[OTR-dev] otr dh key encryption

Kjell Braden kb at pentabarf.de
Tue Feb 19 14:35:09 EST 2013

On 2013-02-19 19:58, Ileana wrote:
> On Tue, 19 Feb 2013 11:36:36 +0100
> Kjell Braden <kb at pentabarf.de> wrote:
>>    Also, you confuse two different concepts of authentication:
>>    Every OTR session uses cryptographic authentication. If you
>> previously marked a key as trusted (i.e. you know it belongs to the
>> reported owner), OTR will flag it as trusted again if you come back
>> later to the same DSA key.
> Another note on this:  doesn't this destroy your "plausible
> deniability"?  If there is some DSA key stored on my computer, that I
> keep showing to everyone I chat with, and is recoverable if my computer
> is seized...what is deniable about that?

  You might want to read the OTR protocol spec [1].

  1. The DSA key is only used for authenticating in the AKE 
(authenticated key exchange, which builds upon Diffie-Hellman). This 
way, either party can prove that they talked to each other. The AKE 
results in a symmetric key, shared by both parties. Note that they don't 
authenticate the messages themselves.

  2. Each actual data message is encrypted using the symmetric key 
mentioned above, and authenticated using a MAC (which uses a key which 
is derived from the symmetric session key as well).

  3. Frequently (off the top of my head, I think this is on each 
message) a new session key will be exchanged and the keys used for 
encryption and the keys used for MACs are renewed. The old keys used for 
the MACs will be revealed to everyone. This is the function that 
provides the deniability, because at this point in time, anyone can 
forge messages that would've been valid earlier.

  So much for cryptographic authentication. Now you only have to prove 
that the DSA keys your partner used to identify himself indeed are his. 
And this is where either fingerprint verification or SMP comes up. These 
are used to verify that you did not talk to a man-in-the-middle, or 
someone completely

  Now this is the sort of manual authentication you do for TOR as well: 
you exchange on a secure channel (preferably face-to-face) your hidden 
service address, or your OTR fingerprint (or your SMP secret).

On 2013-02-19 19:13, Ileana wrote:
> DH prime group:  2048-4096 bits
> Hash function:  at least SHA-256
> AES key length:  256 bits
> In OTR's favor, the amount of cipher text is small, reducing some
> cryptanalysis efforts.
> So not a crypto expert (but learning) but I can read www.keylength.com
> and see that OTR does not meet recommendations for forward security.

  While the hash length and DL group size may be valid suggestions (I'm 
no expert in cryptanalysis), I don't see where you got the AES key 
size = 256 bit from (your source lists symmetric keys with 128 bits until 

  You shouldn't forget to be scared about the asymmetric keys though: 
most DSA implementations currently don't support keys above 1024 bit. ;-)

[1] http://www.cypherpunks.ca/otr/Protocol-v3-4.0.0.html
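
Points 2 and 3 of the message above, as an added example that is not part of the original post or of any OTR implementation: once an old MAC key is revealed, a third party can no longer tell a genuine data message from one produced by somebody else. Assumptions: all function names are hypothetical, a SHA-256 counter keystream stands in for AES-CTR, and the MAC covers only the ciphertext rather than the full OTR message framing.

```python
import hashlib
import hmac
import os

def derive_mac_key(enc_key):
    # The OTR v3 spec derives the MAC key as the SHA-1 hash of the AES key.
    return hashlib.sha1(enc_key).digest()

def keystream(enc_key, length):
    # Stand-in for AES-CTR (assumption, stdlib only). Any XOR stream
    # cipher is malleable in the same way.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def send(enc_key, plaintext):
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(derive_mac_key(enc_key), ct, hashlib.sha1).digest()
    return ct, tag

def verify(mac_key, ct, tag):
    expected = hmac.new(mac_key, ct, hashlib.sha1).digest()
    return hmac.compare_digest(expected, tag)

def forge(revealed_mac_key, ct, known_plaintext, new_plaintext):
    # Needs only the revealed MAC key and a guess at the plaintext,
    # never the encryption key or anyone's DSA key.
    if len(known_plaintext) != len(new_plaintext):
        raise ValueError("replacement must have the same length")
    new_ct = xor(ct, xor(known_plaintext, new_plaintext))
    return new_ct, hmac.new(revealed_mac_key, new_ct, hashlib.sha1).digest()

def demo():
    enc_key = os.urandom(16)                      # constructed session key
    ct, tag = send(enc_key, b"meet at noon")      # constructed sample message
    revealed = derive_mac_key(enc_key)            # published after rotation
    f_ct, f_tag = forge(revealed, ct, b"meet at noon", b"meet at nine")
    decrypted = xor(f_ct, keystream(enc_key, len(f_ct)))
    return verify(revealed, ct, tag), verify(revealed, f_ct, f_tag), decrypted

if __name__ == "__main__":
    print(demo())
```

Both the genuine and the forged message verify under the revealed key, so a logged transcript with valid MACs does not show who wrote it.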

