[OTR-dev] [OTR-users] otr dh key encryption
Gregory Maxwell
gmaxwell at gmail.com
Tue Feb 19 00:46:00 EST 2013
On Mon, Feb 18, 2013 at 8:51 PM, Ileana <ileana at fairieunderground.info> wrote:
> We are writing an article: https://fairieunderground.info/node/149
> Any other comments or additional details are appreciated.
You're really understating OTR's authentication advantages. The SMP
handshake allows you to use past social context to do a highly secure
(brute force proof, it's a ZKP) authentication handshake without
having to previously establish a secure channel to transmit high
entropy data in... if you had a channel to securely establish a hidden
service ID you might as well have exchanged a long lived symmetric key
(And gained some hypothetical security against QC enabled
adversaries).
The availability point is really about the underlying transport with
OTR. Presumably you could use OTR over personally run jabber servers
over tor to get similar properties, though in both cases the tor
network itself is subject to denial of service (and, in general,
hidden services seem a bit more brittle than tor is over all).
> Encryption secrecy Perfect forward secrecy Perfect forward secrecy
> Proof of Communication Retrieving hidden service key is proof of running the service
This sort of misses OTR's main protocol innovation— it conducts its
operation without binding the content with a cryptographic signature.
So if you're talking to a traitor they can't log your signed packets
and then prove to a third party what you said and yet the person you
spoke to knows for sure it was you.
So there are two different kinds of denyability at play— being able to
deny a conversation happened (which perhaps use with tor provides
although traffic analysis is _very_ powerful) and being able to deny
_what_ you said in the face of a defecting counterparty. I don't
believe the torchat provides denyable authentication. I'm not sure if
torchat has denyable authentication or if something in the tor
transport breaks that.
Neither torchat nor OTR use 256 bit AES, they both use 128 bit AES.
More information about the OTR-dev
mailing list