[OTR-users] mpOTR: replay attacks from insiders

Berkant Ustaoglu bustaoglu at cryptolounge.net
Sun Aug 29 21:23:58 EDT 2010 

Hi,

This is one of the many directions we were not able to complete due to  
space and time restrictions. The examples you suggest are quite  
descriptive of the problems that can arise. You should consider the  
consensus as something vital for any implementation: we have not  
offered a concrete solution, but emphasized consensus importance for  
mpOTR and that security as in encryption, macs and signatures do not  
necessarily imply consensus.

A more personal answer regarding your question "Which order  
fingerprint is chosen?". OTR I think is satisfying a quite a few  
folks. So when two parties are concerned as in your example mpOTR  
should at least provide OTR result. The interesting part to  
design/decide is when you have Charlie contributing to the messages.  
KleeQ (reference [18]) has some worthy things to add on the issue. I  
think relative counters must somehow be used. Alice has a counter she  
increases with every message, but also uses Bob's and  Charlie's  
counters to indicate what she thinks she responds to. So Alice won't  
accept a replayed message (counter is part of the message) from Bob  
because Bob's counter will say "I'm responding to your first  
question.". However, the feasibility of that approach is somewhat  
questionable since counters may get the message length a bit too long.

Your otr-user list alternative is to send us directly your questions  
and comments.

Best

Berkant

Quoting "Christoph A." <casmls at gmail.com>:

> On 08/29/2010 10:46 PM, Gregory Maxwell wrote:
>>> If I understand AuthSend() - defined in algorithm 5 - correctly, it does
>>> not contain any counter that would prevent such a replay attack.
>>> Is that correct or did I miss something that prevents already such an
>>> attack? (beside the consensus check in shutdown())
>>
>>
>> I initially replied "The consensus check" but then saw you mentioned that.
>>
>> I'm not an mpOTR designer, so perhaps there is some other protection
>> there that I'm missing... But this was how I understood the operation
>> of the protocol.  Do you think that the consensus check is inadequate?
>
> A replay-proof signature would prevent the attack from
> happening/succeeding in the first place.
> Alice would refuse to accept the signature in line 5.
> The consensus check detects it after the fact at the end of the chat
> session, therefore I think I would prefer the first solution.
>
> I would be surprised that such a replay attack is possible (which is not
> confirmed yet) because including a counter in sign() would defeat the
> attack.
>
> To be honest I also have a question regarding the consensus that is
> somehow connected to the replay scenario:
>
> Alice view:
>
> 1 Alice: Does it rain?
> 2 Bob: yes
> 3 Alice: really?
> 4 Bob: no
>
> Bob's view of the same chat room:
>
> 1 Alice: Does it rain?
> 2 Bob: no
> 3 Alice: really?
> 4 Bob: yes
>
> Charlie's view
>
> 1 Alice: Does it rain?
> 2 Alice: really?
> 3 Bob: no
> 4 Bob: yes
>
> Consensus checklist:
>  - same set of participants -> ok
>  - same sid -> ok
>  - same set of messages -> ok
>  - each message origin -> ok
>
> consensus reached?
>
> From chapter 4.4:
> "To ensure that out-of-order message delivery does not affect this
> digest, the messages are taken in lexical order. Note however, that
> should messages include a suitable order fingerprint, the lexical order
> coincides with delivery and creation order, hence our ordering is not
> restrictive."
>
> The remaining question is: Which order fingerprint is chosen?
>
> kind regards,
> Christoph
>
>



-- 
Berkant Ustaoglu
http://cryptolounge.net

More information about the OTR-users mailing list