[OTR-dev] Symmetric key retrieval
Ian Goldberg
ian at cypherpunks.ca
Thu Jul 3 19:11:04 EDT 2008
On Thu, Jul 03, 2008 at 06:08:34PM -0400, px at xelerance.com wrote:
>
> > OTR uses AES-128. I made 256 bits available so you can get two 128-bit
> > keys out of it (say, one for encrypting in each direction, or one for
> > encrypting and one for a MAC). The 256 bits are basically a SHA-256
> > hash of the current Diffie-Hellman g^{xy} value (in order to preserve
> > forward secrecy).
>
> Hmm, if it is derived from g^{xy}, then wouldn't it be enough to
> send the request without the key material? The other end also has
> g^{xy} right?
Yes. That's what it does. No keys are sent (even encrypted).
> What is the risk here when a malicious client is trying to leak
> encrypted content. Could it pick something weak so that g^{xy}
> is easily guessable when having more encrypted text available to it?
>
> Though I guess this case is better protected, as it prevents one
> side from using a known OTP to leak out information via this
> feature. (But I'm not a crypto buff :)
A malicious client could just leak the key directly. I'm not sure what
you're asking? If you could figure out g^{xy} given a lot of data
AES-encrypted with SHA-256(g^{xy}), then you've nontrivially broken
either AES or SHA-256 (and probably both).
- Ian
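The derivation Ian describes, worked through as an added example (this is not libotr code and not part of the original thread): both sides run a Diffie-Hellman exchange, only the public values g^x and g^y cross the wire, each side computes g^{xy} locally, hashes it with SHA-256 and splits the 256-bit digest into two 128-bit keys. The group parameters below are a small toy prime chosen for readability, not the group OTR actually uses, and the byte serialization of g^{xy} fed to SHA-256 is an assumption; the real OTR encoding is not stated in the message above. The point the code makes is the one in the reply: the request carries no key material at all, and a fresh x, y pair yields fresh keys.

```python
import hashlib
import secrets

# Toy DH group (assumption for illustration only; OTR uses a much larger
# standardised MODP group). 2^127 - 1 is a Mersenne prime.
P = (1 << 127) - 1
G = 3


def dh_keypair(priv=None):
    """Return (x, g^x mod p). A private exponent may be supplied for tests."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Compute g^{xy} from our exponent and the peer's public value.

    Reject degenerate public values (0, 1, p-1) so a malicious peer cannot
    force the shared secret into a tiny, guessable set.
    """
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def int_to_bytes(n):
    """Big-endian byte encoding of g^{xy} (assumed serialization, not OTR's)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def derive_extra_keys(s):
    """256 bits = SHA-256(g^{xy}); split into two independent 128-bit keys.

    The caller decides what the halves mean (one per direction, or
    encrypt + MAC); the derivation itself is symmetric for both peers.
    """
    digest = hashlib.sha256(int_to_bytes(s)).digest()
    return digest[:16], digest[16:]


def build_request(use_id):
    """The on-wire 'symmetric key request': an application use identifier
    only. No key bytes, encrypted or otherwise, are included."""
    return {"type": "extra-key-request", "use": use_id}


def simulate_exchange():
    """Run one exchange and return (alice_keys, bob_keys, request)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Only a_pub / b_pub and the request message are exchanged.
    request = build_request("file-transfer")
    alice_keys = derive_extra_keys(shared_secret(a_priv, b_pub))
    bob_keys = derive_extra_keys(shared_secret(b_priv, a_pub))
    return alice_keys, bob_keys, request


if __name__ == "__main__":
    alice, bob, req = simulate_exchange()
    print("request on the wire:", req)
    print("alice:", alice[0].hex(), alice[1].hex())
    print("bob:  ", bob[0].hex(), bob[1].hex())
    print("match:", alice == bob)
```

Running it twice shows two unrelated key pairs, which is the forward-secrecy property Ian points to: the extra keys are only as long-lived as the DH value they are hashed from.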