[Standards] OMEMO Key Agreement
matthew at matrix.org
Tue Jun 6 14:58:14 UTC 2017
On 6/2/17 9:18 PM, Sebastian Verschoor wrote:
> I also noted that although Olm has been audited, the scope of the
> audit only concerns the double ratchet. Given that Olm differs from
> Signal only in the handshake, I find this strange. Has the handshake
> not been audited? Am I missing something?
The handshake was included in the scope of the DR audit (even if the
abstract doesn't specifically call it out) - findings NCC-Olm2016-001
and NCC-Olm2016-009 explicitly highlight the need for ephemeral keys to
be signed, and the risk of an unknown key-share attack in the handshake.
We chose to mitigate these at the application level (updating the Olm
documentation to spell out the mitigations required).
That said, as Richard said on the earlier mail, please do let us know if
you still think Olm should be doing X3DH (possibly off-list, as it's
increasingly non-OMEMO/XMPP specific :)