Commit 0c741b075756fb759b5ce37c2a7ad3c248fcb9d8
oops! salsa20 not chacha20!
Dominic Tarr committed on 5/12/2015, 5:06:50 AMParent: 5de93e4ce725a6e903b42f3c38b3816316f9bf56
Files changed
| a-secure-secure-channel-(WIP).md | changed |
| a-secure-secure-channel-(WIP).md | ||
|---|---|---|
| @@ -42,9 +42,9 @@ | ||
| 42 | 42 | |
| 43 | 43 | `crypto_box` takes a message, a nonce, a public key and a private key. |
| 44 | 44 | `crypto_box(message, nonce, alice.public_key, bob.private_key)` which is decrypted by |
| 45 | 45 | `crypto_box_open(boxed, nonce, bob.public_key, alice.private_key)`. |
| 46 | -The message is encrypted with [chacha20 cipher, and authenticated with poly1305. There is no length delimitation so if you wish to transmit this message it must be framed, or have a fixed size, the other party requires the same nonce in order to perform the decryption so that must be provided some way (i.e. either by sending it along with the message, or by having a protocol for determining the next nonce) | |
| 46 | +The message is encrypted with salsa20 cipher, and authenticated with poly1305. There is no length delimitation so if you wish to transmit this message it must be framed, or have a fixed size, the other party requires the same nonce in order to perform the decryption so that must be provided some way (i.e. either by sending it along with the message, or by having a protocol for determining the next nonce) | |
| 47 | 47 | |
| 48 | 48 | Although it's described as Bob _encrypting to_ Alice ("Bob boxes the message to Alice") the encryption is not directional, and either Bob _or_ Alice can decrypt the message. This is because it derives a shared key in the manner of a diffie-helman key exchange, _not_ by encrypting a key to Alice's pub key (which would be an operation that Bob could not reverse). This has a surprising property if this is used as an authentication primitive: If an attacker gains Bob's private key, and knows Alice's key then they can not only impersonate bob to Alice (or anyone), but surprisingly they can impersonate _anyone_ to Bob (provided they know that public key)! |
| 49 | 49 | |
| 50 | 50 | This would make a compromise of his private key a decidedly schizophrenic experience for Bob! Although to other parties, Bob suddenly acting weird would be simple enough to diagnose - Bob has been hacked - but Bob may instead experience _everyone he knows_ suddenly going schizophrenic. This could potentially be more destructive than merely impersonating Bob. Hopefully loosing control of one's private keys is an extremely unlikely event, but the antics of bitcoin has certainly shown this is possible via a variety of avenues if attackers are sufficiently motivated. If it's reasonable to design a protocol to be forward secure (not leak information if keys are compromised) then it's reasonable to make other aspects of the protocol fail safely in the case of key compromise. |
Built with git-ssb-web