Commit 27f5c25f authored by Matthew Hodgson's avatar Matthew Hodgson
Browse files

incorporate review from vdh & luca

parent f8abaf9e
...@@ -271,12 +271,13 @@ future research. ...@@ -271,12 +271,13 @@ future research.
(also called 'future secrecy' or 'post-compromise security') is the property (also called 'future secrecy' or 'post-compromise security') is the property
that if current private keys are compromised, an attacker cannot decrypt that if current private keys are compromised, an attacker cannot decrypt
future messages in a given session. In other words, when looking future messages in a given session. In other words, when looking
**backwards** into the past at a compromise, messages sent since the compromise **backwards** in time at a compromise which has already happened, **current**
will be secret. messages are still secret.
By itself, Megolm does not posess this property: once the key to a Megolm By itself, Megolm does not possess this property: once the key to a Megolm
session is compromised, the attacker can decrypt any future messages sent via session is compromised, the attacker can decrypt any message that was
that session. encrypted using a key derived from the compromised key or any following
ratchet values.
In order to mitigate this, the application should ensure that Megolm sessions In order to mitigate this, the application should ensure that Megolm sessions
are not used indefinitely. Instead it should periodically start a new session, are not used indefinitely. Instead it should periodically start a new session,
...@@ -288,17 +289,17 @@ with new keys shared over a secure channel. ...@@ -288,17 +289,17 @@ with new keys shared over a secure channel.
### Partial Forward Secrecy ### Partial Forward Secrecy
[Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy) [Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
is the property that if the current private keys are compromised, an attacker (also called 'perfect forward secrecy') is the property that if the current
cannot decrypt *past* messages in a given session (unless past private keys private keys are compromised, an attacker cannot decrypt *past* messages in
are retained). 'Perfect forward secrecy' means that no past keys are retained. a given session. In other words, when looking **forwards** in time towards a
'Partial forward secrecy' means that some past key data may be retained. In potential future compromise, **current** messages will be secret.
other words, when looking **forwards** into the future at a potential
compromise, messages sent prior to the compromise will be secret. In Megolm, each recipient maintains a record of the ratchet value which allows
them to decrypt any messages sent in the session after the corresponding point
In Megolm, each recipient maintains a record of the ratchet value which allows them to in the conversation. If this value is compromised, an attacker can similarly
decrypt any messages sent in the session after the corresponding point in the decrypt past messages which were encrypted by a key derived from the
conversation. If this value is compromised, an attacker can similarly decrypt compromised key or any following ratchet values. This gives 'partial'
those past messages. forrward secrecy.
To mitigate this issue, the application should offer the user the option to To mitigate this issue, the application should offer the user the option to
discard historical conversations, by winding forward any stored ratchet values, discard historical conversations, by winding forward any stored ratchet values,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment