[OTR-dev] Forward secrecy/deniability for long messages with low overhead
Paul Wouters
paul at cypherpunks.ca
Mon Feb 25 23:33:21 EST 2013
On Thu, 21 Feb 2013, Sergio Lerner wrote:
> One of the most interesting thinks I've found in OTR is the ability to
> provide forward secrecy. Nevertheless, as I've read in the section 4.2
> of the paper http://www.cypherpunks.ca/otr/otr-wpes.pdf, some times keys
> are kept in memory for long times if the remote used does not reply.
>
> I can think of two scenarios where this is a drawback:
>
> 1. Alice sends many messages in a row, but Bob does not reply.
> 2. Alice want to send a big file to Bob while (say 10 Mbytes) using OTR
> with forward secrecy. Examples
> 2.a) Alice is sending audio/video chunks recorded with his
> microphone/camera over OTR.
> 2.b) Alice is downloading a file and at the same time she is sending
> it to Bob.
How would you be sending all of that if Bob does not reply? You want to
have millions of messages outstanding without an ack?
> In both three cases she wants that at any time, if her computer is
> compromised, then the data already sent is protected unconditionally.
> Also in these last two cases, going though D-H for every block
> transmitted may imply a very high overhead, and a reduction in
> throughput because of the RTT latency needed to exchange D-H messages.
Read the spec. there is a separate method for negotiating a symmetric
key using OTR. You then use that key for the bulk transport encryption.
I don't know from the top of my head if Alice and Bob have a way of
acknowledging the key for destruction, but I would expect so.
Paul
More information about the OTR-dev
mailing list