[Standards] OMEMO Key Agreement

Richard van der Hoff richard at matrix.org
Wed Jun 7 09:06:28 UTC 2017

On 07/06/17 00:35, Sebastian Verschoor wrote:
> Eve can impersonate Bob when she compromises a private Curve25519 key 
> that is signed by Bob's Ed25519 key without compromising the Ed25519 
> private key itself.  This should not be possible under normal 
> circumstances, but I can think of two scenarios: (1) Eve tricks Bob 
> into signing a Curve25519 key generated by her.  This should never 
> happen as long as the only thing that Bob signs is his own locally 
> generated public keys; (2) Bob's random number generator is weak 
> during some identity-key generation, so Eve can guess/bruteforce his 
> private Curve25519 key.  Compare this to X3DH where a RNG failure 
> results in the loss of security for a session, not an identity.

Thanks very much for the feedback, Sebastian. Neither of those scenarios 
seems particularly problematic to me, but it's certainly interesting to 
think about them. I'll try to update the Olm documentation at some point 
to reflect these as security considerations.

