[OTR-dev] Forward secrecy/deniability for long messages with low overhead

[Paul Wouters]

On Tue, 26 Feb 2013, Sergio Lerner wrote:

>> Read the spec. there is a separate method for negotiating a symmetric
>> key using OTR. You then use that key for the bulk transport encryption.
>> I don't know from the top of my head if Alice and Bob have a way of
>> acknowledging the key for destruction, but I would expect so.
>>
> Yes but you don't get forward secrecy for the file during transmission
> of a 1 Gb file.

If you can't keep a session key secret for the duration of the transfer,
you are toast. cycling a AES key because you don't trust it for more
then 5 minutes instead of one hour buys you a factor 12, which is
basically nothing in order of magnitudes crypto normally works at.

If they can break 1 AES key per hour, they can also break 12 keys
per hour, and you're much better of doubling the bit size of the 1
key.

PFS helps you using a long term key (years) that generates session keys
(hours, minutes). PFS has nothing to do with the breaking capability
of symmetric ciphers. You're fighting the wrong battle,

Paul