[OTR-dev] Simplifying deniability

Paul Wouters paul at cypherpunks.ca
Tue Jul 30 10:07:47 EDT 2013


On Tue, 30 Jul 2013, Trevor Perrin wrote:

> As a SIGMA-based key exchange that uses signatures, OTR is a bit less
> deniable per [1].  Performing OTR key agreement with Bob gives Alice a
> signature from him, which she could not produce herself.

No. It simply means Alice got an automated reply from Bob's machine.
Bob could be 6000km away without internet connectivity. This is very
different from giving a "digital signature" that requires Bob to use
a passphrase or PIN to create it (e.g. PGP).

> I'm not sure what publishing MAC keys adds.

Repudiation. While I'm not sure there is legal value in that, it does
provide it. If the NSA says "this proves Alice said X", you can say
"The NSA could have created that message themselves, it is not proof
without reasonable doubt".

> The transcripts I was talking about represent complete protocol runs.
> AFAICT, Gregory's just describing "making up" an AES key and some
> plaintext, encrypting it, then splicing it into a bunch of ciphertext
> and claiming it came from Bob.  If the attacker can make up new keys,
> splice in new ciphertext, and get some 3rd party to believe this all
> came from Bob, why can't the attacker make up a new MAC key, too?

Because it is the _old_ MAC, and it is no longer used or trusted by
Alice or Bob. You can only forge messages _in the past_.

Paul
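
Added example, not part of the original message and not OTR's own code: a toy model of the property discussed above, where a MAC key is published once it is retired. It assumes HMAC-SHA256 and random keys in place of OTR's real key derivation and wire format; the Session class and all names are hypothetical.

```python
import hashlib
import hmac
import os

def tag(mac_key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

class Session:
    """Toy model of one side of a conversation with rotating MAC keys."""
    def __init__(self, first_key: bytes):
        self.current_key = first_key
        self.revealed = []  # retired MAC keys, published in the clear

    def rotate(self, next_key: bytes) -> None:
        # Publish the retired key, then stop accepting anything under it.
        self.revealed.append(self.current_key)
        self.current_key = next_key

    def accepts(self, msg: bytes, t: bytes) -> bool:
        return hmac.compare_digest(tag(self.current_key, msg), t)

def third_party_verifies(revealed_key: bytes, msg: bytes, t: bytes) -> bool:
    # All that someone holding a transcript and the published key can check.
    return hmac.compare_digest(tag(revealed_key, msg), t)

def demo() -> dict:
    k1, k2 = os.urandom(32), os.urandom(32)  # constructed sample keys
    bob = Session(k1)
    genuine = b"meet at noon"                # constructed sample message
    genuine_tag = tag(k1, genuine)           # Alice, who shares k1, sends this
    live_ok = bob.accepts(genuine, genuine_tag)
    bob.rotate(k2)                           # k1 is now public
    old = bob.revealed[0]
    made_up = b"constructed message nobody sent"
    made_up_tag = tag(old, made_up)          # computable by anyone after the reveal
    return {
        "genuine_accepted_live": live_ok,
        "genuine_verifies_under_old_key": third_party_verifies(old, genuine, genuine_tag),
        "made_up_verifies_under_old_key": third_party_verifies(old, made_up, made_up_tag),
        "made_up_accepted_by_bob_now": bob.accepts(made_up, made_up_tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under the retired key the genuine and the made-up message are indistinguishable to a third party, while the live session, which has moved to the next key, rejects the made-up one.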


