Opened 7 years ago

Last modified 4 years ago

#1358 assigned enhancement

Bote, Perfect Forward Secrecy, Deniability

Reported by: user Owned by: str4d
Priority: major Milestone:
Component: apps/plugins Version:
Keywords: I2P-Bote security Cc:
Parent Tickets: Sensitive: no


It would be a huge win if we could have Bote have the properties of
Perfect Forward Secrecy and of Deniability/Malleability?, as we know from OTR.

In the background bote could send encrypted mails to peers in the addressbook and send them a time-limited and quantity-limited symmetric key, and sign it. the recipient confirms.
the key is cached until it a) expires or b) was used to its use limit.
When you want to send a bote mail, instead of signing it, you encrypt it with that symmetric key - since it is only known to sender and receiver it is as good as signing for the reciever, but no proof for third parties.
In case of contacts not in the addressbook, have option to send without these features or with, in case of with, the mail is held in suspense while the above provcess is executed in the backgournd. This can significantly delay the delivery in case of rarely connected peers and therefore a warnung must be displayed.



Change History (21)

comment:1 Changed 7 years ago by somewon

What you are describing is not mathematically possible, unfortunately. There is no such thing as a decryption key that expires in such a way that it can no longer decrypt data. For instance, a GPG key that "expires" is only a very "soft" limit - all it means is that users verifying signatures from that expired key will receive a warning message, but the signature still works and can still be verified.

Computers do not have a "hard" definition of "time." Any value of "what time it is" on a computer is unreliable and can be spoofed. Even if it isn't spoofed, conditions of any given specific time can be emulated, along with any other conditions necessary to derive the key from the given supplemental data - most especially if the desired time value is one that has already elapsed (in the case of certain timestamp hardening efforts, like perhaps a proof-of-work blockchain).

Therefore, an "expiring" symmetric key offers zero deniability or forward secrecy - if the initial asymmetric key(s) are compromised, the symmetric session keys are also available, even into the future, and will work perfectly fine for verifying and decrypting the session's cleartext. True forward secrecy requires an interactive, multi-part handshake such as a Diffie-Hellman Key Exchange which establishes a secure, symmetric key that is never actually transmitted, either in the clear or encrypted. It is also generated non-deterministically (partially randomly) and therefore cannot be easily emulated or recreated.

Even your own links explain this, though it is certainly difficult to follow, so I don't fault you.

As explained in your links, ring signatures could provide a certain degree of deniability, but not forward secrecy (as defined as message cleartext privacy even in the event of a private key compromise). But higher-level protocols in the Bote system would probably not have any trouble calculating and comparing hashes of sent/received messages, anyway (and probably already do), without the need for ring signatures.

All in all, what you are describing is simply not mathematically feasible at this time, except by exchanging a multitude of Bote messages as a lower level means of establishing a Diffie-Hellman exchange, which is indeed feasible, but fairly slow and inefficient, and would not be as secure (or ephemeral) if either party's computer rebooted at any point before the communication was completely halted.

comment:2 Changed 7 years ago by somewon

Resolution: invalid
Status: newclosed

comment:3 Changed 7 years ago by user

Resolution: invalid
Status: closedreopened

you have not fully understood the goal here.
the keys are ephimeral. you don't use them over a long time. and they are wiped after use.

deniability/malleability follows directly from the use of symmetric keys.
(Some define deniability in a different way. Here it refers to the fact that the receiver of a message cannot prove to a third party that the message was sent by a certain sender bote destination (you))

comment:4 Changed 7 years ago by somewon

I think one of us is misunderstanding something, then.

Let me explain this as I see it:

Consider the threat being secured against and the results of the proposed scheme. In our case, the primary threat is an observer (either passive or active) intercepting and presumably saving Bote ciphertexts. The scheme would hope to provide Forward Secrecy (defined as preserving message encryption keys indefinitely, even in the event of compromised private keys) and Deniability (defined as ensuring the integrity and authenticity of the message and its sender without the message data itself containing any demonstrable link to that sender).

