[OTR-dev] OTR using PAKE and for group chat

Ian Goldberg ian at cypherpunks.ca
Tue Mar 2 12:18:12 EST 2010


On Tue, Mar 02, 2010 at 06:10:21PM +0100, Louis Granboulan wrote:
> I did not know that OTR could do authentication using a shared secret,
> because I see it in http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html

See http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html (the current
version).  It's the "Socialist Millionaires' Protocol" (SMP).

> Anyway, password-based authentication is different from shared-key
> authentication, because it uses a password of small entropy. The idea is
> that enumerating all possible passwords is not feasible on-line, and the
> protocol protects against off-line attacks.

OTR's shared secret authentication indeed protects against offline
attacks.  The SMP yields a joint computation of w^{x-y} (mod a big
prime), where x and y are the parties' secrets, and w is a random number
known to nobody.  If x = y, this equals 1, and if x \not= y, this is a
random number which leaks no information about x or y, even if you know
the other one.  It's meant to be used exactly in the low-entropy
scenario.

   - Ian

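The joint computation described above, written out as an added Python example (not OTR's own code): Alice and Bob each contribute two Diffie-Hellman exponents, so the base w = g^(a2*a3*b2*b3) of the final comparison is known to neither side. It assumes a constructed toy group (p = 1019, q = 509, g = 4) in place of OTR's 1536-bit MODP group, omits SMP's zero-knowledge proofs, and takes x and y as the already-hashed secrets.

```python
import secrets

# Constructed toy group for illustration: safe prime p = 2q + 1, with g
# generating the order-q subgroup.  OTR itself uses the 1536-bit MODP group.
P, Q, G = 1019, 509, 4

def rand_exp():
    """Random exponent in [1, q-1], so no factor can vanish mod q."""
    return 1 + secrets.randbelow(Q - 1)

def inv(v):
    """Modular inverse in the group."""
    return pow(v, -1, P)

def smp(x, y):
    """Core of the Socialist Millionaires' Protocol (no zero-knowledge proofs).

    x and y are Alice's and Bob's secrets (in OTR, hashes of the shared
    secret together with the session context).  Returns (matched, leak) where
    leak is the value w^(x-y) that both parties end up seeing.
    """
    # Alice and Bob each pick two fresh DH exponents.
    a2, a3 = rand_exp(), rand_exp()
    b2, b3 = rand_exp(), rand_exp()
    # Two DH agreements produce g2 = g^(a2*b2) and g3 = g^(a3*b3).  The
    # base w = g^(a2*a3*b2*b3) of the final comparison is known to nobody.
    g2 = pow(pow(G, a2, P), b2, P)
    g3 = pow(pow(G, a3, P), b3, P)
    # Each side blinds its secret with a fresh exponent r (Alice) / s (Bob).
    r, s = rand_exp(), rand_exp()
    Pa, Qa = pow(g3, r, P), pow(G, r, P) * pow(g2, x, P) % P
    Pb, Qb = pow(g3, s, P), pow(G, s, P) * pow(g2, y, P) % P
    # Qa/Qb = g^(r-s) * g2^(x-y).  Each side raises it to its own a3 / b3
    # and exchanges the result, so both reach (Qa/Qb)^(a3*b3).
    Qab = Qa * inv(Qb) % P
    Ra, Rb = pow(Qab, a3, P), pow(Qab, b3, P)
    Rab_alice, Rab_bob = pow(Rb, a3, P), pow(Ra, b3, P)
    assert Rab_alice == Rab_bob
    # Pa/Pb = g3^(r-s) cancels the blinding, leaving w^(x-y): 1 iff x == y
    # (mod q), otherwise a group element revealing nothing about x or y.
    Pab = Pa * inv(Pb) % P
    leak = Rab_alice * inv(Pab) % P
    return leak == 1, leak

if __name__ == "__main__":
    print(smp(1234, 1234))   # matching secrets: (True, 1)
    print(smp(1234, 4321))   # differing secrets: (False, element != 1)
```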