[OTR-dev] OTR using PAKE and for group chat

Ian Goldberg ian at cypherpunks.ca
Wed Mar 17 08:59:17 EDT 2010


On Wed, Mar 17, 2010 at 01:24:08PM +0100, Louis Granboulan wrote:
> On 12 March 2010 14:17, Ian Goldberg <ian at cypherpunks.ca> wrote:
> 
> > If you don't have long-term public keys, won't you have to authenticate
> > *every time* you talk to someone?  OTR+SMP binds your shared knowledge
> > to your long-term fingerprint, so that you don't have to do it every
> > time.
> >
> 
> If the PAKE is used to generate a long-term shared secret key that will be
> memorized, then you don't need to re-authenticate to the same partner. With
> OTR+SMP, you need to memorize your secret key and one public-key per
> partner; with this option, you need to memorize one secret key per partner,
> which has the slight drawback of needing a larger trusted memory to store
> this information.

That's fair.  But in IM settings, people don't realistically run the
authentication step with each of their buddies.  In such situations, OTR
gives "ssh-style" protection: you're safe against passive attacks, and
you also have some protection against non-constant active attacks.  In
addition, you can *retroactively* become assured that your past
conversations were private by running SMP at any time.  (This gives you
confidence that there's no MITM both backward and forward in time.)

> > But secret society meetings aren't held in dark rooms, where you can't
> > even see who's speaking.  (And even if some crazy ones are, that's not
> > the model most people have in mind for "secure chat room"; imagine the
> > UI: it would have to show what people are saying, but not who's saying
> > it.  I can't imagine that's what people are looking for.)  *Within* the
> > private chat room, there's value in being able to have secure and
> > authenticated communications.
> 
> 
> There are two different things that the authentication can prove: the right
> to be a participant in the chat room, or the identity. They need different
> trust models.

Yes, that's true.  I've yet to see a plausible proposal for a UI for the
former, though, but I'd love to!

> I would clearly accept that in a private chat room I don't know personally
> everyone, and therefore not everyone is issuing authenticated communications
> (from my point of view). However, I want that everyone that participates in
> the chat room has the right to know what is told in there.

But I'd also suggest that even if you don't know who Bob and Charlie
personally are, you'd be upset if an adversary were able to trick you
into thinking Charlie said something that was actually said by Bob,
while keeping most of their messages correctly attributed.

> I don't put the emphasis on the authentication of the sender of messages,
> but on the authentication of the receiver.
> 
> Louis
> 
> PS: by the way, thank you for this interesting discussion.

It takes two.  ;-)

   - Ian
