This repository has been archived by the owner before Nov 9, 2022. It is now read-only.

We do not have perfect forward secrecy #707

Open
yaronyg opened this issue Apr 8, 2016 · 2 comments

Comments

@yaronyg
Member

yaronyg commented Apr 8, 2016

To actually connect two devices we use data from the discovery process to generate a secret that is then used with TLS PSK. Ideally we should be able to provide perfect forward secrecy. But the algorithm used to generate the PSK uses static entries based on the device's public keys. This means that an attacker can record a TLS session and if the attacker can later get one of the devices to give up its public key it should be possible to regenerate the secret and retrieve the session contents.

We were well aware of this threat when the discovery system was designed and our assumption was that we would use one of the TLS PSK cipher suites that provides perfect forward secrecy by introducing an extra set of ephemeral keys. Any of the ECDHE_PSK_* suites would do nicely.

The problem is that the version of OpenSSL used in JXcore is so old that it doesn't support any of those suites!

The only sane solution to this problem is to upgrade the OpenSSL version we use with JXcore to one that supports an appropriate cipher suite.

If anyone suggests adding perfect forward secrecy to the discovery protocol directly rather than using the existing facilities in OpenSSL please ask them to consider a different line of work than security. We already committed a grave sin by implementing the Discovery cryptographic protocol (we didn't have a choice, there is literally nothing available off the shelf to match it); extending it to support forward secrecy would just be irresponsible. This is a complex area and we need to take advantage of existing, well-tested code, not invent our own solutions.
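
The check the issue hinges on, "does the linked OpenSSL offer any ECDHE_PSK_* suite at all", as an added example that is not part of this issue or the project's code. It asks the OpenSSL that Python's ssl module links against (a stand-in for the OpenSSL bundled with JXcore, which this script cannot inspect) and sorts the PSK suites it knows into those that mix in an ephemeral DH secret and those keyed by the static PSK alone.

```python
"""Check whether the OpenSSL linked into this runtime offers PSK cipher suites
with forward secrecy (ECDHE_PSK_*), as opposed to static-PSK-only suites."""
import ssl

# OpenSSL cipher strings: "PSK" selects every PSK-keyed suite, "ECDHE-PSK"
# only the family that mixes an ephemeral ECDH secret into the session keys.
ALL_PSK = "PSK"
PFS_PSK = "ECDHE-PSK"
PFS_PREFIXES = ("ECDHE-PSK-", "DHE-PSK-")   # keys depend on ephemeral DH


def available_suites(cipher_string):
    """Return the TLS<=1.2 PSK suite names OpenSSL selects for cipher_string.

    An empty list means the linked OpenSSL knows no matching suite, which is
    the situation the issue describes for the OpenSSL bundled with JXcore.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:        # "No cipher can be selected": family unsupported
        return []
    # get_ciphers() also lists the TLS 1.3 suites unconditionally, so keep
    # only the PSK suites the cipher string actually selected.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and "PSK" in c["name"]]


def classify_psk_suites(names):
    """Split suite names into (forward-secret, static-PSK) lists."""
    pfs = [n for n in names if n.startswith(PFS_PREFIXES)]
    static = [n for n in names if n not in pfs]
    return pfs, static


def pfs_psk_report():
    """Summarise what this OpenSSL build can offer a TLS-PSK deployment."""
    pfs, static = classify_psk_suites(available_suites(ALL_PSK))
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "ecdhe_psk_supported": len(pfs) > 0,
        "forward_secret_suites": pfs,
        # With these, a recorded session is readable once the PSK leaks.
        "static_psk_suites": static,
    }


if __name__ == "__main__":
    for key, value in pfs_psk_report().items():
        print(f"{key}: {value}")
```

An empty `forward_secret_suites` list with a non-empty `static_psk_suites` list is exactly the "PSK but no forward secrecy" state the issue describes.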

@yaronyg
Member Author

yaronyg commented Jul 14, 2016

Once #741 is resolved then hopefully this bug goes away.

@yaronyg yaronyg added this to the V1 milestone Aug 3, 2016
@yaronyg
Member Author

yaronyg commented Aug 8, 2016

We either get this for free because we get the right cipher suite or we can't do it.

@yaronyg yaronyg added Node and removed 1 - Backlog labels Oct 6, 2016