[OTR-dev] In what way is the forgeability feature useful?

Ian Goldberg ian at cypherpunks.ca
Wed Feb 27 11:03:21 EST 2013


On Wed, Feb 27, 2013 at 12:15:39AM +0100, Jon Kristensen wrote:
> Hello OTR hackers!
> 
> I'm a little confused about the forgeability feature.
> 
> My understanding of forgeability in OTR is this: Since OTR uses a
> malleable encryption scheme (AES-CTR), an attacker can use the MAC
> keys exposed by Alice and Bob to modify a known transcript between
> Alice and Bob and still have it appear valid, assuming the same length
> of the messages.
> 
> What I would like to know is when this is actually useful. If Eve has
> somehow gained access to a transcript, would she then not also have
> gained access to the MAC keys as well?
> 
> The only ways I see that Eve could have gained access to the
> transcripts would be if a) she had broken the security of Alice's or
> Bob's system, b) she would have been informed by Alice or Bob, or
> c) she would have been able to perform a man-in-the-middle attack. In
> any of these cases, she would have acquired access to the MAC keys
> along with the transcript.
> 
> Thank you for any clarification that you can give me about this!

Jon,

The transcripts in question here are the ciphertexts; that is, Eve just
does a packet capture on the wire.  She does indeed get access to the
MAC keys, but *not* the decryption keys.  Then Eve can use the OTR
toolkit that comes with the OTR software to modify the transcript so
that even if Bob provides the decryption keys, it will decrypt to
whatever she likes.  The goal is to make OTR transcripts just as
forgeable as plaintext transcripts.  If OTR had instead used, for
example, PGP-signed messages, this would not be possible, and Alice
would not be able to repudiate what she said in confidence to Bob.

   - Ian
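The property Ian describes, as an added illustration that is not the OTR toolkit's code: a counter-mode ciphertext is plaintext XOR keystream, so anyone holding the (deliberately published) MAC key plus the captured ciphertext and the original wording can flip the ciphertext into one that decrypts, under the still-secret encryption key, to a different same-length message and still carries a valid MAC. This is why a MACed OTR transcript is no stronger evidence than a plaintext one. Assumptions in the example: the keystream is produced with HMAC-SHA256 in counter mode as a stand-in for AES-CTR so it runs on the standard library alone; the MAC is HMAC-SHA1 over nonce and ciphertext with a key derived by hashing the encryption key, a simplification of OTR's actual key schedule; the message text and key material are constructed here.

```python
import hashlib
import hmac
import os


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Assumption: HMAC-SHA256 stands in for AES as the
    block function; the malleability shown below is identical for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # CTR mode: ciphertext = plaintext XOR keystream; decryption is the same operation.
    return xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))


decrypt = encrypt


def derive_mac_key(enc_key: bytes) -> bytes:
    # Simplified stand-in for OTR's derivation of the MAC key from the encryption key.
    return hashlib.sha1(enc_key).digest()


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha1).digest()


def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag)


def forge(mac_key: bytes, nonce: bytes, ciphertext: bytes,
          known_plaintext: bytes, new_plaintext: bytes) -> tuple[bytes, bytes]:
    """Rewrite a captured ciphertext so it decrypts to new_plaintext, using only the
    published MAC key and knowledge of the original wording (never the encryption key).
    The replacement must have the same length; CTR malleability gives nothing else."""
    if len(new_plaintext) != len(known_plaintext):
        raise ValueError("replacement text must match the original length")
    # XORing in (old XOR new) changes exactly the plaintext bits, keystream untouched.
    forged_ct = xor_bytes(ciphertext, xor_bytes(known_plaintext, new_plaintext))
    return forged_ct, mac_tag(mac_key, nonce, forged_ct)


def demo() -> dict:
    """Alice and Bob share enc_key; the MAC key is later published per OTR's design.
    Eve has the wire capture and the MAC key, but not enc_key."""
    enc_key = os.urandom(32)                      # constructed session key
    mac_key = derive_mac_key(enc_key)             # what OTR reveals after the session
    nonce = os.urandom(8)
    original = b"meet at noon"                    # constructed message
    ct = encrypt(enc_key, nonce, original)
    tag = mac_tag(mac_key, nonce, ct)

    forged_ct, forged_tag = forge(mac_key, nonce, ct, original, b"meet at nine")
    return {
        "original_verifies": verify(mac_key, nonce, ct, tag),
        "forged_verifies": verify(mac_key, nonce, forged_ct, forged_tag),
        # Even when Bob hands over the real encryption key, the edited record decrypts
        # to Eve's wording, so the MAC proves nothing about who wrote it.
        "forged_decrypts_to": decrypt(enc_key, nonce, forged_ct),
        # Without the MAC key a tampered record is still caught: a stale tag fails.
        "stale_tag_rejected": not verify(mac_key, nonce, forged_ct, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last entry is the other half of the picture: while the session is live and the MAC key is still secret, Bob rejects any edit because the tag no longer matches; forgeability only appears once the key is published, which is exactly when the transcript should stop counting as proof.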


