[briar-devel] Multiple devices per user
From: Michael R. <m-...@gm...> - 2012-03-20 18:47:38
Hi all,

Here's a sketch of how I propose to handle multiple devices per user. I'd be interested to hear how it meshes with your expectations of how people will use Briar. And as always, I'd love to hear about any security holes or improvements you can spot.

Goals:

* A user should be able to install Briar on multiple devices and use any of those devices to communicate with her contacts.
* A new device should be able to communicate with its owner's contacts' existing devices immediately.
* Communication between the new device and existing devices should maintain the usual obfuscation and security properties.

Overview of the solution:

* Each user's devices form a tree.
* The user's first device is the root of the tree.
* A new device is added by transferring some key pairs and other information from one of the owner's existing devices, which becomes the new device's parent in the tree.
* Each device creates key pairs for its next child before the child is added, and gossips the public keys to the owner's other devices and the owner's contacts' devices.
* When a device is added, its public keys have already been distributed (or are already being distributed) by its parent. It inherits the private keys from its parent, which then destroys its copies of the private keys.
* The parent then creates key pairs for its next child, while the child creates key pairs for its own first child. The public keys are gossipped as before.
* A device that has been added is called an existing device. A device that hasn't yet been added, but for which key pairs have been created, is called a future device.
* If Alice and Bob are contacts, there's a key pair for each directed pair (i, j) of their existing and future devices. Each private key is held on a single device, while the public keys are gossipped to all of Alice and Bob's devices.
* Any existing device, d1, belonging to Alice can derive the secret it shares with any present or future device, d2, belonging to Bob by combining the private key (d1, d2) with the public key (d2, d1).
* Likewise, d2 can combine the private key (d2, d1) with the public key (d1, d2) to derive the same shared secret.
* To ensure forward secrecy, the devices derive one-way sequences of secrets from their initial shared secret, just as they would if they'd been introduced directly.
* Encryption, authentication and tag keys for each connection are derived from the one-way sequences of secrets.
* The forward secrecy periods for connections between all of Alice and Bob's devices are rooted in time at the moment when Alice and Bob exchanged invitations. (Open problem: how should the moment be communicated to all of Alice and Bob's existing and future devices?)

Any thoughts?

Cheers,
Michael
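The key-pair bookkeeping sketched above, as an added simulation that is not part of the original post or of Briar's code: a toy Diffie-Hellman group stands in for the unnamed key agreement, each root creates pairs for itself and one future child, and the checks confirm that a freshly added child derives the same secret as the contact's device while the parent no longer holds the child's private keys. The `b"next"` hash chain and the `enc`/`auth`/`tag` labels are assumptions, not Briar's actual derivation.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (Mersenne prime, small generator): it shows the key-ownership
# model, not a secure choice; the post does not name Briar's actual primitives.
P, G = 2**127 - 1, 5
PUBLIC = {}  # gossiped public keys, (from_device, to_device) -> public key, visible to all

class Device:
    def __init__(self, dev_id):
        self.dev_id = dev_id
        self.priv = {}  # (from_device, to_device) -> private key, held on this device only
    def create_pairs(self, for_device, peers):
        """Create key pairs for directed pairs (for_device, peer). for_device may be a
        future child; its private keys stay here until that child is added."""
        for peer in peers:
            priv = secrets.randbelow(P - 2) + 1
            self.priv[(for_device, peer)] = priv
            PUBLIC[(for_device, peer)] = pow(G, priv, P)
    def add_child(self, child):
        """Hand the child's private keys over, then destroy the parent's copies."""
        child.priv = {k: v for k, v in self.priv.items() if k[0] == child.dev_id}
        for k in child.priv:
            del self.priv[k]
    def shared_secret(self, peer):
        """Combine private key (self, peer) with the gossiped public key (peer, self)."""
        priv, pub = self.priv[(self.dev_id, peer)], PUBLIC[(peer, self.dev_id)]
        return hashlib.sha256(pow(pub, priv, P).to_bytes(16, "big")).digest()

def connection_keys(initial_secret, period):
    """Advance the one-way secret sequence `period` steps, then derive the connection
    keys; a device keeping only the current secret cannot recompute earlier ones."""
    s = initial_secret
    for _ in range(period):
        s = hashlib.sha256(b"next" + s).digest()
    return {k: hmac.new(s, k, hashlib.sha256).digest() for k in (b"enc", b"auth", b"tag")}

def demo():
    """A1 and B1 (roots) create pairs for themselves and one future child each (A2, B2);
    Alice then adds A2, which can talk to B1 immediately."""
    a1, b1, a2 = Device("A1"), Device("B1"), Device("A2")
    for d in ("A1", "A2"):
        a1.create_pairs(d, ("B1", "B2"))
    for d in ("B1", "B2"):
        b1.create_pairs(d, ("A1", "A2"))
    a1.add_child(a2)
    same = a2.shared_secret("B1") == b1.shared_secret("A2")
    parent_cleaned = not any(k[0] == "A2" for k in a1.priv)
    return same, parent_cleaned
```

The simulation stops at the handover; in the scheme above A1 would then create pairs for its next child and A2 for its own first child, gossiping the new public keys.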