
Re: Forward secrecy in spiped



On Thu, Apr 24, 2014 at 4:04 PM, Colin Percival <cperciva@tarsnap.com> wrote:
> If you receive y=1 from a protocol-compliant endpoint, it is running with
> FPS turned off.

You're right. I had to think for a bit to come up with a proof -- for
anyone else who is wondering, it follows from there being no
non-trivial square roots of unity mod p for prime p, and from the fact
that we're working in the group of quadratic residues mod p.

> Protocol non-compliant endpoints could hardcode other values, e.g., y=2,
> which would also have the effect of breaking FPS, but of course non-compliant
> endpoints could do all sorts of things to deliberately leak keys.

Yeah, there's not much we can do to prevent that.

> It's certainly plausible as an anti-foot-shooting mechanism.  It doesn't gain
> you any theoretical security (since it can be circumvented), but it might still
> be useful in practice.
>
> Want to send me a patch?

Sure, I can take a crack at it. I'll let you (and the list) know when
I have something.

-- Fred
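To make the argument in the reply above concrete, here is an added example (not code from the thread or from spiped) using a constructed toy safe prime p = 23 in place of the large group spiped actually uses, with g = 4 as a generator of the quadratic-residue subgroup. It checks that the only square root of unity inside that subgroup is 1, that no secret exponent in 1..q-1 produces y = 1, and then classifies a received DH value the way a receiver could: out of the subgroup, FPS disabled (y = 1), or FPS enabled.

```python
# Toy safe-prime Diffie-Hellman group: p = 2q + 1 with p and q prime.
# Values below are constructed for illustration, not spiped's parameters.
P_TOY = 23          # safe prime: 23 = 2 * 11 + 1
G_TOY = 4           # 4 = 2^2, so it is a quadratic residue mod 23


def is_prime(n):
    """Trial division; fine for toy-sized numbers."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def quadratic_residues(p):
    """The subgroup of squares mod p; for a safe prime it has prime order q."""
    return sorted({pow(a, 2, p) for a in range(1, p)})


def square_roots_of_unity_in_qr(p):
    """Elements y of the QR subgroup with y^2 == 1.  -1 is a root of unity
    mod p, but for a safe prime p = 3 mod 4 it is not a residue, so only 1
    survives: the subgroup has no element of order 2."""
    return [y for y in quadratic_residues(p) if (y * y) % p == 1]


def dh_public_values(g, p):
    """Map every exponent x in [0, q) to g^x mod p.  Only x = 0 gives 1,
    because the subgroup has prime order q."""
    q = (p - 1) // 2
    return {x: pow(g, x, p) for x in range(q)}


def classify_peer_value(y, p):
    """Receiver-side view of a peer's DH value.
    'invalid'  : not in [1, p-1] or not in the order-q subgroup
    'fps-off'  : y == 1, which a compliant peer only sends with FPS disabled
    'fps-on'   : any other subgroup element (exponent in 1..q-1)"""
    q = (p - 1) // 2
    if not 1 <= y <= p - 1 or pow(y, q, p) != 1:
        return "invalid"
    if y == 1:
        return "fps-off"
    return "fps-on"


if __name__ == "__main__":
    assert is_safe_prime(P_TOY)
    print("square roots of unity in QR:", square_roots_of_unity_in_qr(P_TOY))
    print("exponents giving y=1:",
          [x for x, y in dh_public_values(G_TOY, P_TOY).items() if y == 1])
    for y in (1, 4, 22, 5):
        print(y, "->", classify_peer_value(y, P_TOY))
```

Note that the classifier only detects the protocol-compliant case; as the thread says, a peer that deliberately hardcodes some other fixed residue is indistinguishable from one using a fresh exponent.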