incorporate review from vdh & luca
This commit is contained in:
parent f8abaf9e2f
commit 27f5c25fe8
1 changed file with 16 additions and 15 deletions
|
@ -271,12 +271,13 @@ future research.
|
||||||
(also called 'future secrecy' or 'post-compromise security') is the property
|
(also called 'future secrecy' or 'post-compromise security') is the property
|
||||||
that if current private keys are compromised, an attacker cannot decrypt
|
that if current private keys are compromised, an attacker cannot decrypt
|
||||||
future messages in a given session. In other words, when looking
|
future messages in a given session. In other words, when looking
|
||||||
**backwards** into the past at a compromise, messages sent since the compromise
|
**backwards** in time at a compromise which has already happened, **current**
|
||||||
will be secret.
|
messages are still secret.
|
||||||
|
|
||||||
By itself, Megolm does not posess this property: once the key to a Megolm
|
By itself, Megolm does not possess this property: once the key to a Megolm
|
||||||
session is compromised, the attacker can decrypt any future messages sent via
|
session is compromised, the attacker can decrypt any message that was
|
||||||
that session.
|
encrypted using a key derived from the compromised key or any following
|
||||||
|
ratchet values.
|
||||||
|
|
||||||
In order to mitigate this, the application should ensure that Megolm sessions
|
In order to mitigate this, the application should ensure that Megolm sessions
|
||||||
are not used indefinitely. Instead it should periodically start a new session,
|
are not used indefinitely. Instead it should periodically start a new session,
|
||||||
|
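Review bot: the rewritten paraphrase on the right-hand side ("**current** messages are still secret") no longer agrees with the definition two lines above it, which says an attacker "cannot decrypt future messages in a given session"; a reader can take "current" to mean messages at the moment of compromise rather than messages sent after it. Suggest "messages sent after the compromise are still secret" so the definition and its restatement use the same notion, or keep "future" in both places. The reworded Megolm paragraph ("any message that was encrypted using a key derived from the compromised key or any following ratchet values") is more precise about what is exposed than the old "any future messages sent via that session", and the "posess" to "possess" fix is correct.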
@ -288,17 +289,17 @@ with new keys shared over a secure channel.
|
||||||
### Partial Forward Secrecy
|
### Partial Forward Secrecy
|
||||||
|
|
||||||
[Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
|
[Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
|
||||||
is the property that if the current private keys are compromised, an attacker
|
(also called 'perfect forward secrecy') is the property that if the current
|
||||||
cannot decrypt *past* messages in a given session (unless past private keys
|
private keys are compromised, an attacker cannot decrypt *past* messages in
|
||||||
are retained). 'Perfect forward secrecy' means that no past keys are retained.
|
a given session. In other words, when looking **forwards** in time towards a
|
||||||
'Partial forward secrecy' means that some past key data may be retained. In
|
potential future compromise, **current** messages will be secret.
|
||||||
other words, when looking **forwards** into the future at a potential
|
|
||||||
compromise, messages sent prior to the compromise will be secret.
|
|
||||||
|
|
||||||
In Megolm, each recipient maintains a record of the ratchet value which allows them to
|
In Megolm, each recipient maintains a record of the ratchet value which allows
|
||||||
decrypt any messages sent in the session after the corresponding point in the
|
them to decrypt any messages sent in the session after the corresponding point
|
||||||
conversation. If this value is compromised, an attacker can similarly decrypt
|
in the conversation. If this value is compromised, an attacker can similarly
|
||||||
those past messages.
|
decrypt past messages which were encrypted by a key derived from the
|
||||||
|
compromised key or any following ratchet values. This gives 'partial'
|
||||||
|
forrward secrecy.
|
||||||
|
|
||||||
To mitigate this issue, the application should offer the user the option to
|
To mitigate this issue, the application should offer the user the option to
|
||||||
discard historical conversations, by winding forward any stored ratchet values,
|
discard historical conversations, by winding forward any stored ratchet values,
|
||||||
|
|
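Review bot: the new right-hand line "forrward secrecy." introduces a typo; it should read "forward secrecy." Also, the removed sentence "'Partial forward secrecy' means that some past key data may be retained." was the only place the section defined the term in its own heading, and the rewritten opening now equates forward secrecy with 'perfect forward secrecy', so "partial" is not explained until the closing quoted 'partial' after the Megolm paragraph. Suggest keeping a one-line definition of partial forward secrecy (some past key data may be retained) next to the heading so the term is defined before the Megolm paragraph relies on it.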