From otr at cypherpunks.ca Sun Jul 24 10:55:04 2005
From: otr at cypherpunks.ca (The OTR Dev Team)
Date: Sun, 24 Jul 2005 10:55:04 -0400
Subject: [OTR-dev] Flaw in OTR Protocol (with workaround!)
Message-ID:

Well, this is the benefit of open protocols and open source. :-)

Researchers from the Università di Catania (Italy) and IBM have looked at the OTR protocol, and pointed out a flaw, which is this:

If Alice tries to communicate with Bob, Mallory (an active attacker) can make Bob _think_ he's talking to Mallory, when he's actually talking to Alice. Alice correctly knows she's talking to Bob. Note that Mallory can't actually _read_ the messages between Alice and Bob.

For example, if Bob thinks he's talking to Mallory, he may tell her something in confidence he would not want Alice to hear. Note that although Mallory could relate this confidential information to Alice herself, in the attack scenario Alice has assurance that the message came from Bob rather than having to take Mallory's word for it.

There's a simple temporary workaround: Alice should say "Hi, this is Alice." at the beginning of the conversation, alerting Bob to any possible attack. Likewise, Bob should identify himself to prevent the attack in the opposite direction.

But in the longer term, we're going to fix the protocol to prevent the attack in the first place. Unfortunately, this will mean changing the wire protocol, which will cause incompatibility. The current plan is for the next version of libotr to support both the current and new protocols (with an option to disallow the current protocol); if you communicate with someone speaking the current protocol, it will let you know that you should confirm your identity with the other person.

[Note that in the attack scenario, the people communicating are not "in on" the attack, so simply mentioning your own name inside the OTR conversation is sufficient.]

As a side effect, if anyone's got other enhancements to OTR in the wings that would require wire protocol changes, now's the time to speak up. :-)

- The OTR Dev Team

[Note that Ian and Kat will shortly be off the net until Monday evening, but Nikita may be around.]

From gdt at ir.bbn.com Tue Jul 26 08:39:01 2005
From: gdt at ir.bbn.com (Greg Troxel)
Date: 26 Jul 2005 08:39:01 -0400
Subject: [OTR-dev] Flaw in OTR Protocol (with workaround!)
In-Reply-To:
References:
Message-ID:

I'd like an OTR implementation to be able to send a computer-readable, authenticated "delete SA" message to the other side, for example when exiting a client.

I would like to be able to sign OTR public keys (not session keys, but the signing keys) in openpgp format, and to be able to send openpgp keys to peers, kind of like x509 certs in IKE, so that I can leverage the PGP WoT to authenticate OTR signing keys. Checking one signing key for someone is far more reasonable than checking 6 OTR keys for my friend's 6 computers, and thus far more likely to happen.

--
Greg Troxel

From alex323 at gmail.com Tue Jul 26 18:16:43 2005
From: alex323 at gmail.com (Alex)
Date: Tue, 26 Jul 2005 18:16:43 -0400
Subject: [OTR-dev] [Feature Request] - Ability to see session keys in Gaim
Message-ID: <42E6B64B.2080700@gmail.com>

I think it would be useful to have the ability to see the session keys for any conversation at any given point in time. We could add a right click menu to the OTR button. When we click on an option, we would see the session keys (in bold marking whether we are on the high or low end) as well as the fingerprint of the other user. I think this is good because you only get to see the session key dialog once during the conversation.

- Alex

From ian at cypherpunks.ca Tue Jul 26 18:18:47 2005
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 26 Jul 2005 18:18:47 -0400
Subject: [OTR-dev] [Feature Request] - Ability to see session keys in Gaim
In-Reply-To: <42E6B64B.2080700@gmail.com>
References: <42E6B64B.2080700@gmail.com>
Message-ID: <20050726221847.GZ1155@smtp.paip.net>

On Tue, Jul 26, 2005 at 06:16:43PM -0400, Alex wrote:
> I think it would be useful to have the ability to see the session keys
> for any conversation at any given point in time. We could add a right
> click menu to the OTR button. When we click on an option, we would see
> the session keys (in bold marking whether we are on the high or low end)
> as well as the fingerprint of the other user. I think this is good
> because you only get to see the session key dialog once during the
> conversation.

Assuming you meant "secure session id" and not "session keys", that's already in the CVS version of gaim-otr.

- Ian