[OTR-dev] In what way is the forgeability feature useful?

Jon Kristensen info at jonkri.com
Sun Mar 3 16:15:46 EST 2013

On 02/28/2013 04:14 PM, otr-users at lists.cypherpunks.ca wrote:
> On Wed, 27 Feb 2013, Jon Kristensen wrote:
>> However, I still don't understand when the revealing of the MAC keys 
>> is useful. If Eve does not manage to decrypt the ciphertext, the text 
>> cannot be used to prove anything. If Eve does manage to acquire or 
>> guess the encryption key, she will also have the MAC key (as the MAC 
>> key is a simple derivation of the encryption key), and thus the power 
>> to forge the transcript.
>> What would we lose by not posting the MAC keys over the wire?
> With the MAC keys you can fake messages _in the past_
> So while you won't be fooled in your _current_ conversation, no one can
> later produce logs to claim you said something, as _anyone_ who captured
> the MACs could forge messages (for the past!) as you or your conversation
> partner.
> Paul


Thank you for your reply, but I still don't see how this helps. I don't 
see how anyone could claim that I would have said something even without 
the MAC keys. The only way to decrypt our message is to have the 
encryption key. And if Eve has the encryption key, she also has the MAC 

So I ask again: What would we lose by not posting the MAC keys over the 

Actually, when I think about it, there seems to be a potential drawback 
with exposing the MAC keys: If Eve has the MAC key (for example, as 
revealed over the wire), and an encryption key which seems to decrypt 
the message, that should pretty much prove that the encryption key in 
question is actually the key that was used, as the probability of the 
same MAC key being derived from another encryption key is extremely low.
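
The mechanics discussed in this thread, as an added example that is not part of the original post or of any OTR implementation. It assumes the OTR v2/v3 derivation (MAC key = SHA-1 of the AES key), uses a SHA-256 counter keystream as a stand-in for AES-CTR, MACs only the ciphertext rather than the full data message, and all function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac

def derive_mac_key(enc_key: bytes) -> bytes:
    # OTR v2/v3: the MAC key is the SHA-1 hash of the AES key (one-way).
    return hashlib.sha1(enc_key).digest()

def keystream(enc_key: bytes, n: int) -> bytes:
    # Assumption: SHA-256 in counter mode stands in for AES-CTR here.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key: bytes, plaintext: bytes):
    # Encrypt with the stream cipher, then HMAC-SHA1 the ciphertext.
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ct, hmac.new(derive_mac_key(enc_key), ct, hashlib.sha1).digest()

def verify(mac_key: bytes, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha1).digest(), tag)

def retag_with_revealed_key(mac_key: bytes, ct: bytes, old: bytes, new: bytes):
    # Holder of only the revealed MAC key: stream-cipher malleability lets
    # the ciphertext be altered, and the MAC key yields a valid tag for it.
    if not (len(ct) == len(old) == len(new)):
        raise ValueError("lengths must match")
    new_ct = xor(ct, xor(old, new))
    return new_ct, hmac.new(mac_key, new_ct, hashlib.sha1).digest()

def candidate_key_matches(candidate: bytes, revealed_mac_key: bytes) -> bool:
    # The check raised at the end of the post: does a guessed encryption
    # key derive the MAC key that was revealed on the wire?
    return hmac.compare_digest(derive_mac_key(candidate), revealed_mac_key)

if __name__ == "__main__":
    enc_key = bytes(range(16))            # constructed sample key
    ct, tag = seal(enc_key, b"meet at noon")
    revealed = derive_mac_key(enc_key)    # what gets published later
    ct2, tag2 = retag_with_revealed_key(revealed, ct, b"meet at noon", b"meet at nine")
    print(verify(revealed, ct2, tag2), xor(ct2, keystream(enc_key, len(ct2))))
    print(candidate_key_matches(enc_key, revealed), candidate_key_matches(bytes(16), revealed))
```
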

