[OTR-dev] [OTR-users] otr dh key encryption
Ileana
ileana at fairieunderground.info
Tue Feb 19 22:40:35 EST 2013
On Tue, 19 Feb 2013 15:06:52 -0800
Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Tue, Feb 19, 2013 at 2:42 PM, Ileana
> <ileana at fairieunderground.info> wrote:
> > #define CIPHER_IV_LEN 16
>
> To be fair— AES 256 has certificational weaknesses with a lower work
> factor then the best attacks on 128 bit AES. They don't appear to
> matter in practice, but I'm not aware of a threat model where 256 bit
> AES would make a material improvement, except perhaps the
> attacker-has-arbitrarily-good-quantum-computers model... and under
> that model all the key derivation (curve25519 and DHKE) fails
> completely in any case.
OK...as I was saying...
I guess I don't have issue with the AES128 vs
AES256.
However realize that otr should theoretically be stronger then
tor...simply because tor is about thousands of anonymous connections,
whereas OTR is a small amount of traffic that someone could capture
easily and is know to likely be mostly plain text (therefore easier for
cyrptanalysis) and possibly exactly whos text it was. In this case, it
is clear they would attack your dh params for primes, as the discreet
logarithm problem for 1536 bit length is orders of magnitude simpler
then attacking AES-128.
OTR should be considered needing the same cryptographic strength as PGP
email.
Beyond that, the SHA-1 function is no longer recommended for
cryptographic entropy/key gen/records etc...and it appears to still
being used in OTR beyond just fingerprinting.
Forget about quantum computers...the issues is an attacker in this case
knows there is sensitive text, it is easy to capture, and can
conceivably hold unto it for 15 years to run on the next get whatever
machine with perhaps some reduced attack vector due to advancements in
the discreet log problem, problems discovered with the common
prng's...whatever. 15 years is a long time so those extra bits may
end up becoming relevant for as yet unforeseen reasons.
Ileana
More information about the OTR-dev
mailing list