[OTR-dev] mpOTR protocol phases and research questions
Trevor Perrin
trevp at trevp.net
Wed Oct 23 13:00:24 EDT 2013
On Wed, Oct 23, 2013 at 9:10 AM, David Goulet <dgoulet at ev0ke.net> wrote:
>
> I'm no crypto expert but my understanding is that deniability with OTR
> done by broadcasting the ephemeral keys after usage,
[...]
> Considering that, if correct, I feel like deniability seems a non
> trivial part here
I know I'm not making friends here, but to rehash what I've said before...
Deniability is easily achieved if you just use Diffie-Hellman based
key agreements without signatures (like MQV, NTor, TripleDH, etc.).
Which should be probably done anyways, as these are the "best" key
agreements (simplest, most efficient, most flexible).
Deniability is achieved because any party could forge records of
communication with other parties that a 3rd-party judge could not,
post-facto, cryptographically distinguish from actual records.
Because such forgery is possible, "malleablility" of transcripts isn't
necessary, and the OTR / mpOTR rigamarole around "modifiable
transcripts" and publishing signing/MAC keys becomes unnecessary. If
you can *forge* transcripts from scratch, there's no need to modify
existing ones.
Trevor
More information about the OTR-dev
mailing list