[OTR-dev] OMEMO, PFS

Thijs Alkemade me at thijsalkema.de
Fri Nov 13 16:13:22 EST 2015


> On 13 nov. 2015, at 17:43, Greg Troxel <gdt at ir.bbn.com> wrote:
> 
> 
> Nathan of Guardian <nathan at guardianproject.info> writes:
> 
>> On Tue, Nov 10, 2015, at 04:15 PM, Greg Troxel wrote:
>>> 
>>> I am curious if anyone from OTR-land has comments about the pros and
>>> cons of OMEMO vs OTR.
>>> 
>>>  http://conversations.im/omemo/
>>> 
>>> In using smssecure as well as OTR, I notice an interesting property
>>> which is more about the implementation than the protocol, which is that
>>> keymat is stored persistently.  So after having an smssecure session
>>> with Alice (not her real name :-) in early June, and no texts since, I
>>> was able to send one just now, and have both of our devices still have
>>> the keymat and have it work.   Of course that means it has persisted in
>>> flash across reboots.
>> 
>> Are you sure it was persisting key material? I think the idea with OMEMO
>> is to support the Axolotl/TextSecure pre-key technique using XMPP
>> infrastructure. This means, you can create a valid session key without
>> the other party needing to be online.
> 
> I guess I need to go reread the protocol.  I don't understand how one
> can create a session key that is used to send a message to a
> perhaps-offline party can work unless the other party is persisting the
> key needed to decrypt.

The key is persisted on permanent storage (and potentially backed up multiple
times in unerasable locations), but the protocol is designed to make sure that
compromising a single ephemeral key has the smallest impact possible.

Suppose Bob's ephemeral keys are compromised by an attacker at a specific
time, then the attacker can decrypt all messages from Alice since the last
time Bob sent Alice a message before the compromise, up to (and including? I'm
not clear on that) the first time Bob sent a message after the compromise.
Once Bob sends a new message, the key material changes and the ephemeral key
becomes useless.

[1] probably explains this a lot better.

Prekeys have nothing to do with this; they are only used to create new
sessions when the other side is offline. Once the session is set up, they
shouldn't need to use each other's Prekeys again.

Regards,
Thijs

[1] = https://whispersystems.org/blog/advanced-ratcheting/
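The compromise window Thijs describes above can be made concrete with a small simulation. The following is an added example written for this archive page, not code from OMEMO, Axolotl/TextSecure, or any of the thread's participants. It models only the Diffie-Hellman "ping-pong" ratchet from [1]: a party generates a fresh ratchet key pair the first time it sends after seeing a new key from its peer, and discards the old private key. It deliberately omits the root-key and symmetric chain of the full protocol, and it makes three explicit simplifying assumptions: a toy DH group (the Mersenne prime 2^127 - 1 with generator 2, which is not a secure choice), a toy XOR stream cipher keyed from SHA-256, and synchronous in-order delivery so that no message is ever in flight under a rotated key. The initial key exchange is assumed to happen out of band, standing in for the prekey bootstrap. The attacker copies Bob's current ratchet private key at a fixed point and then tries every record on the wire; the result is exactly the window Thijs sketches, and in this model the first message Bob sends after the compromise is already outside it because it carries a fresh key (the message Bob sent under the stolen key before the compromise is inside it).

```python
import hashlib
import secrets

# Toy DH group, an assumption of this example only: 2^127 - 1 with generator 2.
# Real implementations use X25519 or similar; this is for illustration.
P = (1 << 127) - 1
G = 2


def dh_keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # DH is symmetric: DH(a, g^b) == DH(b, g^a). Hash the shared value to a key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def encrypt(key, counter, data):
    # Toy stream cipher for illustration: XOR with SHA-256(key || counter || block).
    # The global message index is used as the counter so keystreams never repeat.
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big") + bytes([block])).digest()
    return bytes(p ^ s for p, s in zip(data, stream))


decrypt = encrypt  # XOR with the same keystream inverts itself


class Party:
    """One side of a DH ping-pong ratchet (no root key or symmetric chain)."""

    def __init__(self, name, wire):
        self.name = name
        self.wire = wire               # shared list of records the attacker can read
        self.priv, self.pub = dh_keygen()
        self.peer_pub = None           # newest ratchet pubkey seen from the peer
        self.last_sent_to = None       # peer pubkey our last message was keyed against

    def send(self, plaintext):
        if self.peer_pub != self.last_sent_to:
            # Peer published a new key since we last sent: ratchet forward.
            # The old private key is dropped (a real implementation wipes it).
            self.priv, self.pub = dh_keygen()
        key = dh_shared(self.priv, self.peer_pub)
        idx = len(self.wire)
        rec = {"idx": idx, "sender": self.name, "sender_pub": self.pub,
               "receiver_pub": self.peer_pub, "ct": encrypt(key, idx, plaintext)}
        self.wire.append(rec)
        self.last_sent_to = self.peer_pub
        return rec

    def receive(self, rec):
        # Synchronous delivery assumption: the message is always keyed to our current key.
        assert rec["receiver_pub"] == self.pub, "message keyed to a key we no longer hold"
        key = dh_shared(self.priv, rec["sender_pub"])
        self.peer_pub = rec["sender_pub"]
        return decrypt(key, rec["idx"], rec["ct"])


def attacker_decrypt(stolen_priv, stolen_pub, wire):
    """Everything the attacker can recover from one stolen ratchet private key."""
    recovered = {}
    for rec in wire:
        if rec["sender_pub"] == stolen_pub:
            key = dh_shared(stolen_priv, rec["receiver_pub"])
        elif rec["receiver_pub"] == stolen_pub:
            key = dh_shared(stolen_priv, rec["sender_pub"])
        else:
            continue  # neither side of this DH used the stolen key
        recovered[rec["idx"]] = decrypt(key, rec["idx"], rec["ct"])
    return recovered


def simulate():
    wire = []
    alice, bob = Party("Alice", wire), Party("Bob", wire)
    # Initial keys exchanged out of band (constructed stand-in for prekeys).
    alice.peer_pub, bob.peer_pub = bob.pub, alice.pub
    # Constructed conversation; None marks the moment Bob's current key is stolen.
    script = [("A", b"hello"), ("A", b"second"), ("B", b"reply"), ("A", b"third"),
              ("A", b"fourth"), None, ("A", b"fifth"), ("B", b"sixth"), ("A", b"seventh")]
    stolen = None
    for step in script:
        if step is None:
            stolen = (bob.priv, bob.pub)
            continue
        who, text = step
        sender, receiver = (alice, bob) if who == "A" else (bob, alice)
        assert receiver.receive(sender.send(text)) == text
    recovered = attacker_decrypt(*stolen, wire)
    return {"exposed": sorted(recovered), "recovered": recovered, "total": len(wire)}


if __name__ == "__main__":
    result = simulate()
    print("messages on the wire:", result["total"])
    print("exposed to the attacker:", result["exposed"])
```

Messages 0 and 1 were keyed to Bob's first key, which he dropped when he replied, so they stay confidential (forward secrecy); messages 2 to 5 all involve the key that was later stolen; message 6 is Bob's first send after the compromise and already uses a fresh key, so it and everything after it are out of reach (future secrecy). The window would widen if Bob went a long time without sending, which is why the ping-pong matters.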



