[OTR-dev] Simplifying deniability

Trevor Perrin trevp at trevp.net
Tue Jul 30 12:29:42 EDT 2013 

On Tue, Jul 30, 2013 at 7:07 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Tue, 30 Jul 2013, Trevor Perrin wrote:
>
>> As a SIGMA-based key exchange that uses signatures, OTR is a bit less
>> deniable per [1].  Performing OTR key agreement with Bob gives Alice a
>> signature from him, which she could not produce herself.
>
>
> No. It simply means Alice got an automated reply from Bob's machine.

With what Moxie specified, a full transcript doesn't even mean that much.


> Bob could be 6000km away without internet connectivity. This is very
> different from giving a "digital signature" that requires Bob to use
> a passphrase or pin to create it (eg PGP)

But it's also different from an implicitly authenticated, all-DH key
agreement.  Such a key agreement does not create 3rd-party verifiable
digital signatures *at all*.  Thus full transcripts can be forged more
easily, without interacting with Bob.


>> I'm not sure what publishing MAC keys adds.
>
>
> Repudiation. While I'm not sure there is legal value in that, it does
> provide it. If the NSA says "this proves Alice said X", you can say
> "The NSA could have create that message themselves, it is not proof
> without reasonable doubt".

When the NSA says "this", what is the "this"?  If they are pointing to
a full transcript from one party to a conversation that shows all
plaintext / ciphertext / secrets, then they will have the MAC keys
regardless of whether they were published.

Could you elaborate on your scenario, and explain how publication of
MAC keys helps?


>> The transcripts I was talking about represent complete protocol runs.
>> AFAICT, Gregory's just describing "making up" an AES key and some
>> plaintext, encrypting it, then splicing it into a bunch of ciphertext
>> and claiming it came from Bob.  If the attacker can make up new keys,
>> splice in new ciphertext, and get some 3rd party to believe this all
>> came from Bob, why can't the attacker make up a new MAC key, too?
>
>
> Because it is the _old_ MAC, and it is not longer used or trusted by
> Alice or Bob. You can only forge messages _in the past_.

I understand that only old MAC keys are published.


Trevor

More information about the OTR-dev mailing list