Hacker News new | past | comments | ask | show | jobs | submit login

> Do you mean that TextSecure may send encrypted messages to contacts who don't have it?

Of course not. The recipient would see unreadable ciphertext. What I'm saying is that SMS carries some metadata which identifies the message as coming from TextSecure. This enables one TextSecure client to detect the presence of another without the TextSecure-Server, and offer the option of establishing a secure session. In this case key exchange is performed over SMS.

I'm not sure I understand your first bullet point. The preimage space of what? In what way do you propose to use the entropy of text messages or call logs?




Thanks for replying. My bullet (2) was stupid. Hopefully bullet (1) makes sense.

TL;DR: TextSecure faces a key distribution problem. But texts messages are somewhat secret and are often already stored in each of Alice and Bob's phones. My assertion is these secrets authenticate Alice to Bob and Bob to Alice.

I mean currently it's easy to reverse a hash because there aren't many phone numbers (that was your point, wasn't it?). If you query WhisperSystems (WS) by hash(sender_number + recipient_number + date_sent + text_message), then the hash is much harder to reverse for any long text message. Alice and Bob can both compute the hash and discover whether the other has TextSecure because only they can query this hash to WS. Similarly, they can authenticate each other and exchange keys because only they know their past message history.

Obviously, you wouldn't use text history alone because someone may have been eavesdropping. But these distributed secrets would make WS know much less about its users and could help bootstrap the PKI in my opinion.


You're suggesting that the client submits a hash of the combination of the address (phone number) and something only a legitimate sender would know that has sufficient entropy to act as an effective salt value.

The problem I see with using text messages for that is that Alice and Bob very likely have not exchanged messages before. Or they have but those messages are no longer on the device because they have been deleted. Or Bob just bought a new device.

A variation of the idea is using the contact name. It's more reasonable to expect the sender to know the name and address of the recipient, but that has problems too: It would require the sender know the exact spelling of the recipients name (eg. Robert? Bob? Rob?) Also, while hash(name + address) is harder to crack than hash(address) it's not that hard for anyone who knows the value of address. The server knows this, so the server operator would be in a position to figure out names for nearly everyone. The server would also function as an oracle for anyone who knows a number and suspects a name, or knows a name and wants to scan for the number. That's even worse than allowing for enumeration of registered addresses.

Does that make sense or am I missing something?


Yes that's about it.

I disagree about the likelihood that messages or phone calls were exchanged prior to installing TextSecure. And restoring the SMS database after purchasing a new device is not impossible. But I agree that names and addresses wouldn't work, although I didn't suggest so.

My point was that it would improve on the status quo, at least for people you care most about (the ones you've talked to, the texts you didn't delete). And once the hashes are hard enough to reverse, you can have a federation of TS servers, because it becomes less risky to share them with an untrusted party. Maybe the improvement would only be marginal after all.

Anyway thanks for the discussion.


> restoring the SMS database after purchasing a new device is not impossible.

Neither is comparing key fingerprints, but 99% of users are unwilling to do so.

> Anyway thanks for the discussion.

Looking at the docs and blog posts may give you the impression that certain things are done, when in actuality they're not.

For example, the TextSecure-Server does include federation related code, but implementation is definitely not complete yet. It's not clear to me whether or not all design decisions have even been finalized yet.

I encourage you to write up your idea more formally and post it on the WhisperSystems mailing list. Just don't wait too long, or Moxie and his gang of contributors will just decide what to do and push working code before you know it!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: