[OTR-dev] mpOTR protocol phases and research questions
Trevor Perrin
trevp at trevp.net
Wed Oct 23 13:21:49 EDT 2013
On Wed, Oct 23, 2013 at 10:13 AM, Greg Troxel <gdt at ir.bbn.com> wrote:
>
> It seems that the hard property is to simultaneously achieve:
>
> deniability
>
> authentication to the counterparty in real time
>
> confidentiality, which means more than encryption, but also being
> sure that you are encrypting in a key that only the authorized
> counterparty has
>
> It seems that OTR does all of this, and I don't understand how you
> propose to get the second two properties with unsigned DH.
Easily, see several decades of literature on implicitly-authenticated
key agreement (MTI/A0, MQV, NTor, Unified Model, TripleDH, CurveCP,
Naxos, etc and etc...)
My favorite is the NTor / TripleDH-style of hashing ephemeral-static
and static-static DHs together, see:
NTor:
http://cacr.uwaterloo.ca/techreports/2011/cacr2011-11.pdf
TripleDH:
https://whispersystems.org/blog/simplifying-otr-deniability/
http://www.isg.rhul.ac.uk/~kp/theses/CKthesis.pdf
Trevor
More information about the OTR-dev
mailing list