[guardian-dev] ChatSecure

Tom Ritter tom at ritter.vg
Wed Aug 28 22:37:32 EDT 2013


On 28 August 2013 13:22, Michael Rogers <michael at briarproject.org> wrote:
> On 28/08/13 01:41, Tom Ritter wrote:
>> If Guardian does move forward with a prekeying approach (and I
>> think it makes sense), I would love to see it support Federation,
>> so I can give my prekeys to a server I control, and not rely on the
>> prekey server you run. [1]  However, as elijah pointed out [2], my
>> concern goes away if we can check a signature on the prekey from a
>> longterm key we trust.  That key could be PGP, or an Identity Key
>> for OTR.
>
> Even if the keys are signed, forward secrecy can be lost if the server
> misbehaves. (This may require the cooperation of the chat server or a
> network attacker if the chat server's separate from the prekey server.)
>
> Attack: The server hands out a prekey and then keeps the encrypted
> message instead of delivering it to the recipient.

The prekey server is not necessarily the server who receives the
message however.  (Moxie's prekey server doesn't receive the messages
at all.)  The messages are delivered to the XMPP server if the contact
is offline, or in the case of SMS, stored by the telco.

> The recipient
> doesn't know the prekey has been used and therefore doesn't delete the
> corresponding private key, which may be recovered at a later time,
> breaking forward secrecy.

What I said above notwithstanding, messages encrypted to prekeys
definitely do not have as much 'forward secrecy' as others.
Rephrasing your attack, if Alice sends a message to Bob encrypted to a
prekey, the government-run telco pauses the SMS in transit, and then
compels Bob to hand over the private key, which Bob is hanging onto
waiting to receive a message encrypted to it.

> Defence: The recipient numbers the prekeys before signing them. The
> server should hand them out in order, and should deliver the encrypted
> messages to the recipient in order. If the recipient receives a
> message out of order, all older private keys are deleted and the user
> is alerted.

This makes me nervous.  Just like UDP, I don't believe there's any
guarantee that SMS messages sent first will arrive first.  Similarly for XMPP.

> Attack 2: A malicious sender requests a prekey from the server and
> then doesn't send an encrypted message. The server can't deliver any
> subsequent messages without triggering an alert.

That one's pretty bad - a problem with the prekey approach is if
someone denial-of-services a user's prekeys, in Moxie's design, the
server will send a last-ditch, reused, key to all future recipients,
until it is restocked with prekeys.

-tom

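As an added example (not code from ChatSecure, TextSecure or any Guardian Project component), here is the recipient-side bookkeeping for the numbered-prekey defence above, with the transport-reordering objection and attack 2 played through; the class and function names are hypothetical and the key bytes are constructed stand-ins.

```python
"""Recipient-side bookkeeping for numbered prekeys, modelling the defence
from the thread: deliver in order, delete older keys on a gap, alert the user.
Added example; names are hypothetical and key material is constructed."""
from dataclasses import dataclass, field


@dataclass
class PrekeyStore:
    private_keys: dict            # index -> private key material (constructed)
    next_expected: int = 0        # lowest prekey index not yet consumed
    alerts: list = field(default_factory=list)

    @classmethod
    def generate(cls, count):
        # Stand-in for real one-time key generation: index -> bytes.
        return cls({i: f"sk{i}".encode() for i in range(count)})

    def receive(self, index):
        """Handle a message encrypted to prekey `index`; return the private
        key needed to decrypt it, or None if that key was already deleted.
        Per the proposed defence, any index other than the next expected one
        is 'out of order': every older key is deleted and the user alerted."""
        if index != self.next_expected:
            self.alerts.append(f"expected prekey {self.next_expected}, got {index}")
        for i in [i for i in self.private_keys if i < index]:
            del self.private_keys[i]          # older keys can no longer be recovered
        self.next_expected = max(self.next_expected, index + 1)
        return self.private_keys.pop(index, None)


def in_order_delivery():
    """Server hands out prekeys 0..3 and delivers messages in order: no alerts."""
    store = PrekeyStore.generate(4)
    decryptable = all(store.receive(i) is not None for i in range(4))
    return decryptable, store.alerts


def reordered_transport():
    """Tom's objection: SMS/XMPP deliver message 1 before message 0. The
    defence treats the swap as an attack, so the honest message to prekey 0 is lost."""
    store = PrekeyStore.generate(4)
    late_ok = store.receive(1) is not None   # alert raised, key 0 deleted
    early_ok = store.receive(0) is not None  # False: key 0 is already gone
    return late_ok, early_ok, len(store.alerts)


def prekey_exhaustion_dos():
    """Attack 2: a sender consumes prekey 0 without sending anything; the next
    honest message (to prekey 1) still decrypts but trips the alert."""
    store = PrekeyStore.generate(4)
    honest_ok = store.receive(1) is not None
    return honest_ok, store.alerts
```

Run the three scenario functions to see which deliveries decrypt and which raise alerts; the reordering case shows why an unreliable transport turns the defence into self-inflicted message loss.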