[OTR-dev] Questions regarding implementation of the OTR protocol

Marian Kechlibar marian.kechlibar at circletech.net
Tue Aug 6 05:49:16 EDT 2013


Hello,

I am a member of a team which attempts to develop an independent
implementation of the OTR protocol in C++. We have currently finished
implementing the AKE. We have, nevertheless, some significant problems
understanding the Key Management that comes after it. Could you help us
clarify things?

Here are the questions, so far, 6 of them:

=======================================================================================|
1. There are "keyids" in AKE and "keyids" in Key Management. What is
their relation? There is a seeming contradiction in descriptions.

Namely, in construction of Reveal Signature message it says:

"Select keyidA, a serial number for the D-H key computed earlier. It is
an INT, and must be greater than 0."
This would indicate that any random nonzero number would do.

and in Key Management it says:

"generate two DH key pairs for yourself, and set our_keyid = 2."
and
"Send the public part of our_dh[our_keyid-1], with the keyid field, of
course, set to (our_keyid-1)."
This indicates that keyidA must be 1.

Which one holds? Should keyidA be equal to 1 in Reveal Signature, or can
it be any nonzero random number?
=======================================================================================|
2. The Key Management says:
"generate two DH key pairs for yourself"

Why so? Why two?
=======================================================================================|
3. The Key Management says:
"When starting a private conversation with a correspondent"

For the very first conversation between two correspondents, this is
easy. However, when is a previous conversation considered to have finished?

It is clear that after sending a request to "User requests to end an OTR
conversation", the conversation should be considered finished at least
at the
side of the party which sent the request. What if the other party does
not receive it? What if there is transport-level failure? What if the
other party stays
online, but does not write anything for a day?

In principle: when can we consider a private conversation to be
finished, without breaking compatibility with libotr? Does libotr rely
on protocols like
XMPP to consider a conversation finished?
=======================================================================================|
4. The Key Management says:
"For each correspondent, keep track of: (some keys)"

"Keeping track" means that the keys should be stored? How and for how
long? Persistently on disk, or transiently in memory? Until restart of
the underlying messaging application? Or just for the duration of the
private conversation? The private keys are vulnerable if stored on disk.

=======================================================================================|
5. The Key Management says:

"Upon completing the AKE: If the specified keyid equals..."
Specified where? By the other party of the AKE, in their Reveal
Signature / Signature messages? Or in another way?

=======================================================================================|
6. Key rotation (in Key Management)

Key Rotation is only performed upon receiving of a data message?
When the keys are being rotated, the expression "If Alice's public key 
is numerically greater" means the current DH key, right? (And not the
DSA key used for previous AKE).
=======================================================================================|

Thank you in advance for all comments.

Regards

Marian





More information about the OTR-dev mailing list