[OTR-dev] question regarding the AKE protocol
Stefan Schoenleitner
dev.c0debabe at gmail.com
Fri Jun 18 14:01:52 EDT 2010
Hi,
after reading the SIGMA and OTR papers I was wondering why 4 instead of
only two MAC keys are needed for the protocol.
In the protocol description[1] in the third step, Bob derives the MAC
keys m1 and m2 (among other keys not being relevant for my question).
The MAC key m2 is used in an usual way to authenticate the encrypted packet.
However, the key m1 is used to create a MAC over the ephemeral DH public
keys (g^x, g^y), the longterm public key and the keyid.
By looking at the libotr code, it can be seen that HMAC-SHA256 is used
for the MAC.
After that this MAC is signed with Bob's long term private key.
Another look at the code reveals that for signing DSA with SHA256 is used.
Thus, over the existing MAC hash (HMAC-SHA256) another hash (SHA256) is
calculated in the process of signing.
* Why is this form of "double hashing" necessary ?
* Is it just because two keys (m1 and the private sign key) is better
than just one (private sign key) ?
* Why is this data (g^x, g^y, the longterm public key and the keyid) not
just signed traditionally and the additional MAC can be omitted ?
cheers,
stefan
[1] http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html
More information about the OTR-dev
mailing list