[OTR-dev] OTR using PAKE and for group chat
Ian Goldberg
ian at cypherpunks.ca
Fri Mar 12 08:17:44 EST 2010
On Wed, Mar 10, 2010 at 04:02:09PM +0100, Louis Granboulan wrote:
> Ian Goldberg answers:
>
> > OTR already has a mechanism for authenticating with a shared secret.
> > See http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html (the current
> > version). It's the "Socialist Millionaires' Protocol" (SMP).
>
> OK. I did not look at the latest version of OTR.
>
> > Can you describe the advantages of your proposal over that?
>
> I am not sure that there is a true advantage in practice, but for example
> EKE is less computationally intensive than OTR+SMP. Not using long-term
> public keys has some advantages in terms of efficiency.
If you don't have long-term public keys, won't you have to authenticate
*every time* you talk to someone? OTR+SMP binds your shared knowledge
to your long-term fingerprint, so that you don't have to do it every
time.
> > As for group chat, it's work in progress. We had a paper a few months
> > ago in ACM CCS describing a protocol for it, but quite a bit more work
> > still needs to be done.
>
> I guess that you refer to http://www.cs.uwaterloo.ca/~iang/pubs/mpotr.pdf
That's right.
> I would not be as strict on the authentication as you appear to be.
> For group chat, I would not require one-to-one authentication, but simply
> that every participant has proved that he knows the shared password. It
> would be the digital world version of a meeting of a secret society, where
> one has to prove membership, but not identity.
But secret society meetings aren't held in dark rooms, where you can't
even see who's speaking. (And even if some crazy ones are, that's not
the model most people have in mind for "secure chat room"; imagine the
UI: it would have to show what people are saying, but not who's saying
it. I can't imagine that's what people are looking for.) *Within* the
private chat room, there's value in being able to have secure and
authenticated communications. The challenge is in ensuring that
participants end up with proof about who said what, but that proof is
not transferable (even by a corrupted participant) to outside parties.
Two-party OTR does this with a simple MAC, but for more than two people,
it's quite a bit more complicated.
- Ian
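An added illustration, not part of this thread, of the two-party property Ian describes: a MAC under a key both peers hold convinces the live peer, yet the same peer can produce an identical tag, so the tag proves nothing to an outside party. The KDF label, the sender framing and the sample values are constructed for the example, not taken from the OTR specification.

```python
import hashlib
import hmac


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Derive a symmetric MAC key from a secret both peers already hold.

    In OTR the secret comes from the Diffie-Hellman exchange; the label and
    construction here are a constructed placeholder KDF for illustration.
    """
    return hashlib.sha256(b"example-mac-key|" + shared_secret).digest()


def tag_message(mac_key: bytes, claimed_sender: str, msg: bytes) -> bytes:
    """HMAC-SHA256 over the claimed sender and the message body."""
    data = claimed_sender.encode() + b"\x00" + msg
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, claimed_sender: str, msg: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag matches the (sender, message) pair."""
    return hmac.compare_digest(tag_message(mac_key, claimed_sender, msg), tag)


def forge_as(mac_key: bytes, victim: str, msg: bytes) -> bytes:
    """Anyone holding mac_key (the other peer, or someone the peer leaked it
    to) can make a tag indistinguishable from one the victim would produce.
    With only two key holders, the live peer still knows it was not himself;
    an outsider cannot tell the two apart, so the tag is non-transferable."""
    return tag_message(mac_key, victim, msg)


def demo() -> tuple:
    """Returns (peer_accepts, forgery_verifies, tags_identical, tamper_detected)."""
    k = derive_mac_key(b"constructed DH output for the example")
    alice_tag = tag_message(k, "alice", b"hello bob")
    # Bob, the live peer, is convinced: only a holder of k could make this.
    peer_accepts = verify_tag(k, "alice", b"hello bob", alice_tag)
    # Bob later tries to "prove" Alice said something; his own tag verifies
    # just as well, so a third party learns nothing about who wrote it.
    forgery = forge_as(k, "alice", b"I never said this")
    forgery_verifies = verify_tag(k, "alice", b"I never said this", forgery)
    tags_identical = alice_tag == forge_as(k, "alice", b"hello bob")
    # Modifying the message still fails the in-conversation check.
    tamper_detected = not verify_tag(k, "alice", b"hello bob!", alice_tag)
    return peer_accepts, forgery_verifies, tags_identical, tamper_detected
```

Running `demo()` yields `(True, True, True, True)`; with three or more holders of one key the verifying member could no longer even tell which of the others sent a message, which is the extra complication Ian points to for group chat.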