[OTR-dev] Forward secrecy/deniability for long messages with low overhead
Sergio Lerner
sergiolerner at certimix.com
Tue Feb 26 13:02:37 EST 2013
On 26/02/2013 01:33 a.m., Paul Wouters wrote:
> On Thu, 21 Feb 2013, Sergio Lerner wrote:
>
>> One of the most interesting thinks I've found in OTR is the ability to
>> provide forward secrecy. Nevertheless, as I've read in the section 4.2
>> of the paper http://www.cypherpunks.ca/otr/otr-wpes.pdf, some times keys
>> are kept in memory for long times if the remote used does not reply.
>>
>> I can think of two scenarios where this is a drawback:
>>
>> 1. Alice sends many messages in a row, but Bob does not reply.
>> 2. Alice want to send a big file to Bob while (say 10 Mbytes) using OTR
>> with forward secrecy. Examples
>> 2.a) Alice is sending audio/video chunks recorded with his
>> microphone/camera over OTR.
>> 2.b) Alice is downloading a file and at the same time she is sending
>> it to Bob.
>
> How would you be sending all of that if Bob does not reply? You want to
> have millions of messages outstanding without an ack?
>
You acknowledge each message as usual. The point is that a Hash
evaluation is much faster than a D-H exchange, and requires no round
trip time.
So even the most basic tablet or slowest laptop, microcontroller or
watch or microcontrolled-embedded tiny microphone or any other pervasive
computing device will be able to talk using OTR, since the D-H part is
executed only once. I don't mind waiting 10 seconds if then I won't have
to wait a single millisecond for the rest of the communication.
Think about the voice-over-OTR case. No jitter, no abrupt silences...
>> In both three cases she wants that at any time, if her computer is
>> compromised, then the data already sent is protected unconditionally.
>> Also in these last two cases, going though D-H for every block
>> transmitted may imply a very high overhead, and a reduction in
>> throughput because of the RTT latency needed to exchange D-H messages.
>
> Read the spec. there is a separate method for negotiating a symmetric
> key using OTR. You then use that key for the bulk transport encryption.
> I don't know from the top of my head if Alice and Bob have a way of
> acknowledging the key for destruction, but I would expect so.
>
Yes but you don't get forward secrecy for the file during transmission
of a 1 Gb file.
Sergio.
More information about the OTR-dev
mailing list