> OTPKs were like nonces, that re-using them would compromise security, that is
> why the server had to be careful to only hand them out once (hence the OT
> part of OTPK). But that is not the case at all. The OTPKs are OT because
> Bob is going to destroy the corresponding secret key as soon as he receives a
> message encrypted using a particular OTPK in order to close the window of
> opportunity for an adversary as quickly as possible. So it actually does
> make sense to look at them as an add-on to X3DH and not as a completely
> separate protocol.

Yes, that’s correct.

>
> This still leaves a couple of operational concerns (OTPKs must be refreshed
> fairly often, and I think they need an expiration date). But it is not the case
> that a server compromise leads to a security breach. (The PK in OTPK should
> have been a clue!)

Yup!

>
> Thanks for the help,

You’re welcome!

> rg

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
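The behaviour Ron works out above (the server only ever holds public keys and hands each OTPK out once; Bob erases the matching private key the first time a message uses it; successive sessions that reuse the same SPK and identity key still get distinct secrets from the ephemeral key and the OTPK; when the server runs out, the exchange falls back to three DHs), as an added example that is not part of this thread and not Signal's own code. It uses finite-field DH over the RFC 3526 group-14 prime in place of X25519 and SHA-256 as the KDF; the names PrekeyServer, BobDevice, alice_initiate and demo are this example's own assumptions, and the prekey signature and the encryption of the initial message are omitted.

```python
"""Toy X3DH-style key agreement showing why one-time prekeys are one-time.

Added example, not from the mailing-list thread or from Signal. Assumed
names: PrekeyServer, BobDevice, alice_initiate, demo. Finite-field DH over
the RFC 3526 group-14 prime stands in for X25519; SHA-256 is the KDF; the
SPK signature and the AEAD on the first message are left out.
"""
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    """Fresh DH key pair; a 256-bit exponent is ample for this 2048-bit group."""
    priv = secrets.randbits(256) | 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(256, "big")


def kdf(dhs):
    return hashlib.sha256(b"toy-x3dh" + b"".join(dhs)).digest()


class PrekeyServer:
    """Stores Bob's public bundle only; each OTPK public key is handed out once."""

    def __init__(self, ik_pub, spk_pub, otpks):
        self.ik_pub, self.spk_pub = ik_pub, spk_pub
        self.otpks = list(otpks)  # [(otpk_id, otpk_pub), ...]; no private material

    def fetch_bundle(self):
        otpk = self.otpks.pop() if self.otpks else (None, None)
        return self.ik_pub, self.spk_pub, otpk


class BobDevice:
    def __init__(self):
        self.ik_priv, self.ik_pub = keygen()
        self.spk_priv, self.spk_pub = keygen()  # reused across many sessions
        self.otpk_priv = {}  # otpk_id -> private key, removed on first use

    def make_otpks(self, n):
        out = []
        for _ in range(n):
            priv, pub = keygen()
            otpk_id = secrets.token_hex(4)
            self.otpk_priv[otpk_id] = priv
            out.append((otpk_id, pub))
        return out

    def receive(self, msg):
        """DH1..DH3 as in X3DH, plus DH4 with the OTPK, whose secret is erased here."""
        dhs = [dh(self.spk_priv, msg["ik"]),
               dh(self.ik_priv, msg["ek"]),
               dh(self.spk_priv, msg["ek"])]
        if msg["otpk_id"] is not None:
            otpk_priv = self.otpk_priv.pop(msg["otpk_id"], None)
            if otpk_priv is None:
                raise KeyError("OTPK already consumed or unknown")
            dhs.append(dh(otpk_priv, msg["ek"]))
        return kdf(dhs)


def alice_initiate(alice_ik, server):
    """Alice's side: fresh ephemeral key per session, OTPK only if the server has one."""
    ik_priv, ik_pub = alice_ik
    ek_priv, ek_pub = keygen()
    bob_ik, bob_spk, (otpk_id, otpk_pub) = server.fetch_bundle()
    dhs = [dh(ik_priv, bob_spk), dh(ek_priv, bob_ik), dh(ek_priv, bob_spk)]
    if otpk_pub is not None:
        dhs.append(dh(ek_priv, otpk_pub))
    return kdf(dhs), {"ik": ik_pub, "ek": ek_pub, "otpk_id": otpk_id}


def demo():
    bob = BobDevice()
    server = PrekeyServer(bob.ik_pub, bob.spk_pub, bob.make_otpks(2))
    alice_ik = keygen()
    sk1, m1 = alice_initiate(alice_ik, server)
    sk2, m2 = alice_initiate(alice_ik, server)
    ok1 = bob.receive(m1) == sk1
    ok2 = bob.receive(m2) == sk2
    try:  # replaying m1: Bob no longer holds that OTPK secret, so nothing derives
        bob.receive(m1)
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    sk3, m3 = alice_initiate(alice_ik, server)  # OTPKs exhausted: 3-DH fallback
    return {"session1_ok": ok1, "session2_ok": ok2,
            "distinct_secrets": sk1 != sk2, "replay_rejected": replay_rejected,
            "fallback_without_otpk_ok": m3["otpk_id"] is None and bob.receive(m3) == sk3,
            "otpk_secrets_left_on_bob": len(bob.otpk_priv)}
```

Running `demo()` shows the two properties Ron settles on: a later dump of Bob's device state contains no OTPK secret for a session that has already been received, and the server never held anything but public keys, so compromising it yields no session secret. The exhausted-OTPK fallback is also the reason an operational process (replenishment, expiry) matters: without it, later sessions quietly lose the fourth DH.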
