From f8abaf9e2fab382f80f0378728c889887d112ac4 Mon Sep 17 00:00:00 2001
From: Matthew Hodgson <matthew@matrix.org>
Date: Tue, 18 Jun 2019 12:45:31 +0100
Subject: explicitly define backward & forward secrecy

as it repeatedly trips people up, including me
---
 docs/megolm.md | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

(limited to 'docs')

diff --git a/docs/megolm.md b/docs/megolm.md
index b9eedec..1cfd105 100644
--- a/docs/megolm.md
+++ b/docs/megolm.md
@@ -267,8 +267,16 @@ future research.
 
 ### Lack of Backward Secrecy
 
-Once the key to a Megolm session is compromised, the attacker can decrypt any
-future messages sent via that session.
+[Backward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
+(also called 'future secrecy' or 'post-compromise security') is the property
+that if current private keys are compromised, an attacker cannot decrypt
+future messages in a given session.  In other words, when looking
+**backwards** into the past at a compromise, messages sent since the compromise
+will be secret.
+
+By itself, Megolm does not posess this property: once the key to a Megolm
+session is compromised, the attacker can decrypt any future messages sent via
+that session.
 
 In order to mitigate this, the application should ensure that Megolm sessions
 are not used indefinitely. Instead it should periodically start a new session,
@@ -279,7 +287,15 @@ with new keys shared over a secure channel.
 
 ### Partial Forward Secrecy
 
-Each recipient maintains a record of the ratchet value which allows them to
+[Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
+is the property that if the current private keys are compromised, an attacker
+cannot decrypt *past* messages in a given session (unless past private keys
+are retained). 'Perfect forward secrecy' means that no past keys are retained.
+'Partial forward secrecy' means that some past key data may be retained. In
+other words, when looking **forwards** into the future at a potential
+compromise, messages sent prior to the compromise will be secret.
+
+In Megolm, each recipient maintains a record of the ratchet value which allows them to
 decrypt any messages sent in the session after the corresponding point in the
 conversation. If this value is compromised, an attacker can similarly decrypt
 those past messages.
-- 
cgit v1.2.3


From 27f5c25fe855300c4af70b13088708214af6d232 Mon Sep 17 00:00:00 2001
From: Matthew Hodgson <matthew@matrix.org>
Date: Tue, 18 Jun 2019 23:47:42 +0100
Subject: incorporate review from vdh & luca

---
 docs/megolm.md | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

(limited to 'docs')

diff --git a/docs/megolm.md b/docs/megolm.md
index 1cfd105..58ea10b 100644
--- a/docs/megolm.md
+++ b/docs/megolm.md
@@ -271,12 +271,13 @@ future research.
 (also called 'future secrecy' or 'post-compromise security') is the property
 that if current private keys are compromised, an attacker cannot decrypt
 future messages in a given session.  In other words, when looking
-**backwards** into the past at a compromise, messages sent since the compromise
-will be secret.
+**backwards** in time at a compromise which has already happened, **current**
+messages are still secret.
 
-By itself, Megolm does not posess this property: once the key to a Megolm
-session is compromised, the attacker can decrypt any future messages sent via
-that session.
+By itself, Megolm does not possess this property: once the key to a Megolm
+session is compromised, the attacker can decrypt any message that was
+encrypted using a key derived from the compromised key or any following
+ratchet values.
 
 In order to mitigate this, the application should ensure that Megolm sessions
 are not used indefinitely. Instead it should periodically start a new session,
@@ -288,17 +289,17 @@ with new keys shared over a secure channel.
 ### Partial Forward Secrecy
 
 [Forward secrecy](https://intensecrypto.org/public/lec_08_hash_functions_part2.html#sec-forward-and-backward-secrecy)
-is the property that if the current private keys are compromised, an attacker
-cannot decrypt *past* messages in a given session (unless past private keys
-are retained). 'Perfect forward secrecy' means that no past keys are retained.
-'Partial forward secrecy' means that some past key data may be retained. In
-other words, when looking **forwards** into the future at a potential
-compromise, messages sent prior to the compromise will be secret.
-
-In Megolm, each recipient maintains a record of the ratchet value which allows them to
-decrypt any messages sent in the session after the corresponding point in the
-conversation. If this value is compromised, an attacker can similarly decrypt
-those past messages.
+(also called 'perfect forward secrecy') is the property that if the current
+private keys are compromised, an attacker cannot decrypt *past* messages in
+a given session. In other words, when looking **forwards** in time towards a
+potential future compromise, **current** messages will be secret.
+
+In Megolm, each recipient maintains a record of the ratchet value which allows
+them to decrypt any messages sent in the session after the corresponding point
+in the conversation. If this value is compromised, an attacker can similarly
+decrypt past messages which were encrypted by a key derived from the
+compromised key or any following ratchet values. This gives 'partial'
+forrward secrecy.
 
 To mitigate this issue, the application should offer the user the option to
 discard historical conversations, by winding forward any stored ratchet values,
-- 
cgit v1.2.3


From cfd1450b0e93585b254c10c6a9d896954f6e7bd1 Mon Sep 17 00:00:00 2001
From: Matthew Hodgson <matthew@matrix.org>
Date: Thu, 20 Jun 2019 00:21:47 +0100
Subject: fix typo & more wording from luca

---
 docs/megolm.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'docs')

diff --git a/docs/megolm.md b/docs/megolm.md
index 58ea10b..ec98001 100644
--- a/docs/megolm.md
+++ b/docs/megolm.md
@@ -276,8 +276,8 @@ messages are still secret.
 
 By itself, Megolm does not possess this property: once the key to a Megolm
 session is compromised, the attacker can decrypt any message that was
-encrypted using a key derived from the compromised key or any following
-ratchet values.
+encrypted using a key derived from the compromised or subsequent ratchet
+values.
 
 In order to mitigate this, the application should ensure that Megolm sessions
 are not used indefinitely. Instead it should periodically start a new session,
@@ -298,8 +298,8 @@ In Megolm, each recipient maintains a record of the ratchet value which allows
 them to decrypt any messages sent in the session after the corresponding point
 in the conversation. If this value is compromised, an attacker can similarly
 decrypt past messages which were encrypted by a key derived from the
-compromised key or any following ratchet values. This gives 'partial'
-forrward secrecy.
+compromised or subsequent ratchet values. This gives 'partial' forward
+secrecy.
 
 To mitigate this issue, the application should offer the user the option to
 discard historical conversations, by winding forward any stored ratchet values,
-- 
cgit v1.2.3