You propose:

send them a time-limited and quantity-limited symmetric key

What I hoped to make clear is that such a key does not exist. There simply is not any such thing, at least not without relying on a centralized oracle of some kind that passes judgment on whether the key is currently valid or not (probably with some kind of multi-sig operation, like Shamir's).

Because the adversary has a saved record of all enciphered communications, they will always hold a copy of the symmetric key (perhaps encrypted to the recipient's public key, however), and there is no way to force them to delete it.

Likewise, the adversary also holds saved copies of all the following messages' ciphertexts, and can likewise not be forced to delete them. If they can gain access to the unecrypted symmetric key that was transmitted, they can then use it to decrypt their saved copies of the message ciphertexts that it was used for, at any time into the entire future.

So, even if the keys are "ephemeral," as long as they are in fact transmitted, they are essentially permanent. The same goes for the messages.

GPG uses a very similar scheme to encrypt its messages. A given message to be GPG-encrypted is symmetrically encrypted to a random key, and then a copy of the key is encrypted asymmetrically to each recipient's public key, and included with the symmetric ciphertext. However, this does not offer any kind of forward secrecy or deniability (in fact, it's rather like the opposite of those things).

That is the situation as I understand it. If I have misinterpreted your proposal at all, I would be corrected gladly. The goals for your idea are absolutely good ones and I, too, would like very much for them to be achieved.

comment:5 Changed 7 years ago by user

The idea is to use DH and AES for perfect forward secrecy.
For deniable authentication OTR uses MAC's.
But my current thinking - I may be totally wrong and blind now - is that if only two thwo parties know the key, the fact that the decypted mail is meaningful, already shows that it was encrypted with the correct key, i.e. the sender is who we think he is, ie. the mail is authenticated. If that does not suffice, then MACs could of course be added.

The difference between OTR and Bote in that respect is just the timeframes.

ps: if we go on signing the mail with our private keys, then the receiver can prove that a cipher text has come from us, and can then hsow that the cypher text decrypts to the plain text he has there. Thas making it extremely unlikely he has made up that text. Therefore we must use symmetric encryption here.

Last edited 7 years ago by user (previous) (diff)

comment:6 Changed 7 years ago by somewon

The idea is to use DH

DH doesn't work with asynchronous messaging. As a bare minimum, three messages must be sent back and forth to establish a shared secret with DH. There are other ephemeral keying schemes that can work with only a two-part handshake, but the problem is still the same: both sender and recipient must be online at the same time, and exchange multiple messages, in order to calculate a shared secret.

But my current thinking - I may be totally wrong and blind now - is that if only two thwo parties know the key, the fact that the decypted mail is meaningful, already shows that it was encrypted with the correct key, i.e. the sender is who we think he is, ie. the mail is authenticated.

That is correct, additional authentication would not be necessary.

ps: if we go on signing the mail with our private keys, then the receiver can prove that a cipher text has come from us, and can then hsow that the cypher text decrypts to the plain text he has there. Thas making it extremely unlikely he has made up that text.

This is true. Signing removes deniability, and so it is not desirable in all circumstances. However, knowledge of the symmetric key also removes deniability, for the same reason that it provides authentication. The only way that I know of to keep message authenticity while preserving deniability is how OTR does it, with some clever SIGMA hacks.

