[OTR-dev] Persisting userstate object across app restarts.
Ian Goldberg
ian at cypherpunks.ca
Mon Aug 11 20:19:30 EDT 2014
On Mon, Aug 11, 2014 at 08:12:52PM -0400, Greg Troxel wrote:
>
> Madhav V <madhav at avaamo.com> writes:
>
> > 3. Alice goes into the app. Bob and Alice apps establish a secure session.
> > The app persists the session on Alice's device.
> > The session is persisted on Bob's device as well.
> >
> > 4. Now Bob can send Alice messages even when her phone is switched off or
> > off the network or the app is in the background.
> >
> > 5. Alice's app can restore the session on restart or whenever necessary to
> > decrypt Bob's message.
>
> I can see why you want to do this, but it more or less breaks the
> Perfect Forward Secrecy property to write the encryption keys to other
> than RAM. So I would be concerned about this being labeled as OTR.
I agree with Greg. You're planning to store *session keys* in
persistent state? Please don't do that.
- Ian