Hi,
I could not find the reason why m4 would be the first secure message, since Bob uses the old ck_b_s for sending his message m4.
In the exercise it was explained that the new round trip has started in m1 and m2, so m4 can't be the start of the new round trip from Bob's perspective.

I have assumed that by "all the local secrets" it was meant that the attacker knows:
b (sampled before m1), rk1, g^ab, ck_B_s_1

When sending m3, a symmetric ratchet is performed - predictable by the attacker.

(ck_B_s_2, mk) = KDF(ck_B_s_1, "tag")

then a message from Alice is received - with a yet unknown sample of a' - and an asymmetric ratchet is performed (but only for the receiving key from Bob: ck_B_r_1):

(rk_3, ck_B_r_1) = KDF(rk, g^a'b)

Even these values would be predictable, because the attacker can see the message from Alice containing the new g^a', right?

Then m4 is sent, and since no new round trip can be started by Bob, he has to perform another symmetric ratchet.

(ck_B_s_3, mk) = KDF(ck_B_s_2, "tag")

That would be fully predictable again, since the attacker knows the ck_B_s_2 and knows the "tag".

I would say that only in m7, when a new round trip from Bob is started and Bob samples a new exponent b', are the messages secure again, since the attacker needs at least one fresh private exponent to decrypt the messages.

I have an additional question for the asymmetric ratchet step: in the slides, it seems like the old initial root key is used in every step, but I think that must be wrong, and it should be the newly generated root key instead of the old one. However, this would not change anything in this exercise, since the root key would not be used in the symmetric step that is performed in m4, right?

Thank you very much for taking the time to read my very long question. I would appreciate it if you could answer it and point out any mistakes or issues in my reasoning.

2 Answers

Hi,

This is a long question, let me try to go through it:

> since Bob uses the old ck_b_s for sending his message m4

Bob received the new sample (g^a') from A. As you correctly point out, this generates a new ck for receiving.
However, once B sends a new message, a new b is sampled, and then the new share is used to generate a new ck for sending.
Here, the asymmetric ratchet step is triggered by the receipt of the new share.

> I have assumed that by "all the local secrets" it was meant that the attacker knows: b (sampled before m1), rk1, g^ab,  ck_B_s_1

Correct.

> When sending m3, a symmetric ratchet is performed - predictable by the attacker.

No, as explained above.

> Even these values would be predictable, because the attacker can see the message from Alice containing the new g^a', right?

The attacker might obtain the new g^a', but not the new secret b' that will be sampled by B.

> it seems like the old initial root key is used in every step, but I think that must be wrong, and it should be the newly generated root key instead of the old one.

Nice catch! We should update that.

> However, this would not change anything in this exercise, since the root key would not be used in the symmetric step that is performed in m4, right?

An asymmetric step is performed, as explained above.

I hope this helps, if not, feel free to ask more questions.

Cheers,
Sebastian
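To make the answer above concrete, here is an added example (my code, not from the course slides or from Signal's own implementation): a minimal double ratchet in the thread's notation, with the attacker modelled as someone holding a verbatim copy of all of Bob's local secrets. It then sends a few more messages and records which of them the attacker can still read. The message labels are the example's own, not the numbering of the exercise. Assumptions that are mine and not the page's: DH is a toy group modulo the Mersenne prime 2^127-1 with generator 3 (insecure, for illustration only), both KDFs are HMAC-SHA256 with fixed labels, and the cipher is an HMAC keystream XOR plus a 16-byte HMAC tag so that a wrong message key fails loudly.

```python
# Added example, not course or Signal code: a minimal double ratchet in the
# thread's notation, replaying the case where all of Bob's local secrets leak.
#   (rk', ck) = KDF_rk(rk, g^xy)   asymmetric step, driven by a fresh DH share
#   (ck', mk) = KDF_ck(ck, "tag")  symmetric step, once per message
# Assumptions (mine): toy DH mod the Mersenne prime 2^127-1, generator 3
# (insecure, illustration only); HMAC-SHA256 KDFs; HMAC keystream XOR + tag.
import hashlib
import hmac
import secrets
from copy import deepcopy

P, G = (1 << 127) - 1, 3

def H(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keygen():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)                          # (x, g^x)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")    # g^xy as bytes

def kdf_rk(rk, shared):                             # (rk', ck) = KDF(rk, g^xy)
    return H(rk, b"rk" + shared), H(rk, b"ck" + shared)

def kdf_ck(ck):                                     # (ck', mk) = KDF(ck, "tag")
    return H(ck, b"chain"), H(ck, b"message")

def encrypt(mk, pt):
    ks = b"".join(H(mk, bytes([i])) for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return ct, H(mk, ct)[:16]

def decrypt(mk, ct, tag):
    if not hmac.compare_digest(H(mk, ct)[:16], tag):
        raise ValueError("wrong message key")
    return encrypt(mk, ct)[0]                       # XOR keystream is its own inverse

class Party:
    def __init__(self, rk, priv, pub, peer_pub):
        self.rk, self.priv, self.pub, self.peer_pub = rk, priv, pub, peer_pub
        self.ck_s = self.ck_r = None
        self.fresh_share_needed = True              # sample a new exponent before the next send

    def send(self, pt):
        if self.fresh_share_needed:                 # start a round trip: fresh exponent, new sending chain
            self.priv, self.pub = dh_keygen()
            self.rk, self.ck_s = kdf_rk(self.rk, dh(self.priv, self.peer_pub))
            self.fresh_share_needed = False
        self.ck_s, mk = kdf_ck(self.ck_s)           # one symmetric step per message
        return (self.pub, *encrypt(mk, pt))

    def receive(self, msg):
        pub, ct, tag = msg
        if pub != self.peer_pub:                    # peer started a round trip: new receiving chain
            self.peer_pub = pub
            self.rk, self.ck_r = kdf_rk(self.rk, dh(self.priv, pub))
            self.fresh_share_needed = True          # our next send answers with a fresh share
        self.ck_r, mk = kdf_ck(self.ck_r)
        return decrypt(mk, ct, tag)

class Attacker:                                     # holds a copy of Bob's state at compromise time
    def __init__(self, stolen_bob):
        self.bob = stolen_bob

    def read_alice_message(self, msg):              # needs g^{a'b}; b is stolen, so Eve can compute it
        try:
            return self.bob.receive(msg)
        except ValueError:
            return None

    def read_bob_message(self, msg):                # continue the stolen sending chain symmetrically
        _, ct, tag = msg
        ck, mk = kdf_ck(self.bob.ck_s)
        try:
            pt = decrypt(mk, ct, tag)
        except ValueError:
            return None                             # Bob ratcheted with a fresh b' Eve never saw
        self.bob.ck_s = ck
        return pt

def run_scenario():
    """Compromise Bob after his first reply; map each later message to what Eve recovers."""
    a0, A0 = dh_keygen()
    b0, B0 = dh_keygen()
    rk0 = hashlib.sha256(dh(a0, B0)).digest()      # stands in for the initial key exchange output
    alice, bob = Party(rk0, a0, A0, B0), Party(rk0, b0, B0, A0)
    bob.receive(alice.send(b"first"))               # Alice samples a fresh exponent
    alice.receive(bob.send(b"reply"))               # Bob samples a fresh exponent
    eve, leaked = Attacker(deepcopy(bob)), {}       # Eve now holds Bob's b, rk, ck_s and ck_r
    plan = [("bob_sym", bob, alice),                # Bob has seen no new share: symmetric step only
            ("alice_fresh_a", alice, bob),          # Alice samples a': Eve still knows b
            ("bob_fresh_b", bob, alice),            # Bob samples b': first message Eve cannot read
            ("alice_next", alice, bob)]             # Alice ratchets on g^{a''b'}: also unreadable
    for label, sender, receiver in plan:
        msg = sender.send(label.encode())
        read = eve.read_bob_message if sender is bob else eve.read_alice_message
        leaked[label] = read(msg)
        assert receiver.receive(msg) == label.encode()   # the legitimate peer always decrypts
    return leaked
```

Running `run_scenario()` shows the pattern the answer describes: the message Bob sends before any new share arrives is only one symmetric step away from the stolen chain key and is readable, Alice's next message is readable too because the attacker still holds Bob's exponent and can compute g^{a'b} just as Bob does, and the first message Bob sends after receiving Alice's fresh share is the first one the attacker cannot read, because Bob samples a new exponent at that point and the chain key now depends on g^{a'b'}. Everything after that stays unreadable, since the attacker's copy of the root key is stale from then on.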

> since Bob uses the old ck_b_s for sending his message m4
>
> Bob received the new sample (g^a') from A. As you correctly point out, this generates a new ck for receiving.
> However, once B sends a new message, a new b is sampled, and then the new share is used to generate a new ck for sending.
> Here, the asymmetric ratchet step is triggered by the receipt of the new share.

Thank you for the answer! I think it really helped me to understand the Signal protocol better. I have an additional question to make sure I got it correctly:

Is it even true, then, that Bob has started a new round trip with m1? Because then almost every message would have to be an asymmetric step, if Bob samples a new exponent b on his "start new round trip" messages and also after Alice's "start new round trip" messages are received.
m1: new roundtrip by bob
m2: new roundtrip by Alice
m4: new roundtrip by Bob (triggered by m2)
m5: new roundtrip by Alice (triggered by m1)

Or does only one partner then trigger the new round-trip in the beginning, after the init? And then the ping pong begins with only one path, not two?

I thought the new round trips were decoupled from each other, as in: if Alice samples a new exponent, only the keys for Alice get updated (and the receiving keys for Bob as well).

Hi,

Sorry for the late answer.
You need to comment on or reply to my reply; otherwise this platform does not notify me about any new replies.
I only stumbled upon your question by chance.

We do not handle the case that both peers try to start the communication at the same time in the lecture.
It is enough for you to know that one peer starts the communication and obtains the necessary shares using the Initial Key Exchange (see slide 44f).

We sometimes switch up the tasks by changing who starts the conversation.
This is the reason why both peers kind of start the conversation in our picture.

Also see slide 59.
It shows how the ping-pong system works.

I hope this helps.

Cheers,
Sebastian