[OTR-dev] Forward secrecy/deniability for long messages with low overhead

Paul Wouters paul at cypherpunks.ca
Tue Feb 26 16:32:10 EST 2013


On Tue, 26 Feb 2013, Sergio Lerner wrote:

>> Read the spec. There is a separate method for negotiating a symmetric
>> key using OTR. You then use that key for the bulk transport encryption.
>> I don't know off the top of my head if Alice and Bob have a way of
>> acknowledging the key for destruction, but I would expect so.
>>
> Yes but you don't get forward secrecy for the file during transmission
> of a 1 Gb file.

If you can't keep a session key secret for the duration of the transfer,
you are toast. Cycling an AES key because you don't trust it for more
than 5 minutes instead of one hour buys you a factor of 12, which is
basically nothing in the orders of magnitude crypto normally works at.

If they can break 1 AES key per hour, they can also break 12 keys
per hour, and you're much better off doubling the bit size of the 1
key.

PFS helps you using a long term key (years) that generates session keys
(hours, minutes). PFS has nothing to do with the breaking capability
of symmetric ciphers. You're fighting the wrong battle,

Paul


