RFC : Integrate automated RSA key distribution that reinforces all our elliptic curve based crypto #142
Comments
|
From a security point of view I think this is unrelated to the reasons people would be uncomfortable with Pond. In my mind it's nothing to do with the primitives used for signing, it's just the fact that it's new code, has a couple of new protocol approaches and an (optional) new key exchange paradigm. I honestly don't think you've thought this through. It would be a huge amount of work, effectively double the complexity of the core protocols, moots what I would argue are insane-person key sizes, and still doesn't address the bootstrapping issue of adding a contact. (Tying identities at the pondserver to GPG keys means a server compromise would be a security consideration.) Communicating with Pond has very different linkability characteristics when compared with communicating via GPG, which is a design goal. IMHO nothing good can come of blurring that line. It definitely wouldn't require a libgcrypt dependency, though. Everything you talked about is trivial with native Go. |
|
I'm still mulling this all over myself, thanks for weighing in and pointing out that crypto/rsa and crypto/x509 make libgcrypt irrelevant. :)
Not really. The protocol would remain mostly the same. And must remain completely backwards compatible. There are three options for the protocol modification :
In all cases, the RSA protections on a message must be entirely optional for backwards compatibility, but if they ever appear and then later disappear, then a warning would be displayed on the messages and the disappearance would be logged as a contact event.
The new RSA data would be transmitted inside pond messages, making it encrypted using pond's ratchet key and invisible to the server. No changes to the server code are proposed here. |
|
Sorry, but now this seems to make even less sense. If people want to RSA sign inside a pond message they're completely free to do so ( just use a PEM signature block ). I can't see any upsides to connecting RSA keys OR "public" identities to the protocol itself. |
|
Yes, a user could protect individual pond message's text and attachments with GPG, the point is to protect the ratchet. One candidate workflow :
There is a lot more that Alice and Bob could do with this RSA key that they maybe should not do with their pond identity keys.
I'm happy to close this up now because (a) it does need more thought as you say and (b) I've learned what I wanted from it for now. I'm happy to hear if anyone else has comments of course. |
At present, pond.imperialviolet.org still warns :
Is it worth implementing a kind of "fallback" to RSA?
Thought : In the state file, we could store an 8192 bit RSA public key pair, and the RSA public keys for every contact. RSA key exchange would occur by attaching public key requests and/or the public keys themselves to messages. Pond messages would then carry an RSA signature of the ratchet values and users would be notified if a signature failed for a contact to whom they knew the RSA key. A user's RSA public key pair would be generated automatically, presumably by using libgcrypt, but conceivably they could import their existing GnuPG key or export the pond generated one for use with GnuPG or SSH.
Advantages : Safer against hick ups in elliptic curve cryptography. Improves security in the absence of good code review. Always nice to have a securely distributed GnuPG key lying around.
Disadvantages : Confuses users. Adds libgcrypt dependency. Adds complexity, making full review and other implementations harder. Cannot create an air gapped GnuPG key which might encourage insecurity through laziness.
What do people feel about this or similar? I have not succeeded in convincing myself that this would be worth doing, but I wanted to ask publicly for comments.
The text was updated successfully, but these errors were encountered: