[OTR-dev] Thinking about mpOTR and secure multiparty chat protocols in general

Ileana ileana at fairieunderground.info
Fri Feb 22 13:29:03 EST 2013


On Fri, 22 Feb 2013 11:00:59 +0000
Michael Rogers <michael at briarproject.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 21/02/13 18:30, George Kadianakis wrote:
> > * Is the shutdown phase of OTR the only place where transcript 
> > soundness is guaranteed? By 'transcript soundness', I mean the 
> > guarantee that all participants see the exact same transcript.
> > What happens, if an 3vil server drops packets in the middle of the 
> > conversation? Do participants learn this only in the end of the 
> > conversation?
> 
> A related threat: can a chat participant send different messages to
> different participants, without this being detected until the
> transcripts are compared? For example:
> 
> Alice -> Everyone: Let's make plans for Friday
> Bob -> Alice: Who wants to get ice cream?
> Bob -> Carol: Who wants to shoot the president?
> Alice -> Everyone: Ooh, me me me!

This particular threat can be mitigated by sending encrypted signed
hashes of received messages back to every party.  Is there already a
temporary signing key that is used, or is the mac key sufficient?

A party receiving different hashes at each point would prompt a message
to the user that party x is sending false messages.

Assumes messages are sequence numbered.
Users A, B, C, D

A -> msg to B, C
A -> diff message to D
B,C, D -> send signed hash to A, B, C, D
A, B, C, D compare results with received/sent text
A -> detects different hash for D, resends message to D
B, C -> detect different message, sends "resend message" to A, D.
A -> resends message to B, C
D -> resends hash to B, C
(if hash matches new message)
B, C -> sends hash to A, B, C, D
(if hash is different)
B, C -> sends authentication error to all parties, system warns user
of A

Kind of complicated, and a lot of network traffic.
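
Added example, not part of the original message or of any OTR code: a minimal Python simulation of the hash-comparison round sketched above, where each recipient acknowledges a sequence-numbered message with an authenticated hash and every party groups the acks to spot diverging views. The party keys, field names and function names are assumptions, and HMAC under a per-party key stands in for a real signature scheme.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed per-party keys. HMAC is only a stand-in for a signature here
# (assumption); a real protocol needs tags that other members cannot forge.
KEYS = {p: hashlib.sha256(p.encode()).digest() for p in "ABCD"}

def digest(sender, seq, text):
    """Hash bound to sender and sequence number, so acks for different
    messages can never be confused with each other."""
    return hashlib.sha256(f"{sender}|{seq}|".encode() + text.encode()).hexdigest()

def make_ack(party, sender, seq, text):
    """What `party` broadcasts after receiving `text` from `sender`."""
    d = digest(sender, seq, text)
    tag = hmac.new(KEYS[party], d.encode(), hashlib.sha256).hexdigest()
    return {"from": party, "digest": d, "tag": tag}

def check_acks(acks):
    """Authenticate every ack, then group parties by the digest they report.
    More than one group means the recipients hold different messages."""
    views = defaultdict(set)
    for a in acks:
        expected = hmac.new(KEYS[a["from"]], a["digest"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["tag"]):
            raise ValueError(f"bad tag on ack from {a['from']}")
        views[a["digest"]].add(a["from"])
    groups = sorted(sorted(v) for v in views.values())
    return {"consistent": len(groups) == 1, "views": groups}

def run_round(sender, seq, delivered):
    """`delivered` maps each recipient to the text it received from `sender`."""
    return check_acks([make_ack(p, sender, seq, t) for p, t in delivered.items()])

if __name__ == "__main__":
    # Constructed sample: A sends one text to B and C, a different one to D.
    print(run_round("A", 7, {"B": "meet Friday", "C": "meet Friday",
                             "D": "meet Sunday"}))
```

A split in `views` shows only that the recipients' copies differ; attributing the split to the sender additionally requires the sender's own signature on each delivered message.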