[OTR-dev] Separate Fingerprint For Each Account?

otr at synx.us.to
Wed Sep 17 22:45:29 EDT 2008


Ian Goldberg wrote:

> If I've verified that the AIM id "fooman" has
> a particular key, should OTR (technically, pidgin-otr, Adium, Kopete,
> Psi, etc.) automatically believe that "fooman at foo.com" on MSN
> and "fooman at jabber.de" on XMPP can be correctly authenticated with
> that same key?

Assuming an attacker with fooman at jabber.de on XMPP is trying to
impersonate "fooman" on AIM, but does not have the key that "fooman" on
AIM has, how could he possibly produce the same OTR fingerprint, even if
it's from an account that the real fooman does not control?

It's my opinion that identity should start from within the encryption,
and what account you log into outside of that is not something that can
be automatically trusted. Making a distinction based on which account
you log in where does not add to your security or verifiability, but it
does add complexity that the user has to manually fiddle with, instead
of clear transparent usability.

As an example, consider if fooman was allowed to use the same key for
both "fooman" on AIM, and fooman at jabber.de. The OTR plugin could simply
realize that both accounts were encrypted and authenticated using the
same key, and if the first is a validated key, then the second will be
validated too, even though it came from a different destination.
Assuming fooman's key isn't stolen, there's no way for an attacker to
impersonate fooman no matter what account he comes from.

With the current system you can do the same thing, but it's much more
complicated. If you had a verified session with "fooman" on AIM and an
unverified session with fooman at jabber.de, and "fooman" on AIM typed a
message saying "My fingerprint on fooman at jabber.de is 'abcdefg'", and
fooman at jabber.de's fingerprint was "abcdefg", then you could safely
mark fooman at jabber.de as a verified fingerprint, without fooman having
to speak to you over the telephone. "fooman" on AIM is verified and in
the private state, so you can trust that anything he says wasn't an
injection or impersonation, even if what he says is to validate a second
account.

Doing that requires fooman to eyeball his own fingerprint, likely type it
in character by character, and also manually remember which fingerprint
goes with which account, in order to tell you which fingerprint to trust.
It requires you to pull up OTR's authenticate fingerprint thingy, to
manually eyeball the fingerprint fooman typed at you, comparing it with
the real fingerprint of goodfooman at jabber.de, then select the statement
that you have verified the fingerprint, and ignore the messages suggesting
you telephone fooman.

If you complete this lengthy set of steps, you can verify a second key
based on the conversation of an already verified key, with no extra
insecure out-of-band communication needed. But if you could use the same
key, then all that manual twiddling wouldn't be necessary, and in fact
it might be safer, since there wouldn't be an opportunity for human
error, such as if the fingerprints differed by one character and your
eyeball missed catching that.

And one more benefit to sharing a key between two accounts: if AOL
decides that fooman is banned from AIM due to his use of "terrorist
weapons" like OTR, then fooman cannot establish any more verified
sessions using "fooman" at AIM. You just have to trust him at his word
at this point if he has a different fingerprint for his new account,
fooman at jabber.de. Or call him on the telephone, if you feel for some
reason that the person who answers won't be a middle man spy either.
Assuming he trusts you enough to give you his telephone number, which can
be used by corporate background check databases to retrieve most of his
identity and personal history.

I've found when a jabber server dies, the users have the difficult
problem of getting people to trust their new accounts, since they can't
verify their new accounts via messages from the old one. But with keys
not tied to server accounts, you could change your account pretty
seamlessly, with no risk of identity theft at all along the way, just by
using the same key for the new account.
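The two trust models argued over in this post, side by side, as an added illustration that is not code from libotr, pidgin-otr or any OTR client: trust recorded per (protocol, account) versus trust that follows the key, plus the in-band "my fingerprint on the other account is ..." attestation done by the client with a whole-string comparison instead of an eyeball. The fingerprints, account names and function names are constructed for the example.

```python
# Constructed OTR-style fingerprints (40 hex digits in five groups of eight).
FP_FOOMAN = "11111111 22222222 33333333 44444444 55555555"
FP_OTHER  = "11111111 22222222 33333333 44444444 5555555F"  # differs by one char

def norm(fp):
    """Canonicalise a fingerprint so comparison is whole-string, not by eye."""
    return fp.replace(" ", "").upper()

class PerAccountTrust:
    """Trust keyed by (protocol, account): the status quo described in the post."""
    def __init__(self):
        self.verified = {}
    def mark_verified(self, protocol, account, fp):
        self.verified[(protocol, account)] = norm(fp)
    def is_verified(self, protocol, account, fp):
        return self.verified.get((protocol, account)) == norm(fp)

class PerKeyTrust:
    """Trust keyed by the fingerprint alone: the model the post argues for."""
    def __init__(self):
        self.verified = set()
    def mark_verified(self, fp):
        self.verified.add(norm(fp))
    def is_verified(self, fp):
        return norm(fp) in self.verified

def accept_inband_attestation(store, sender_verified, claimed_fp, observed_fp,
                              protocol, account):
    """The manual workaround from the post, done by the client: a peer whose
    current session is verified says "my fingerprint on <account> is <fp>".
    Accept only when that session is verified and the claim equals the
    fingerprint actually observed for the new account, compared in full."""
    if not sender_verified or norm(claimed_fp) != norm(observed_fp):
        return False
    store.mark_verified(protocol, account, observed_fp)
    return True

def demo():
    per_account = PerAccountTrust()
    per_account.mark_verified("AIM", "fooman", FP_FOOMAN)
    per_key = PerKeyTrust()
    per_key.mark_verified(FP_FOOMAN)
    xmpp = ("XMPP", "fooman@jabber.de")
    return {
        # the same key presented from a new XMPP account
        "per_account_auto": per_account.is_verified(*xmpp, FP_FOOMAN),
        "per_key_auto": per_key.is_verified(FP_FOOMAN),
        # attestation over the verified AIM session, exact match accepted
        "attest_ok": accept_inband_attestation(per_account, True, FP_FOOMAN, FP_FOOMAN, *xmpp),
        # a one-character mismatch the eye might miss is rejected
        "attest_typo": accept_inband_attestation(per_account, True, FP_OTHER, FP_FOOMAN, *xmpp),
        # a different key is not trusted under either model
        "per_key_impostor": per_key.is_verified(FP_OTHER),
    }
```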



More information about the OTR-dev mailing list