So unless I'm mistaken, it still seems that what you're proposing is not only infeasible, but would also not accomplish all of the goals you would like it to.

comment:7 Changed 7 years ago by user

Quite the opposite: Knowledge of the symmetric key does not remove deniability but increase it.
and I see no reason why you need to be online all the time while the messages are exchanged. They are simply messages. And one mail in each direction should suffice for establishment.

edit: fixed some nasty typos

Last edited 7 years ago by user (previous) (diff)

comment:8 Changed 7 years ago by user

without relays being used, considering curret delivery times, session establishment and sending the actual mail could be done in about an hour or little more. The process starts once bote starts up. Even with pidgin otr you only know that you were talking with the user you authenitcated, in the very moment of authentication, 5 minutes later someone else could be sitting at the computer. So that's what we have the local encryption for. when you send establish a secure session than the shared secret is saved encrypted or maybe not even that, but only kept in mem, and unlocked only once the user gets back to screen and enters the correct pw. Only then can he decrypt the mails he received or send authenticated mails. since the shared secret is then delete, this provides PFS
if you sign your messages you need for that, than authenticity is for the receiver as guaranteed as now, however since you never sign the actual mail packets, there is deniability

comment:9 Changed 7 years ago by user

the thing is how to accomodate those pieces into the current storage and retrieval scheme

comment:10 Changed 7 years ago by user

since we can still encrypt it additionally the way it is done right now (using the recipient's dest), without losing any of the above propperties, there wouldn't be a need to change anything wrt the storing of the bote mails.
(this refers just to encrypting the pre-encrypted mail and storing the packets, only the signing must be left out and the mail must have been pre-encrypted)

The shared secret could be calculated only when the user is in front of the screen.

Last edited 7 years ago by user (previous) (diff)

comment:11 Changed 7 years ago by user

ok, we'd want a MAC too.
Just relying on the fact that only the authentic peer really knows the encrpytion key is not secure.
So first check if the MAC matches when you receive a ciphertext, then if it does match, decrypt it and mark it as authentic, else drop it.

Also an interesting read:

comment:12 Changed 7 years ago by zzz

Owner: set to HungryHobo
Status: reopenedassigned

comment:13 Changed 7 years ago by str4d

Keywords: perfect forward secrecy deniability malleability removed

comment:14 Changed 7 years ago by user

Priority: minormajor

comment:15 Changed 6 years ago by user

Basically, this ticket should be renamed to: Incorporating Axolotl protocol into I2P-Bote.
It offers OTR features for asynchronous messaging and has pretty neat propperties.
However, it was not designed with a p2p infrastructure in mind. So especially the prekeys may need some thought.

comment:17 Changed 6 years ago by zzz

Thanks for the links. I'm no expert, but they appear to rebut many of somewon's objections e.g. "DH doesn't work with asynchronous messaging".

Note that this protocol requires a centralized prekey server, which, as you imply in comment 15 above, is problematic. You can't just spray them out to a DHT, because each prekey may only be used once. Maybe you need a blockchain of prekeys and "spend" them?

comment:18 Changed 6 years ago by zzz

It's also useful to evaluate our current Garlic ElG/AES+tags implementation in the router in the whisper systems terminology, especially 'ratchet', with the view of modifying/replacing it someday.

comment:19 Changed 6 years ago by user

I'm not a big fan of blockchains myself.
But yes, as you pointed out, the problem lies with the prekeys.
More precisely,

  • they need to be stored somewhere so they are available when the respective peer is offline
  • they must be used only once
  • they must be repopulated/refilled

We currently use the DHT to store mails and a distributed addressbook, so yes, it could also store the keys.
For fetched mail packets there are deletion packets that instruct the storage nodes to delete the mail packet. Something like this might be used to address point two. However, it does not guarantee its timely deletion.
To address 2 and 3, in my original proposal the "prekeys" were not stored on a server or in DHT, but exchanged directly between the two parties in a previous connection. This would however restrict you to sending a first mail only after the other side has received a reqest by you and answered to it. For all subsequent mails you would not have any problems.
But still, this is not ideal either. So maybe the delete keys or block chains should be looked at in more detail.

comment:20 Changed 5 years ago by zzz

Owner: changed from HungryHobo to str4d

comment:21 Changed 4 years ago by str4d

Migrated to - I will close these tickets as things are resolved rather than right now, but please make future comments on GitHub?.

Note: See TracTickets for help on using tickets.