Merge branch 'matthew/define-secrecy' into 'master'
explicitly define backward & forward secrecy See merge request matrix-org/olm!3
This commit is contained in:
Matthew Hodgson
commit
25662564d4
1 changed files with 23 additions and 6 deletions
|
|
@ -267,8 +267,17 @@ future research.
|
|||
|
||||
### Lack of Backward Secrecy
|
||||
|
||||
Once the key to a Megolm session is compromised, the attacker can decrypt any
|
||||
future messages sent via that session.
|
||||
[Backward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
|
||||
(also called 'future secrecy' or 'post-compromise security') is the property
|
||||
that if current private keys are compromised, an attacker cannot decrypt
|
||||
future messages in a given session. In other words, when looking
|
||||
**backwards** in time at a compromise which has already happened, **current**
|
||||
messages are still secret.
|
||||
|
||||
By itself, Megolm does not possess this property: once the key to a Megolm
|
||||
session is compromised, the attacker can decrypt any message that was
|
||||
encrypted using a key derived from the compromised or subsequent ratchet
|
||||
values.
|
||||
|
||||
In order to mitigate this, the application should ensure that Megolm sessions
|
||||
are not used indefinitely. Instead it should periodically start a new session,
|
||||
|
|
@ -279,10 +288,18 @@ with new keys shared over a secure channel.
|
|||
|
||||
### Partial Forward Secrecy
|
||||
|
||||
Each recipient maintains a record of the ratchet value which allows them to
|
||||
decrypt any messages sent in the session after the corresponding point in the
|
||||
conversation. If this value is compromised, an attacker can similarly decrypt
|
||||
those past messages.
|
||||
[Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
|
||||
(also called 'perfect forward secrecy') is the property that if the current
|
||||
private keys are compromised, an attacker cannot decrypt *past* messages in
|
||||
a given session. In other words, when looking **forwards** in time towards a
|
||||
potential future compromise, **current** messages will be secret.
|
||||
|
||||
In Megolm, each recipient maintains a record of the ratchet value which allows
|
||||
them to decrypt any messages sent in the session after the corresponding point
|
||||
in the conversation. If this value is compromised, an attacker can similarly
|
||||
decrypt past messages which were encrypted by a key derived from the
|
||||
compromised or subsequent ratchet values. This gives 'partial' forward
|
||||
secrecy.
|
||||
|
||||
To mitigate this issue, the application should offer the user the option to
|
||||
discard historical conversations, by winding forward any stored ratchet values,
|
||||
|
|
|
|||
Loading…
Reference in a new issue