incorporate review from vdh & luca

This commit is contained in:
Matthew Hodgson 2019-06-18 23:47:42 +01:00
parent f8abaf9e2f
commit 27f5c25fe8

View file

@ -271,12 +271,13 @@ future research.
(also called 'future secrecy' or 'post-compromise security') is the property
that if current private keys are compromised, an attacker cannot decrypt
future messages in a given session. In other words, when looking
**backwards** into the past at a compromise, messages sent since the compromise
will be secret.
**backwards** in time at a compromise which has already happened, **current**
messages are still secret.
By itself, Megolm does not posess this property: once the key to a Megolm
session is compromised, the attacker can decrypt any future messages sent via
that session.
By itself, Megolm does not possess this property: once the key to a Megolm
session is compromised, the attacker can decrypt any message that was
encrypted using a key derived from the compromised key or any following
ratchet values.
In order to mitigate this, the application should ensure that Megolm sessions
are not used indefinitely. Instead it should periodically start a new session,
@ -288,17 +289,17 @@ with new keys shared over a secure channel.
### Partial Forward Secrecy
[Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
is the property that if the current private keys are compromised, an attacker
cannot decrypt *past* messages in a given session (unless past private keys
are retained). 'Perfect forward secrecy' means that no past keys are retained.
'Partial forward secrecy' means that some past key data may be retained. In
other words, when looking **forwards** into the future at a potential
compromise, messages sent prior to the compromise will be secret.
(also called 'perfect forward secrecy') is the property that if the current
private keys are compromised, an attacker cannot decrypt *past* messages in
a given session. In other words, when looking **forwards** in time towards a
potential future compromise, **current** messages will be secret.
In Megolm, each recipient maintains a record of the ratchet value which allows them to
decrypt any messages sent in the session after the corresponding point in the
conversation. If this value is compromised, an attacker can similarly decrypt
those past messages.
In Megolm, each recipient maintains a record of the ratchet value which allows
them to decrypt any messages sent in the session after the corresponding point
in the conversation. If this value is compromised, an attacker can similarly
decrypt past messages which were encrypted by a key derived from the
compromised key or any following ratchet values. This gives 'partial'
forrward secrecy.
To mitigate this issue, the application should offer the user the option to
discard historical conversations, by winding forward any stored ratchet values,