[OTR-dev] In what way is the forgeability feature useful?
Jon Kristensen
info at jonkri.com
Wed Feb 27 16:52:08 EST 2013
On 02/27/2013 05:03 PM, Ian Goldberg wrote:
> The transcripts in question here are the ciphertexts; that is, Eve just
> does a packet capture on the wire. She does indeed get access to the
> MAC keys, but *not* the decryption keys. Then Eve can use the OTR
> toolkit that comes with the OTR software to modify the transcript so
> that even if Bob provides the decryption keys, it will decrypt to
> whatever she likes. The goal is to make OTR transcripts just as
> forgeable as plaintext transcripts. If OTR had instead used, for
> example, PGP-signed messages, this would not be possible, and Alice
> would not be able to repudiate what she said in confidence to Bob.
Paul and Ian: Thank you for your replies.
I understand the purpose of repudiability, and the reason for not using
something like PGP. I also understand that Eve can forge the transcript
using the MAC keys, even if she does not have the encryption keys.
However, I still don't understand when the revealing of the MAC keys is
useful. If Eve does not manage to decrypt the ciphertext, the text
cannot be used to prove anything. If Eve does manage to acquire or guess
the encryption key, she will also have the MAC key (as the MAC key is a
simple derivation of the encryption key), and thus the power to forge
the transcript.
What would we lose by not posting the MAC keys over the wire?
Thanks!
Best,
Jon Kristensen
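
The property discussed in this thread, as an added example that is not part of the original message or of the OTR code base: a message rewritten with a published MAC key still verifies under the real decryption key, while the same rewrite without the MAC key is rejected. Assumptions: a SHA-256 counter keystream stands in for AES-CTR, the MAC key is modelled as SHA-1 of the encryption key, the editor knows the original plaintext, and all function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import os

def keystream(enc_key, n):
    # Stand-in for AES-CTR (assumption): hash of key || counter, stdlib only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mac_key_from(enc_key):
    # One-way derivation: the MAC key does not reveal the encryption key.
    return hashlib.sha1(enc_key).digest()

def seal(enc_key, plaintext):
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ct, hmac.new(mac_key_from(enc_key), ct, hashlib.sha1).digest()

def unseal(enc_key, ct, tag):
    # Returns the plaintext, or None when the MAC does not verify.
    expected = hmac.new(mac_key_from(enc_key), ct, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(enc_key, len(ct)))

def rewrite(ct, known_plain, new_plain, mac_key):
    # Stream-cipher malleability: no encryption key is used here,
    # only the captured ciphertext and the published MAC key.
    if not (len(ct) == len(known_plain) == len(new_plain)):
        raise ValueError("lengths must match")
    new_ct = xor(ct, xor(known_plain, new_plain))
    return new_ct, hmac.new(mac_key, new_ct, hashlib.sha1).digest()

def demo():
    enc_key = os.urandom(16)
    original, edited = b"meet at noon", b"meet at nine"   # constructed samples
    ct, tag = seal(enc_key, original)
    published = mac_key_from(enc_key)   # what the protocol reveals after use
    ct2, tag2 = rewrite(ct, original, edited, published)
    with_mac_key = unseal(enc_key, ct2, tag2)   # verifies, decrypts to edit
    without_mac_key = unseal(enc_key, ct2, tag) # old tag: rejected
    return with_mac_key, without_mac_key
```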