Axolotl, an asynchronous cryptographic protocol with perfect forward secrecy for long-lived sessions

Transcript

1. @FredericJacobs

2. What? Security, simplified. TextSecure RedPhone

3. TextSecure

4. Protocols

5. We live asynchronously

6. Perfect Forward Secrecy

7. Perfect Future Secrecy

8. Deniability

9. General Approach Message Protocols Session protocols Examples : PGP, S/MIME

   ! Asynchronous ! Problems: Conversation Integrity, forward secrecy, deniability Examples: OTR, SSL, SSH ! Synchronous ! Short-lived session Axolotl Examples: TextSecure, Pond ! Asynchronous with all great features of short lived protocols ! Forward secrecy, deniability, conversation integrity …

10. Axolotl

11. Protocols WhatsApp iMessage Threema MTProto (Telegram) SCIMP (SilentText) Axolotl (TextSecure)

    OTR End-to-End Encryption No Yes (no control on key management) Yes Yes Yes Yes Yes PFS No No No No Yes Yes Yes Perfect Future Secrecy No No No No No Yes Yes Multi-Party Encrypted Chats No Yes Yes No Yes Yes No Multi-Device Encrypted Chats No Yes No No No Yes (not yet implemented ) No

12. Axolotl Outline • Basic features! • Authentication • Handshake •

     Forward-secrecy ratcheting • Advanced (not covered in this talk) • Multi-party • Multi-device

13. Contact Discovery

14. Authentication

15. TextSecure Server Prekey for Moxie? Ephemeral Prekey + Identity Key

    for Moxie

16. Handshaking

17. Moxie’s Identity Key My Identity Key Moxie’s ephemeral prekey My

    ephemeral key Shared Secret = HKDF(3-Way DH)

18. Ratcheting

19. OTR-Ratchet (three step ratchet)

20. SCIMP-Ratchet (hash-based ratchet)

21. OTR Ratchet Silent Circle Ratchet Excellent Perfect Forward & Future

    Secrecy Excellent Perfect Forward Secrecy. But if message key gets compromised, all future conversations will be compromised.

22. Axolotl-Ratchet

23. A leap into the future

24. Thanks Questions? Such Crypto Very Datalove Wow