New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Key privacy #72
Comments
We have to have a cryptographic instance which the trust relationship is built on after the initial (and for now personal) meeting. IMO that is the signing key. We could use many encryption keys, signed by the signing key and published on our storage for example (after time new keys are added and old ones are removed; sender has to choose one from storage each time he wants to encrypt something). So this would bring us forward secrecy. I will think about the signing and anonymity problem, right now I have no idea how to solve this, but as mentioned changing the signing key is no solution to me. Edit: Of course only partial forward secrecy depending on how often keys are changed |
When you say "signing key" do you mean the "signing sub-key" or the "primary key" in the language of https://github.com/Qabel/qabel-doc/wiki/Components-Crypto#multiple-key-pair-concept? The primary-key has to be long-term because trust is build on that key. The others could in principle be short-term. |
I meant the primary signing key. What do we need signing sub keys for if they are not ephemeral? Edit: Okay I see a reason, but only if they are just known to my contacts, that would help to gain key privacy if the primary signing key cannot be connected to them. And we define "key privacy" only for non-contacts or have different sub-signing keys for each contact. |
I believe the possibility to make them ephemeral was one of the reasons for the introduction of the signing sub-keys. @L-Henke? |
Yes. As long as the primary signing key remains the same, subkeys can be ephemeral... |
We need to decide on how and when to solve this. |
A solution could be a key-renew-protocol: First approach with real key privacy: Each contact gets an encrypted message with a sub signing key, which is only used to sign messages to him and a sub encryption key in a short interval (e.g every month):
Messages would look like this: A needs to store this: Second approach with key privacy for non-contacts: Wording: Each contact gets an encrypted message with a sub signing key and a sub encryption key in a short interval (e.g every month):
Messages would look like this: A needs to store this: That would lead to forward secrecy and key privacy (for all/for non-contacts) after every renewal interval. I know we don't want to reinvent every wheel but that is only an idea. In my view this decision should be made until beta, because as @schulze mentioned no contact is anonymous with our recent concept. |
I would prefer that we follow some existing protocol instead of trying to do our own stuff. Especially his boxes provide all the properties we need: https://github.com/trevp/noise/wiki/Noise-properties-and-protocol-comparisons#box-properties. The key privacy problems are killed just by switching from RSA to using ECC (as e.g. in the noise design). |
I'm in favour of ECC and the noise protocol is an easy solution for key privacy but we would lose the possibility to sign.. |
Can be closed when noise is merged and used for drop messages. |
This is now Qabel/qabel-core/issues/290 in the qabel-core repository. |
Our Abstract:
RSA OAEP ciphertext is not "key-private" http://iacr.org/archive/asiacrypt2001/22480568.pdf, and I think by encrypting Drop message-keys using a public encryption-key we are leaking communication patterns.
Much simpler: If somebody (a Drop server, or a local network attacker) can build a list of public signing-keys, it is not hard to check random Drop-message signatures against many different keys to identify the sender of the message.
A drop-in solution to the problem would be to change signing-keys and encryption-keys regularly.
I think the nicest solution would be, to derive "session-keys" in the initial key-exchange with a new contact and then use these keys for Drop-messages to this contact.
The text was updated successfully, but these errors were encountered: