[OTR-dev] Simplifying deniability

Trevor Perrin trevp at trevp.net
Tue Jul 30 04:32:49 EDT 2013


Hi Jake, Gregory, others,

I think the protocol Moxie sketched is "deniable" in the sense of [1]
- roughly, the complete-protocol transcripts Alice has after
performing key agreement with Bob aren't different from transcripts
she could produce herself, without interacting with Bob.

As a SIGMA-based key exchange that uses signatures, OTR is a bit less
deniable per [1].  Performing OTR key agreement with Bob gives Alice a
signature from him, which she could not produce herself.

I'm not sure what publishing MAC keys adds.  Gregory wrote:

> In particular, you can just _make up_ an AES key, modify the
> transcript to say whatever you want assuming that AES key and you get
> a completely plausible transcript which you know the AES key for that
> appears to be between the named parties.

The transcripts I was talking about represent complete protocol runs.
AFAICT, Gregory's just describing "making up" an AES key and some
plaintext, encrypting it, then splicing it into a bunch of ciphertext
and claiming it came from Bob.  If the attacker can make up new keys,
splice in new ciphertext, and get some 3rd party to believe this all
came from Bob, why can't the attacker make up a new MAC key, too?


Trevor

[1] http://eprint.iacr.org/2006/280


