[OTR-dev] otr dh key encryption
Kjell Braden
kb at pentabarf.de
Tue Feb 19 14:35:09 EST 2013
On 2013-02-19 19:58, Ileana wrote:
> On Tue, 19 Feb 2013 11:36:36 +0100
> Kjell Braden <kb at pentabarf.de> wrote:
>
>>
>> Also, you confuse two different concepts of authentication:
>> Every OTR session uses cryptographic authentication. If you
>> previously marked a key as trusted (i.e. you know it belongs to the
>> reported owner), OTR will flag it as trusted again if you come back
>> later to the same DSA key.
>
> Another note on this: doesn't this destroy your "plausible
> deniability"? If there is some DSA key stored on my computer, that I
> keep showing to everyone I chat with, and is recoverable if my computer
> is seized...what is deniable about that?

You might want to read the OTR protocol spec [1].

1. The DSA key is only used for authenticating in the AKE
(authenticated key exchange, which builds upon Diffie-Hellman). This
way, either party can prove that they talked to each other. The AKE
results in a symmetric key, shared by both parties. Note that they don't
authenticate the messages themselves.

2. Each actual data message is encrypted using the symmetric key
mentioned above, and authenticated using a MAC (which uses a key which
is derived from the symmetric session key as well).

3. Frequently (off the top of my head, I think this is on each
message) a new session key will be exchanged and the keys used for
encryption and the keys used for MACs are renewed. The old keys used for
the MACs will be revealed to everyone. This is the function that
provides the deniability, because at this point in time, anyone can
forge messages that would've been valid earlier.

So much for cryptographic authentication. Now you only have to prove
that the DSA key your partner used to identify himself indeed is his.
And this is where either fingerprint verification or SMP comes up. These
are used to verify that you did not talk to a man-in-the-middle, or
someone completely

Now this is the sort of manual authentication you do for TOR as well:
you exchange on a secure channel (preferably face-to-face) your hidden
service address, or your OTR fingerprint (or your SMP secret).

On 2013-02-19 19:13, Ileana wrote:
> DH prime group: 2048-4096 bits
> Hash function: at least SHA-256
> AES key length: 256 bits
>
> In OTR's favor, the amount of cipher text is small, reducing some
> cryptanalysis efforts.
>
> So not a crypto expert (but learning) but I can read www.keylength.com
> and see that OTR does not meet recommendations for forward security.

While the hash length and DL group size may be valid suggestions (I'm
no expert in cryptanalysis), I don't see where you got the AES key
size=256bit from (your source lists symmetric keys with 128 bits until
2040).

You shouldn't forget to be scared about the asymmetric keys though:
most DSA implementations currently don't support keys above 1024 bits. ;-)

[1] http://www.cypherpunks.ca/otr/Protocol-v3-4.0.0.html
--
Kjell
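
The MAC-key reveal described in points 2 and 3 above, as an added example that is not part of the original message and is not OTR's own code. It is a simplified model: the key derivation, HMAC-SHA256 and all names are assumptions, and the AKE, the DSA signature and the message encryption are left out.

```python
import hashlib
import hmac
import os


def derive_mac_key(session_key: bytes) -> bytes:
    # Assumption: a labelled hash stands in for the protocol's real key derivation.
    return hashlib.sha256(b"mac" + session_key).digest()


def tag(mac_key: bytes, message: bytes) -> bytes:
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, message), mac)


class Party:
    """One end of a conversation; both ends hold the same session key."""

    def __init__(self, session_key: bytes):
        self.mac_key = derive_mac_key(session_key)

    def send(self, message: bytes):
        # Messages carry a MAC only; the long-term DSA key never signs them.
        return message, tag(self.mac_key, message)

    def rekey(self, new_session_key: bytes) -> bytes:
        """Switch to the new session key and return the old MAC key for publication."""
        old, self.mac_key = self.mac_key, derive_mac_key(new_session_key)
        return old


def demo():
    k1, k2 = os.urandom(32), os.urandom(32)  # constructed keys; the AKE is not modelled
    alice, bob = Party(k1), Party(k1)
    msg, mac = alice.send(b"meet at noon")
    live_ok = verify(bob.mac_key, msg, mac)   # accepted while the MAC key is secret
    revealed = alice.rekey(k2)                # old MAC key is now public
    bob.rekey(k2)
    # Anyone holding the revealed key can tag arbitrary text for the old period,
    forged = (b"I never said this", tag(revealed, b"I never said this"))
    forged_ok_old = verify(revealed, *forged)
    # but the same forgery fails against the current, still-secret MAC key.
    forged_ok_now = verify(bob.mac_key, *forged)
    return live_ok, forged_ok_old, forged_ok_now
```

A transcript with a valid MAC under a revealed key therefore proves nothing about who wrote it, while messages in the live session are still authenticated.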