Hacker News new | past | comments | ask | show | jobs | submit login

Signal uses a form of Diffie-Hellman to generate a common key. That exchange has to be signed. So you know that your key is common with your correspondent. Without this signature you would have no way to know where a message came from, just like in the unsigned PGP case. Without this signature you would also be subject to MITM attacks (unlike the PGP case).

>What may have confused you is that Signal can eventually send Bob's expired authentication keys in cleartext.

Is this a new feature? Originally the decision was made to only allow correspondents to forge messages, not everyone as in the case of Off The Record.

If you signed a PGP message and did not encrypt it then you specifically wanted it to be possible for everyone to verify the signature. A trusted correspondent would not decrypt and release your signed message so the only time that would happen would be if your correspondent was compromised. In the Signal case you would have to claim that your trusted correspondent forged a message from you. That wouldn't really work.

In the case of an untrusted correspondent you would not want to sign your message at all or would sign it with a non-public identity. PGP allows you do do either.




> Signal uses a form of Diffie-Hellman to generate a common key. That exchange has to be signed. Without this signature you would have no way to know where a message came from, just like in the unsigned PGP case. Without this signature you would also be subject to MITM attacks (unlike the PGP case).

In what sense do you believe X3DH is "signed" ? Is this going to be more handwaving where you treat authenticated as "signed" just because that's how you'd do it in PGP ?

The recipient of a first X3DH message does know for sure it is from the sender, because they're the only one that could have performed the steps needed without the recipient's private keys.

But if (like the recipient) you know their private keys, you can just forge messages that are entirely plausible.

Consider an initial message purportedly from Alice to Bob but let's suppose we're Bob and we're forging it. How do we go about this?

We need to do three DH calculations. First one, is Alice's long term Identity crossed with Bob's prekey. Alice would do this by knowing her Identity private key, but we know Bob's private prekey, so we use that with Alice's public long term Identity.

Second one, Alice's ephemeral crossed with Bob's long term Identity. Alice would do that using her ephemeral private key, but we know Bob's private Identity key, so we use that with any key X.

Third one, Alice's ephemeral crossed with Bob's prekey. Alice would use her ephemeral private key again, but we know Bob's private prekey, so we use that with key X again.

We now have a secret key we can use to encrypt our forged message "from Alice" and we write key X into the headers where Alice would have written her public ephemeral. Our message is indistinguishable from genuine. Only Bob (who forged it) and Alice (who knows she didn't send it) know this is a forgery and neither of them can prove it.

> In the Signal case you would have to claim that your trusted correspondent forged a message from you. That wouldn't really work.

If the Secret Police are content that you are a Blasphemer or you plotted against the Emperor or whatever without proof, nothing would "really work", regardless of the technology used or not used. That's not interesting here because we can't do anything about it. If the Star Chamber will have you executed based on hearsay, that's just as true for literal whispers as for a Signal message.

In contrast PGP provides them with unshakeable proof even though it didn't need to.


From here:

* https://signal.org/docs/specifications/x3dh/

... I understand that the prekeys are signed. I will confess that I have no deep understanding of how everything works together. Signal protocol is somewhat baroque.


The (signed) prekeys are public information about a user, although unlike their long term Identity key the prekey is replaced periodically to help ensure Forward Secrecy. The signature means Alice knows she was given Bob's real public prekey and not a fake, but she doesn't get a different prekey (or signature) than Charlie or Deborah if they ask in roughly the same time period.

A loose equivalent in the OpenPGP world would be a user's temporary encryption keys, which may change sometimes while your signing key stays unchanged. I don't know how common this practice is today, I know it was common years ago. Clearly knowing Alice's most recent temporary encryption public key, signed by Alice's signing key, would not prove a message you showed me was from Alice.

> Signal protocol is somewhat baroque.

I agree it seems more complicated in principle than OpenPGP, although I think it's hard to make that argument for the practical deployment of OpenPGP because of the complexity of delivering compatibility.

But Signal's complexity has a specific purpose. For example those three DH pairs are combined together with a KDF so that 1. Bob learns whether the message is really from Alice (assuming Bob is not the protagonist of the movie Memento and so remember if he forged the message); 2. Alice knows the message can only be received by Bob (to the extent she verified Bob's identity, which is an out-of-band problem), and 3. A fresh random Forward Secret key is used for the conversation. Three desired properties, run DH three times.

It is definitely possible that cryptographers will come along and say "Oh, we can do this in a single function" and write like fifty pages of difficult maths and one day we get a replacement for Signal with "simpler" (although like Elliptic Curve maybe not simpler to explain) cryptography than this. Definitely possible, but these moving parts all have a purpose AFAIU today.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: