[OTR-dev] OTR, keyservers, MITM, etc.

chris-tuchs at hushmail.com chris-tuchs at hushmail.com
Wed Aug 12 05:16:54 EDT 2009 

Here's version 3.

I added time to the name hash to increase the work required to
build a log of who talks to whom.

I added R as part of the key used to encrypt E.  This prevents a
kind of replay attack.  In particular, if <N, R, E, M> is a
valid post, then <N, R', E, M> is very unlikely to be a valid
post unless R' == R.

In response to a message like <N, R, E, M>, a keyserver responds
with all the messages <N', R', E', M'> it received in the last
256 seconds where N' == N.

Where

N          = HASH1(npnt)
R          = a 24 bit nonce chosen at random
E          = AESC(HASH3(npnt | R), HASH2(kfp))
M          = HMAC(HASH4(npnt), E)

npnt       = user1-name | protocol-name | user2-name | time
kfp        = key1-fingerprint | key2-fingerprint
             fingerprints are human readable utf8 strings
             produced by otrl_privkey_hash_to_human()
time       = number of seconds since 1970 UTC right shifted 7
             bits expressed as a utf8 encoded string, i.e. "123"
             not 0x7b

HASH1(x)   = TRUNC(168, SHA256("User names" | x | "HASH1"))
HASH2(x)   = TRUNC(168, SHA256("Fingerprints" | x | "HASH2")
HASH3(x)   = TRUNC(128, SHA256("Encryption key" | x | "HASH3")
HASH4(x)   =            SHA256("HMAC key" | x | "HASH4")
HMAC(k,x)  = TRUNC(168, HMAC-SHA256(k, x))
AESC(k,x)  = The encryption of x by AES in counter mode with 128
             bit key k and initial count 0

TRUNC(L,n) = the L left most bits of n

The keyservers are http servers which respond to urls like
http://host.tld/otrkey?v=1&N=<b64>&E=<b64>&M=<b64>&R=<b64>

with lines like
N=<b64>&E=<b64>&M=<b64>&R=<b64>
N=<b64>&E=<b64>&M=<b64>&R=<b64>
N=<b64>&E=<b64>&M=<b64>&R=<b64>

Where <b64> is a URL safe variant of a base 64 encoded number.
And it's the reason I picked 168 bits and 24 bits above since
they are evenly divisible by 24, which is the base 64
"blocksize", and thus eliminates the need for any padding
algorithm.  The N, E, and M values are all 28 characters long,
and the R value is 4 characters long.

Chris

Postscript: Please tell me someone has already done this better,
let me use their protocol.

More information about the OTR-dev mailing list