Documentation Inaccuracy Found

Steven Murdoch has pointed out an inaccuracy in the ScatterChat documentation's use of the term "perfect forward secrecy."

The documentation repeatedly describes the underlying protocol as providing perfect forward secrecy, but the property it actually describes is weaker: past conversations stay private only when one peer's long-term key is compromised, not when both are (the front page calls this "resiliency against partial compromise," and section 7 of the user's guide states it explicitly). Steven Murdoch correctly pointed out that this does not meet the strict definition of perfect forward secrecy, which requires that past session keys remain secret even after both peers' long-term keys are compromised. The documentation is therefore being revised to remove the term.

Note that the key files ScatterChat generates are encrypted with a password, so an adversary who recovers both key files still has to recover both passphrases before obtaining the long-term keys; strong passphrases prevent this. This is protection of the keys at rest, not forward secrecy: some adversaries, such as the Chinese government, can obtain passwords through out-of-band techniques such as torture, and once both passphrases and both key files are in hand, recorded past conversations can be decrypted.

To be clear, this is a documentation error, not a design or implementation flaw in ScatterChat v1.0.1. The software behaves as designed and remains safe to use as intended, with the understanding that past conversations are protected against the compromise of one peer's long-term key but not against the compromise of both.

Documentation for the ScatterChat v2.0 protocol, which provides perfect forward secrecy using ephemeral elliptic curve Diffie-Hellman key agreement, is coming soon.

-- JST Duce, Project Maintainer

August 5th, 2006.
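The distinction above (resilience against a single long-term key compromise versus true forward secrecy) is easiest to see with a passive recorder who captures the session transcript and later obtains zero, one, or both long-term keys. The following is an added illustration, not ScatterChat's own code; the two protocols are simplified stand-ins invented for this example (not the real v1 or v2 designs), the group parameters are toy-sized and unvetted, and long-term keys are modelled as static Diffie-Hellman keys with authentication omitted.

```python
"""Toy model: "resists compromise of ONE long-term key" vs. forward secrecy.

Added example, not ScatterChat code.  Protocol 1 and Protocol 2 are assumed,
simplified designs; the group (P, G) is illustrative only, not for production.
"""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption: small enough to fit 32 bytes, not a
# vetted safe-prime group).
P = 2**255 - 19
G = 2


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(x):
    return x.to_bytes(32, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    """Static or ephemeral DH key pair (private exponent, public element)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


# ---- Protocol 1: "resilient against partial compromise" -------------------
# Each peer picks a fresh 32-byte nonce and sends it ElGamal-style, encrypted
# to the OTHER peer's long-term public key.  Session key = H(nonce_A||nonce_B).

def send_nonce_to(pub_receiver):
    nonce = secrets.token_bytes(32)
    r = secrets.randbelow(P - 2) + 1           # discarded after use
    mask = h(i2b(pow(pub_receiver, r, P)))
    return nonce, (pow(G, r, P), xor(nonce, mask))


def open_nonce(priv_receiver, blob):
    gr, ct = blob
    return xor(ct, h(i2b(pow(gr, priv_receiver, P))))


def run_protocol1(priv_a, pub_a, priv_b, pub_b):
    """Returns (session_key, transcript as seen on the wire)."""
    n_a, blob_a = send_nonce_to(pub_b)          # A -> B
    n_b, blob_b = send_nonce_to(pub_a)          # B -> A
    assert open_nonce(priv_b, blob_a) == n_a and open_nonce(priv_a, blob_b) == n_b
    return h(n_a, n_b), {"A->B": blob_a, "B->A": blob_b}


def attack_protocol1(transcript, priv_a=None, priv_b=None):
    """Recorder who later obtains some long-term keys; None = cannot recover."""
    if priv_a is None or priv_b is None:
        return None                             # one nonce stays encrypted
    n_a = open_nonce(priv_b, transcript["A->B"])
    n_b = open_nonce(priv_a, transcript["B->A"])
    return h(n_a, n_b)


# ---- Protocol 2: ephemeral DH (forward secret) ----------------------------
# Long-term keys would only authenticate (signatures omitted in this toy);
# the session key is H(g^ab) from per-session exponents that are erased.

def run_protocol2(priv_a, pub_a, priv_b, pub_b):
    a, ga = keygen()
    b, gb = keygen()
    key = h(i2b(pow(gb, a, P)))
    assert key == h(i2b(pow(ga, b, P)))
    del a, b                                    # ephemerals erased after use
    return key, {"A->B": ga, "B->A": gb}


def attack_protocol2(transcript, priv_a=None, priv_b=None):
    """Recorder's best effort: the long-term exponents are not the session
    exponents, so g^(x_A*b) or g^(a*x_B) is not g^(ab)."""
    if priv_a is not None:
        return h(i2b(pow(transcript["B->A"], priv_a, P)))
    if priv_b is not None:
        return h(i2b(pow(transcript["A->B"], priv_b, P)))
    return None


def compromise_matrix():
    """For each protocol: which key compromises let the recorder decrypt?"""
    pa, PA = keygen()
    pb, PB = keygen()
    results = {}
    for name, run, attack in (("partial-resilient", run_protocol1, attack_protocol1),
                              ("ephemeral-dh", run_protocol2, attack_protocol2)):
        key, transcript = run(pa, PA, pb, PB)
        results[name] = {
            "no keys": attack(transcript) == key,
            "A's key": attack(transcript, priv_a=pa) == key,
            "B's key": attack(transcript, priv_b=pb) == key,
            "both keys": attack(transcript, priv_a=pa, priv_b=pb) == key,
        }
    return results


if __name__ == "__main__":
    for proto, row in compromise_matrix().items():
        print(proto, row)
```

Running it shows the first protocol holding up against any single key compromise but falling to "both keys", which is exactly the "resiliency against partial compromise" property, while the ephemeral Diffie-Hellman protocol yields nothing to the recorder in any column, which is the property the term perfect forward secrecy actually names.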