From otr@cypherpunks.ca Sun Jul 24 15:55:04 2005
From: otr@cypherpunks.ca (The OTR Dev Team)
Date: Sun, 24 Jul 2005 10:55:04 -0400
Subject: [OTR-dev] Flaw in OTR Protocol (with workaround!)
Message-ID:

Well, this is the benefit of open protocols and open source. :-)

Researchers from the Università di Catania (Italy) and IBM have looked
at the OTR protocol, and pointed out a flaw, which is this:

If Alice tries to communicate with Bob, Mallory (an active attacker) can
make Bob _think_ he's talking to Mallory, when he's actually talking to
Alice. Alice correctly knows she's talking to Bob. Note that Mallory
can't actually _read_ the messages between Alice and Bob.

For example, if Bob thinks he's talking to Mallory, he may tell her
something in confidence he would not want Alice to hear. Note that
although Mallory could relate this confidential information to Alice
herself, in the attack scenario Alice has assurance that the message
came from Bob rather than having to take Mallory's word for it.

There's a simple temporary workaround: Alice should say "Hi, this is
Alice." at the beginning of the conversation, alerting Bob to any
possible attack. Likewise, Bob should identify himself to prevent the
attack in the opposite direction.

But in the longer term, we're going to fix the protocol to prevent the
attack in the first place. Unfortunately, this will mean changing the
wire protocol, which will cause incompatibility. The current plan is
for the next version of libotr to support both the current and new
protocols (with an option to disallow the current protocol); if you
communicate with someone speaking the current protocol, it will let you
know that you should confirm your identity with the other person.

[Note that in the attack scenario, the people communicating are not "in
on" the attack, so simply mentioning your own name inside the OTR
conversation is sufficient.]

As a side effect, if anyone's got other enhancements to OTR in the wings
that would require wire protocol changes, now's the time to speak up.
:-)

   - The OTR Dev Team

[Note that Ian and Kat will shortly be off the net until Monday evening,
but Nikita may be around.]

From gdt@ir.bbn.com Tue Jul 26 13:39:01 2005
From: gdt@ir.bbn.com (Greg Troxel)
Date: 26 Jul 2005 08:39:01 -0400
Subject: [OTR-dev] Flaw in OTR Protocol (with workaround!)
In-Reply-To:
References:
Message-ID:

I'd like an OTR implementation to be able to send a computer-readable,
authenticated "delete SA" message to the other side, for example when
exiting a client.

I would like to be able to sign OTR public keys (not session keys, but
the signing keys) in openpgp format, and to be able to send openpgp keys
to peers, kind of like x509 certs in IKE, so that I can leverage the PGP
WoT to authenticate OTR signing keys. Checking one signing key for
someone is far more reasonable than checking 6 OTR keys for my friend's
6 computers, and thus far more likely to happen.

--
Greg Troxel

From alex323@gmail.com Tue Jul 26 23:16:43 2005
From: alex323@gmail.com (Alex)
Date: Tue, 26 Jul 2005 18:16:43 -0400
Subject: [OTR-dev] [Feature Request] - Ability to see session keys in Gaim
Message-ID: <42E6B64B.2080700@gmail.com>

I think it would be useful to have the ability to see the session keys
for any conversation at any given point in time. We could add a right
click menu to the OTR button. When we click on an option, we would see
the session keys (in bold marking whether we are on the high or low end)
as well as the fingerprint of the other user. I think this is good
because you only get to see the session key dialog once during the
conversation.

- Alex

From ian@cypherpunks.ca Tue Jul 26 23:18:47 2005
From: ian@cypherpunks.ca (Ian Goldberg)
Date: Tue, 26 Jul 2005 18:18:47 -0400
Subject: [OTR-dev] [Feature Request] - Ability to see session keys in Gaim
In-Reply-To: <42E6B64B.2080700@gmail.com>
References: <42E6B64B.2080700@gmail.com>
Message-ID: <20050726221847.GZ1155@smtp.paip.net>

On Tue, Jul 26, 2005 at 06:16:43PM -0400, Alex wrote:
> I think it would be useful to have the ability to see the session keys
> for any conversation at any given point in time. We could add a right
> click menu to the OTR button. When we click on an option, we would see
> the session keys (in bold marking whether we are on the high or low end)
> as well as the fingerprint of the other user. I think this is good
> because you only get to see the session key dialog once during the
> conversation.

Assuming you meant "secure session id" and not "session keys", that's
already in the CVS version of gaim-otr.

   - Ian