[OTR-dev] [OTR-users] otr dh key encryption

Alex alex323 at gmail.com
Tue Feb 19 02:58:50 EST 2013 

On Mon, 18 Feb 2013 21:46:00 -0800
Gregory Maxwell <gmaxwell at gmail.com> wrote:

> On Mon, Feb 18, 2013 at 8:51 PM, Ileana
> <ileana at fairieunderground.info> wrote:
> > We are writing an article:  https://fairieunderground.info/node/149
> > Any other comments or additional details are appreciated.
> 
> You're really understating OTR's authentication advantages.  The SMP
> handshake allows you to use past social context to do a highly secure
> (brute force proof, it's a ZKP) authentication handshake without
> having to previously establish a secure channel to transmit high
> entropy data in... if you had a channel to securely establish a hidden
> service ID you might as well have exchanged a long lived symmetric key
> (And gained some hypothetical security against QC enabled
> adversaries).
> 
> The availability point is really about the underlying transport with
> OTR. Presumably you could use OTR over personally run jabber servers
> over tor to get similar properties, though in both cases the tor
> network itself is subject to denial of service (and, in general,
> hidden services seem a bit more brittle than tor is over all).
> 
> > Encryption secrecy 	Perfect forward secrecy 	Perfect
> > forward secrecy Proof of Communication 	Retrieving hidden
> > service key is proof of running the service
> 
> This sort of misses OTR's main protocol innovation— it conducts its
> operation without binding the content with a cryptographic signature.
> So if you're talking to a traitor they can't log your signed packets
> and then prove to a third party what you said and yet the person you
> spoke to knows for sure it was you.
> 
> So there are two different kinds of denyability at play— being able to
> deny a conversation happened (which perhaps use with tor provides
> although traffic analysis is _very_ powerful) and being able to deny
> _what_ you said in the face of a defecting counterparty.  I don't
> believe the torchat provides denyable authentication.  I'm not sure if
> torchat has denyable authentication or if something in the tor
> transport breaks that.
> 

I never understood how the denyability aspect of OTR actually works. If
you have a conversation with a "friend" who recently became an
informant, how would OTR provide more denyability than an unencrypted,
unsigned conversation?

Sadly, I don't think the US government really cares if you have
denyability, they'll do whatever they damn well please. :(

-- 
Alex

More information about the OTR-dev mailing list