Skip to content

GitLab

  • Menu
Projects Groups Snippets
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • briar briar
  • Project information
    • Project information
    • Activity
    • Labels
    • Planning hierarchy
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 785
    • Issues 785
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 8
    • Merge requests 8
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • briar
  • briarbriar
  • Issues
  • #901

Closed
Open
Created Jan 23, 2017 by akwizgran@akwizgranOwner

Improve key binding in contact exchange protocol

The contact exchange protocol provides the following guarantees:

  • Each party knows that the ephemeral and identity public keys she received are owned by the other party
  • Each party knows that the ephemeral and identity public keys she received were used by the other party in the same run of the protocol - in other words it binds each party's ephemeral key pair to the same party's identity key pair and vice versa
  • Each party knows that the ephemeral public key she received was used by the other party in the current run of the protocol - in other words it binds the parties' ephemeral key pairs to each other

To achieve this, each party uses her identity key pair to sign a nonce derived from the ephemeral shared secret, and authenticates the signed nonce using a symmetric key derived from the ephemeral shared secret.

Each party knows that the nonce she received is fresh, as it depends on her own ephemeral key pair, so the nonce itself proves that the other party owns the ephemeral public key received by the first party, while the signature proves that the other party owns the identity public key received by the first party.

The nonce is unique to this combination of ephemeral key pairs, so the signature represents a claim by the owner of the received identity public key that she took part in a protocol run involving both ephemeral key pairs. Authenticating the signed nonce with a symmetric key derived from the ephemeral shared secret represents a claim by the owner of the received ephemeral public keys that she took part in a protocol run involving both ephemeral key pairs and the identity key pair.

As far as I can tell, this construction is secure and achieves what we need, but it's unnecessarily convoluted. The binding and proof of ownership that's achieved by signing nonces could be achieved more straightforwardly by signing public keys:

  • Each party signs both parties' ephemeral public keys and timestamps using her identity key pair
  • Each party authenticates both parties' identity public keys, ephemeral public keys and timestamps, using a symmetric key derived from the ephemeral shared secret

If we're not concerned with deniability, each party can sign both parties' identity public keys, ephemeral public keys and timestamps. But as far as I can see, we get all the assurance we need without doing this.

Related to #902 (closed).

Edited Nov 19, 2020 by Cleopatra
Assignee
Assign to
Time tracking