

Advanced cryptographic ratcheting - aw3c2
https://whispersystems.org/blog/advanced-ratcheting/

======
sillysaurus2
This is great work. The previous two posts on this topic can be found here:

[https://whispersystems.org/blog/simplifying-otr-deniability/](https://whispersystems.org/blog/simplifying-otr-deniability/)

[https://whispersystems.org/blog/asynchronous-security/](https://whispersystems.org/blog/asynchronous-security/)

Is there any way to extend the protocol to allow multiple recipients? Right
now the protocol seems to preclude group messaging.

Also, until TextSecure becomes very popular, it seems possible for an
adversary to gather metadata of all TextSecure conversations via traffic
analysis. As a simple example, imagine there are only four people using
TextSecure: A, B, C, and D. Let's say A and B exchange several text messages
within a few minutes. Then C and D exchange messages a few minutes later.
Since A and B are talking to TextSecure's servers at about the same time, it
can be inferred that they're texting each other. C and D can be similarly
pegged.

Until TextSecure becomes so popular that many messages per second are being
sent, it seems possible to collect metadata on all users who exchange text
messages in real time. If both the sender and receiver have the TextSecure app
open and are actively exchanging text messages, then they'll probably be the
only mobile users communicating with TextSecure's servers within the same
~200ms interval.

This could be mitigated by generating cover traffic. Each user could download
some fake data from the servers every few seconds. But this would drain
battery life very quickly.

Are there any plans to defend against traffic analysis?

(I only bring this up because one of the goals of TextSecure is to obscure
metadata from telcos, as stated in
[https://whispersystems.org/blog/simplifying-otr-deniability/](https://whispersystems.org/blog/simplifying-otr-deniability/))
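The four-user scenario above, as an added Python example that is not part of the thread or of TextSecure: it counts which users contact the server within the same ~200 ms window over a constructed timing log, then shows that a constant-rate schedule (every client polls on a fixed period, real messages riding in the next slot) leaves nothing for the count to single out. The log format, the 2 s period and the mean-based threshold are assumptions for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed server-side log of (timestamp_ms, user) for the A/B then C/D scenario.
# Format is an assumption; only the timing is used.
USERS = ["A", "B", "C", "D"]
MESSAGE_LOG = [
    (1000, "A"), (1150, "B"), (1300, "A"), (1450, "B"), (1600, "A"),        # A and B chatting
    (60000, "C"), (60150, "D"), (60300, "C"), (60450, "D"), (60600, "C"),   # C and D, a minute later
]


def cooccurrence_counts(events, window_ms=200):
    """For every pair of distinct users, count how often both contact the server within window_ms."""
    events = sorted(events)
    counts = Counter()
    for i, (t, user) in enumerate(events):
        for t2, other in events[i + 1:]:
            if t2 - t > window_ms:
                break  # events are sorted, so nothing later can fall inside the window
            if other != user:
                counts[tuple(sorted((user, other)))] += 1
    return counts


def suspected_pairs(counts, users):
    """Pairs whose co-occurrence count stands out above the mean over all possible pairs."""
    all_pairs = [tuple(sorted(p)) for p in combinations(users, 2)]
    mean = sum(counts.get(p, 0) for p in all_pairs) / len(all_pairs)
    return sorted(p for p in all_pairs if counts.get(p, 0) > mean)


def constant_rate_log(users, period_ms, end_ms):
    """Mitigation: every client talks to the server every period_ms whether or not it has
    a message (real messages ride in the next slot), so the log looks the same whoever is talking.
    The cost is the extra radio activity the post mentions."""
    return [(t, u) for t in range(0, end_ms + 1, period_ms) for u in users]


if __name__ == "__main__":
    print("message timing only:", suspected_pairs(cooccurrence_counts(MESSAGE_LOG), USERS))
    padded = constant_rate_log(USERS, 2000, 62000)
    print("constant-rate traffic:", suspected_pairs(cooccurrence_counts(padded), USERS))
```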

~~~
trevp
"Group messaging" can be done by separately encrypting a message to each
member of a group.

If you want resistance to traffic analysis check out Pond, which is also using
this ratchet:

[https://pond.imperialviolet.org](https://pond.imperialviolet.org)

------
conformal
great blog entry, moxie et al. it is wonderful to see what i consider to be
legitimate improvement in crypto protocols.

NOTE: i still think it's a really poor idea to assume that encrypting stuff on
your mobile device / smartphone will actually protect you since every default
mobile OS has, at a minimum, an OS-vendor installed backdoor.

~~~
salient
I hear, for instance, that T-mobile is still using Carrier-IQ, and that's
without considering the "other OS" for the phone's radio:

[http://www.osnews.com/story/27416/The_second_operating_syste...](http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone)

~~~
lcedp
Is it related to GSM modem only? What about wi-fi?

