[OTR-dev] In what way is the forgeability feature useful?
Jon Kristensen
info at jonkri.com
Sat Apr 20 19:36:54 EDT 2013
On 03/06/2013 03:56 PM, otr-users at lists.cypherpunks.ca wrote:
> [...] But since OTR leaks the MACs, their evidence is something
> anyone observing the encrypted stream could have engineered (after the
> fact) [...] We want everyone to be able to encrypt a message (in the
> past) so that handing over _any_ encrypted message gives you evidence
> whether you, your conversation partner or John Doe wrote it. That's
> the plausible deniability aspect of it.
Hi again!
Sorry for the late reply.
I see what forgeability is doing on a technical level. But, and I may
lack imagination or something, I still don't see the real benefits of
the property.
For some reason, you want the ciphertext transcript to be as forgeable
as plaintext transcripts. I don't know if this has something to do with
Alice's ability to dispute having ever authored a certain message; if it
does, I don't see how. You seem to want anyone, given a ciphertext
transcript, to be able to come forward with a set of decryption keys (an
arbitrary plaintext transcript) and a set of MAC keys. Why? How does
this help Alice? What's the difference whether no one, one person, or the
whole world can produce this? It doesn't prove anything, anyway. Some real
world examples of when this is useful would be greatly appreciated.
If the network log (or the ciphertext transcript) in question is not
trusted, it may have been tampered with, and can thus be claimed to have
been forged whether the expired MAC keys are published or not. So let's
assume that the network log is trusted. For the sake of clarity and
argument, we can pretend that the network log is provided by an ISP to a
court.
The only way for Eve to present any kind of "meaningful" case would be
to include the shared secrets (in which case Eve can derive all
decryption and MAC keys from this). If Eve has this information, she has
all the proof that she needs, and exposing MAC keys won't help Alice. And
if Eve doesn't have the shared secrets, but has the MAC keys, she
necessarily possesses the means of forging the messages anyway, so her
data doesn't prove anything. I see that, without forgeability, any such
case that Eve could make would come from either breaking Bob's system,
or through Bob's (willing or unwilling) cooperation. Why is this undesired?
Thanks!
Jon
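
The property debated in this thread, as an added example that is not part of the original message or of the OTR code base: once a MAC key has been revealed, an observer who knows or guesses a message's plaintext can rewrite the ciphertext and attach a tag that verifies, without the encryption key. This is a simplified model, not OTR's wire format; the HMAC-based keystream is an assumed stand-in for AES in counter mode, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream(enc_key: bytes, counter: bytes, n: int) -> bytes:
    # Assumed stand-in for AES-CTR: any XOR stream cipher is malleable the same way.
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, counter + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tag_for(mac_key: bytes, counter: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, counter + ct, hashlib.sha256).digest()

def send(enc_key, mac_key, counter, plaintext):
    ct = xor(plaintext, keystream(enc_key, counter, len(plaintext)))
    return counter, ct, tag_for(mac_key, counter, ct)

def verify(mac_key, counter, ct, tag) -> bool:
    return hmac.compare_digest(tag, tag_for(mac_key, counter, ct))

def decrypt(enc_key, counter, ct) -> bytes:
    return xor(ct, keystream(enc_key, counter, len(ct)))

def forge(mac_key, counter, ct, guessed_plaintext, new_plaintext):
    # Needs only the published MAC key and a plaintext guess, never enc_key.
    if not (len(ct) == len(guessed_plaintext) == len(new_plaintext)):
        raise ValueError("lengths must match the ciphertext")
    new_ct = xor(ct, xor(guessed_plaintext, new_plaintext))
    return counter, new_ct, tag_for(mac_key, counter, new_ct)

def demo():
    # Constructed sample keys and message.
    enc_key, mac_key, counter = os.urandom(16), os.urandom(20), os.urandom(8)
    ctr, ct, tag = send(enc_key, mac_key, counter, b"meet at noon")
    assert verify(mac_key, ctr, ct, tag)
    # Later: mac_key is published, and a third party rewrites the logged message.
    f_ctr, f_ct, f_tag = forge(mac_key, ctr, ct, b"meet at noon", b"meet at nine")
    return verify(mac_key, f_ctr, f_ct, f_tag), decrypt(enc_key, f_ctr, f_ct)

if __name__ == "__main__":
    print(demo())
```

A valid tag on a logged ciphertext therefore shows only that its maker held the MAC key, which after publication includes anyone who saw it.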