[OTR-dev] In what way is the forgeability feature useful?

Jon Kristensen info at jonkri.com
Tue Feb 26 18:15:39 EST 2013


Hello OTR hackers!

I'm a little confused about the forgeability feature.

My understanding of forgeability in OTR is this: Since OTR uses a
malleable encryption scheme (AES-CTR), an attacker can use the MAC
keys exposed by Alice and Bob to modify a known transcript between
Alice and Bob and still have it appear valid, assuming the same length
of the messages.

What I would like to know is when this is actually useful. If Eve has
somehow gained access to a transcript, would she then not also have
gained access to the MAC keys as well?

The only ways I see that Eve could have gained access to the
transcripts would be if a) she had broken the security of Alice's or
Bob's system, b) she would have been informed by Alice or Bob, or
c) she would have been able to perform a man-in-the-middle attack. In
any of these cases, she would have acquired access to the MAC keys
along with the transcript.

Thank you for any clarification that you can give me about this!

Warm regards,
Jon Kristensen
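
The mechanism described in the message above, as an added example that is not part of the original post or of any OTR implementation: a holder of a known plaintext and a revealed MAC key rewrites a message without the encryption key, which is why a MAC-valid transcript proves nothing about authorship. Assumptions: a SHA-256 counter keystream stands in for AES-CTR so the code needs only the standard library, the MAC is HMAC-SHA1 over the ciphertext alone (a simplification of a real OTR data message), and all function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: any XOR stream cipher is malleable in the same way."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Sender: encrypt, then MAC the ciphertext."""
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ct, hmac.new(mac_key, ct, hashlib.sha1).digest()


def verify_and_open(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Receiver: reject on MAC mismatch, otherwise decrypt."""
    expected = hmac.new(mac_key, ct, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad MAC")
    return xor(ct, keystream(enc_key, len(ct)))


def rewrite(ct: bytes, known_pt: bytes, new_pt: bytes, revealed_mac_key: bytes):
    """Anyone with the transcript and the revealed MAC key; enc_key is never used."""
    if not (len(ct) == len(known_pt) == len(new_pt)):
        raise ValueError("replacement must have the same length")
    forged_ct = xor(ct, xor(known_pt, new_pt))  # flips plaintext bits through the XOR
    return forged_ct, hmac.new(revealed_mac_key, forged_ct, hashlib.sha1).digest()


def demo() -> bytes:
    # Constructed keys and messages; both messages are 12 bytes long.
    enc_key, mac_key = os.urandom(16), os.urandom(20)
    original, replacement = b"meet at noon", b"meet at nine"
    ct, tag = seal(enc_key, mac_key, original)
    forged_ct, forged_tag = rewrite(ct, original, replacement, mac_key)
    return verify_and_open(enc_key, mac_key, forged_ct, forged_tag)
```
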