[OTR-dev] Last-minute change to libotr 4 API

Ian Goldberg ian at cypherpunks.ca
Sat Aug 25 22:50:49 EDT 2012 

I really wish there was another way to do this.  Suggestions are
extremely welcome.

While tracking down the problems I mentioned yesterday, I came across
this issue:

- Alice sends an OTR Query message to Bob

- Bob sends a COMMIT message to Alice

- Alice repies with a DHKEY message

* At this point, the 3.x code would forget about the commit message, but
  in 4.x, in order to allow for the case where Alice is logged in more
  than once, Bob needs to hold on to the commit message, and in
  particular, to the private key that generated it, so that he can set
  up an OTR session with each of Alice's logins.  [Recall that the
  major change in 4.0 over 3.x is that it addresses the "Alice is logged
  in more than once" problem.]

So even after Alice and Bob have established an OTR session and are
happily chatting, the current 4.x (master branch) code still has a copy
of the private key used to generate Bob's COMMIT message stashed away.
If Bob's computer's memory is compromised after that point, this private
key may be able to be used to decrypt the first messages of the
conversation.  This is undesirable.

A plausible thing to do is, after a "reasonable" amount of time, Bob
should erase the private key.  If one of Alice's login instances is
extremely laggy, and that instance sends its DHKEY message after that
time, it will be ignored as spurious.

The problem is, suppose Alice and Bob exchange just a few messages
quickly (before the "reasonable" timeout period), and then stop typing.
There's no reason that *any* libotr function will be called for an
arbitrarily long period of time, and so no code could run to erase that
no-longer-needed private key.

So here's the proposed change.  Again, alternate suggestions (the sooner
the better) are extremely welcome.

    There will be a new function
    
	polltime = otrl_polltime(userstate);
    
    you must call right after creating your userstate that will return a
    number of seconds.
    
    The calling application must then call (in the same thread as the
    rest of libotr, to be sure)
    
	otrl_poll(userstate, uiops, uiopdata);
	
    every polltime seconds (or thereabouts; exactness is not important).
    The otrl_poll function will do any periodic cleanups necessary for
    forward secrecy purposes (and, I suppose, any other operations that
    should be done periodically, but none is needed at the moment).

Comments, please?

Thanks,

   - Ian

More information about the OTR-dev mailing list