[OTR-dev] crypto strength of otr wanting???

Ileana ileana at fairieunderground.info
Tue Feb 19 14:59:58 EST 2013 

Re-posting this is it got lost at the bottom of my last post and should
be a new topic:
----------------
So this brings me to my concern/complaint:  Something like tor is
making thousands of connections and transmitting Terabytes of data all
through these dh 1024 bit group -->AES-256 bit.  That is a lot of data.

From my review of the cryptographic recommendations for forward  
secrecy, the 1024 bit group is too small, and the SHA-1 hash, still
used by tor, is also not recommended.  However, the threat field is
different:  An attacker potentially has to decrypt gigabytes of data
with many different connections (they might not know exactly which
connection contains the info they want).  So maybe for that purpose,
the lower encryption might be sufficient.

But OTR is for critical communication:  chats...communication which
ought to be the most secure you can have...in particular to brute-force
attacks, as it is more likely that an IRC operator for instance may
know exactly which OTR session he/she is interested in cracking.

Hence, OTR should really look to having the strongest encryption
available and reasonable.  On my machine, OTR currently takes about a
minute or so to generate the dsa key...on another machine it seems like
two seconds(not sure if this is blocking on the prng?)

Is it reasonable that I don't want anyone to be able to decrypt my otr
connection for 30 years?

Anyway, I would be willing to wait 5 minutes to meet the recommended
strengths for key lengths:  In this case:

DH prime group:  2048-4096 bits
Hash function:  at least SHA-256  (It seems OTR is using this..)
AES key length:  256 bits
dsa signing key length: at least 2048

In OTR's favor, the amount of cipher text is small, reducing some
crypt-analysis efforts.

So not a crypto expert (but learning)  but I can read www.keylength.com
(some of it anyway!) and see that OTR does not meet recommendations for
forward security.

Someone mentioned using ec key exchange.  I am not qualified to
determine which would be better ec key exchange or dh...but from what I
am reading they are both deemed secure you just need the right key
lengths....

I would think people would want OTR to meet forward security
recommendations.  

Thanks,

Ileana
_______________________________________

More information about the OTR-dev mailing list