[OTR-dev] Forward secrecy/deniability for long messages with low overhead

Paul Wouters paul at cypherpunks.ca
Tue Feb 26 20:43:00 EST 2013


On Tue, 26 Feb 2013, Sergio Lerner wrote:

>> If you can't keep a session key secret for the duration of the transfer,
>> you are toast. Cycling an AES key because you don't trust it for more
>> than 5 minutes instead of one hour buys you a factor 12, which is
>> basically nothing in order of magnitudes crypto normally works at.
>>
> Perhaps it doesn't make sense in OTR for messages.
> But if you're streaming audio with ZRTP
> (http://zfone.com/docs/ietf/rfc6189bis.html), then the mode makes
> perfect sense.

No. If they can brute force your first ZRTP packet, then they can also
brute force the next 10000 packets. Rotating keys that fast isn't
buying you anything. Don't start out with such weak keys.

> ALSO, the attacker can try to break in your computer BECAUSE you've just
> made a call to someone that is under surveillance, so you should be
> prepared to be hacked just after you send your first message (and not
> before).

If they break in your computer you're lost from now until you find out,
so that's the reverse of perfect forward secrecy. At that point your
key generation can be as secure as we can make it yet they will just
get a copy of any key, no matter how fast or slow you rotate them over.

Paul


