[OTR-dev] Symmetric key retrieval

Ian Goldberg ian at cypherpunks.ca
Thu Jul 3 19:11:04 EDT 2008

On Thu, Jul 03, 2008 at 06:08:34PM -0400, px at xelerance.com wrote:
> > OTR uses AES-128.  I made 256 bits available so you can get two 128-bit
> > keys out of it (say, one for encrypting in each direction, or one for
> > encrypting and one for a MAC).  The 256 bits are basically a SHA-256
> > hash of the current Diffie-Hellman g^{xy} value (in order to preserve
> > forward secrecy).
> Hmm, if it is derived from g^{xy}, then wouldn't it be enough to
> send the request without the key material? The other end also has
> g^{xy} right?

Yes.  That's what it does.  No keys are sent (even encrypted).

> What is the risk here when a malicious client is trying to leak
> encrypted content? Could it pick something weak so that g^{xy}
> is easily guessable when having more crypted text available to it?
> Though I guess this case is better protected, as it prevents one
> side from using a known OTP to leak out information via this
> feature. (But I'm not a crypto buff :)

A malicious client could just leak the key directly.  I'm not sure what
you're asking?  If you could figure out g^{xy} given a lot of data
AES-encrypted with SHA-256(g^{xy}), then you've nontrivially broken
either AES or SHA-256 (and probably both).

   - Ian
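The derivation Ian describes above, written out as an added example (this is not libotr's code, and it assumes a plain SHA-256 over the big-endian encoding of g^{xy}; the real library may format or prefix the input differently). Both ends compute g^{xy} themselves, hash it, and split the 256-bit digest into two 128-bit keys, so nothing key-related ever needs to be transmitted. The DH group here is a toy (the Mersenne prime 2^521 - 1 with generator 3), chosen only so the example runs offline; the function and variable names are mine.

```python
import hashlib
import hmac
import secrets

# TOY Diffie-Hellman group, constructed for illustration only; it is not
# the group OTR uses and gives no security guarantee in practice.
P = 2**521 - 1   # Mersenne prime M521
G = 3


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(own_private, peer_public):
    """g^{xy} mod p, computed independently by each side."""
    return pow(peer_public, own_private, P)


def derive_keys(gxy):
    """SHA-256 of g^{xy}, split into two 128-bit keys.

    Assumption: the hash input is the minimal big-endian encoding of the
    integer g^{xy}. Returns (key_a, key_b); the caller decides whether
    they are per-direction encryption keys or an encryption/MAC pair.
    """
    secret_bytes = gxy.to_bytes((gxy.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(secret_bytes).digest()   # 32 bytes
    return digest[:16], digest[16:]


def authenticate(mac_key, message):
    """HMAC-SHA256 tag over a message, using the second derived half."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def both_sides_agree():
    """Run the exchange end to end and report whether the derived keys
    match without either side sending key material."""
    x, gx = dh_keypair()       # "Alice"
    y, gy = dh_keypair()       # "Bob"
    a_enc, a_mac = derive_keys(shared_secret(x, gy))
    b_enc, b_mac = derive_keys(shared_secret(y, gx))

    # Only gx and gy crossed the wire; the 256 key bits were never sent.
    keys_match = (a_enc, a_mac) == (b_enc, b_mac)
    halves_differ = a_enc != a_mac

    # Bob can verify a tag Alice produced with her MAC half.
    msg = b"constructed sample message"
    tag_ok = hmac.compare_digest(authenticate(a_mac, msg),
                                 authenticate(b_mac, msg))
    return keys_match and halves_differ and tag_ok


if __name__ == "__main__":
    print("keys agree, nothing sent:", both_sides_agree())
```

Forward secrecy follows from the same structure: once the DH exponents for a given g^{xy} are discarded, the two 128-bit halves cannot be recomputed, which is why the response to the "weak g^{xy}" worry is that recovering it from ciphertext would require breaking SHA-256 or AES, not the protocol.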
