| I'm looking at libaxolotl-c.
I'm a little bit disturbed about perfect forward/future secrecy.
Perfect forward secrecy ensures that a session key cannot be compromised if a long-term key is compromised in the future.
With something like OTR, even if a session key is compromised at n, the session keys at n-1 or n+1 will not be compromised. Here we have perfect forward/future secrecy. If I take a look at Axolotl, in the scenario where Alice sends a message to Bob while Bob is offline (1), (2):

    MK = HMAC-HASH(CKs, "0")                              // (3)
    msg = Enc(HKs, Ns || PNs || DHRs) || Enc(MK, plaintext)
    Ns = Ns + 1
    CKs = HMAC-HASH(CKs, "1")                             // (4)
    return msg

We can see that Alice re-uses CKs to get a new symmetric key.
So if an attacker gets CKs(n), he could easily compute CKs(n+1).
CKs is not a long-term key, but we cannot honestly call this _perfect_ future secrecy...
One more thing: if I remember correctly, according to the definition of perfect forward secrecy, an implementation must NOT re-use a previous session key to derive a new one... Am I wrong?

(1) Quoted from https://github.com/trevp/axolotl/wiki
(2) See session_cipher_get_or_create_message_keys (https://github.com/WhisperSystems/libaxolotl-c/blob/0640b5ac...)
(3) I think we should read MK = HKDF(HMAC-HASH(CKs, 0x00)); see ratchet_chain_key_get_message_keys (https://github.com/WhisperSystems/libaxolotl-c/blob/0640b5ac...)
(4) I think we should read MK = HMAC-HASH(CKs, 0x02); see ratchet_chain_key_create_next (https://github.com/WhisperSystems/libaxolotl-c/blob/0640b5ac...) |
I am not a cryptographer.
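To make the property the post is worrying about concrete, here is an added simulation of the symmetric chain step exactly as the wiki pseudocode quoted above writes it; this is example code, not libaxolotl-c's, and the choice of SHA-256 as the HMAC hash and of a fixed 32-byte starting chain key are assumptions of the example.

```python
import hmac
import hashlib

# Seeds as in the wiki pseudocode quoted in the post; the hash (SHA-256)
# and the 32-byte starting chain key used below are assumptions of this example.
MESSAGE_SEED = b"0"
CHAIN_SEED = b"1"
HASH = hashlib.sha256


def message_key(chain_key: bytes) -> bytes:
    """MK = HMAC-HASH(CKs, "0"): the per-message key derived from the chain key."""
    return hmac.new(chain_key, MESSAGE_SEED, HASH).digest()


def next_chain_key(chain_key: bytes) -> bytes:
    """CKs = HMAC-HASH(CKs, "1"): the chain key is replaced by a one-way step."""
    return hmac.new(chain_key, CHAIN_SEED, HASH).digest()


def run_chain(ck0: bytes, n: int):
    """Step the sending chain n times; return (CK0..CKn, MK0..MK(n-1))."""
    cks, mks = [ck0], []
    for _ in range(n):
        mks.append(message_key(cks[-1]))
        cks.append(next_chain_key(cks[-1]))
    return cks, mks


def derivable_from(leaked_chain_key: bytes, count: int) -> list:
    """All message keys an attacker holding CK(n) can compute: only by walking forward."""
    out, ck = [], leaked_chain_key
    for _ in range(count):
        out.append(message_key(ck))
        ck = next_chain_key(ck)
    return out


def compromise_split(ck0: bytes, total: int, leaked_index: int):
    """If CK(leaked_index) leaks, which of MK0..MK(total-1) are lost and which stay safe?"""
    cks, mks = run_chain(ck0, total)
    attacker = set(derivable_from(cks[leaked_index], total - leaked_index))
    lost = [i for i, mk in enumerate(mks) if mk in attacker]
    safe = [i for i, mk in enumerate(mks) if mk not in attacker]
    return lost, safe


if __name__ == "__main__":
    print(compromise_split(b"\x11" * 32, 6, 3))  # ([3, 4, 5], [0, 1, 2])
```

The split shows what the post is circling: a leaked CK(n) exposes MK(n) and every later key in that chain, but never MK(0..n-1), so the hash chain gives forward secrecy for earlier messages, while protection of later messages ("future" secrecy) comes only from the next DH ratchet step (the DHRs carried in msg) replacing the chain.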