Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Olm
Project overview
Project overview
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
matrix-org
Olm
Commits
f8abaf9e
Commit
f8abaf9e
authored
Jun 18, 2019
by
Matthew Hodgson
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
explicitly define backward & forward secrecy
as it repeatedly trips people up, including me
parent
a18a4e8e
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
19 additions
and
3 deletions
+19
-3
docs/megolm.md
docs/megolm.md
+19
-3
No files found.
docs/megolm.md
View file @
f8abaf9e
...
...
@@ -267,8 +267,16 @@ future research.
### Lack of Backward Secrecy
Once the key to a Megolm session is compromised, the attacker can decrypt any
future messages sent via that session.
[
Backward secrecy
](
https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy
)
(also called 'future secrecy' or 'post-compromise security') is the property
that if current private keys are compromised, an attacker cannot decrypt
future messages in a given session. In other words, when looking
**backwards**
into the past at a compromise, messages sent since the compromise
will be secret.
By itself, Megolm does not posess this property: once the key to a Megolm
session is compromised, the attacker can decrypt any future messages sent via
that session.
In order to mitigate this, the application should ensure that Megolm sessions
are not used indefinitely. Instead it should periodically start a new session,
...
...
@@ -279,7 +287,15 @@ with new keys shared over a secure channel.
### Partial Forward Secrecy
Each recipient maintains a record of the ratchet value which allows them to
[
Forward secrecy
](
https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy
)
is the property that if the current private keys are compromised, an attacker
cannot decrypt
*past*
messages in a given session (unless past private keys
are retained). 'Perfect forward secrecy' means that no past keys are retained.
'Partial forward secrecy' means that some past key data may be retained. In
other words, when looking
**forwards**
into the future at a potential
compromise, messages sent prior to the compromise will be secret.
In Megolm, each recipient maintains a record of the ratchet value which allows them to
decrypt any messages sent in the session after the corresponding point in the
conversation. If this value is compromised, an attacker can similarly decrypt
those past messages.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
