[OTR-dev] Last-minute change to libotr 4 API

Ian Goldberg ian at cypherpunks.ca
Sun Aug 26 13:11:05 EDT 2012


On Sun, Aug 26, 2012 at 09:40:35AM -0700, Howard Chu wrote:
> > Actually, nowadays, he could just sit
> > on another core, watching an actual legitimate decryption happen, and
> > just yoink the key out of the other thread's memory at the right time.
> 
> Unfortunately this is always true, even for the timed erase that you proposed.
> When a machine is compromised, every scheme you devise boils down to security
> by obscurity, because all of the required inputs are present *somewhere*. The
> best you can hope for is to make it inconvenient for an attacker.

No, sorry if I was unclear.

The point of this proposal is that, after some reasonable amount of time
(one minute, say), the private key in the COMMIT message is *no longer
needed*, and can be completely wiped from memory.  If the machine is
compromised after that point, past messages are indeed safe, no matter
how clever the attacker.

If an attacker compromises a user's machine at time T, the goal is to
minimize the size of the time interval D such that messages
sent/received before time T-D are secure from the attacker, while
messages sent/received after time T-D may still be available to the
attacker.  The way the current master branch has it, there are a handful
of messages (the first ones of each OTR session) for which D might be
needlessly large.

   - Ian



More information about the OTR-dev mailing list