6 comments

[ 1.7 ms ] story [ 22.5 ms ] thread
great blog entry, moxie et al. it is wonderful to see what i consider to be legitimate improvement in crypto protocols.

NOTE: i still think it's a really poor idea to assume that encrypting stuff on your mobile device / smartphone will actually protect you since every default mobile OS has, at a minimum, an OS-vendor installed backdoor.

This is great work. The previous two posts on this topic can be found here:

https://whispersystems.org/blog/simplifying-otr-deniability/

https://whispersystems.org/blog/asynchronous-security/

Is there any way to extend the protocol to allow multiple recipients? Right now the protocol seems to preclude group messaging.

Also, until TextSecure becomes very popular, it seems possible for an adversary to gather metadata of all TextSecure conversations via traffic analysis. As a simple example, imagine there are only four people using TextSecure: A, B, C, and D. Let's say A and B exchange several text messages within a few minutes. Then C and D exchange messages a few minutes later. Since A and B are talking to TextSecure's servers at about the same time, it can be inferred that they're texting eachother. C and D can be similarly pegged.

Until TextSecure becomes so popular that many messages per second are being sent, it seems possible to collect metadata on all users who exchange text messages in realtime. If both the sender and receiver have the TextSecure app open and are actively exchanging text messages, then they'll probably be the only mobile users communicating with TextSecure's servers within the same ~200ms interval.

This could be mitigated by generating cover traffic. Each user could download some fake data from the servers every few seconds. But this would drain battery life very quickly.

Are there any plans to defend against traffic analysis?

(I only bring this up because one of the goals of TextSecure is to obscure metadata from telcos, as stated in https://whispersystems.org/blog/simplifying-otr-deniability/)

"Group messaging" can be done by separately encrypting a message to each member of a group.

If you want resistance to traffic analysis check out Pond, which is also using this ratchet:

https://pond.imperialviolet.org

I have thought about this a lot. I think the only way to truly defend against traffic analysis is with regularly-spaced broadcast messages. This is complete anathema to mobile devices, where power is at a premium and radios shut down to save power. If you have any thoughts about what could be done about this, I would love to hear them.