[OTR-dev] Evidence of intelligence agency decryption of OTR chats

Gregory Maxwell gmaxwell at gmail.com
Mon Dec 29 06:34:32 EST 2014


On Mon, Dec 29, 2014 at 11:21 AM, Ian Goldberg <ian at cypherpunks.ca> wrote:
> On Sun, Dec 28, 2014 at 11:40:02PM +0000, Gregory Maxwell wrote:
>> http://www.spiegel.de/media/media-35552.pdf
>>
>> From http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html
>>
>> The fact that they appear to have decrypted some but not all messages
>> in a log suggests to me that this is not a host compromise, or an
>> MITM. But potentially an attack on 1024 bit DH or AES-CTR?
>
> OTR uses 1536-bit DH, not 1024-bit DH.
>
> It's possible the transcript on the second page of that PDF shows
> protocol messages (OTR Query, key exchange, etc.) messages.  But I don't
> have a similar explanation for the ones after the undecryptable OTR
> messages on the first page.

I thought the same thing about the second page.  The second page also
could have been "We should switch to OTR" "Okay".

The theory about intermittently bad RNGs in some clients sounds
interesting. It would be a reason why the capability to monitor might
blink in and out as the forward security ratchet turns.

A more robust implementation approach might be to chain like
new_PFS_key = H(prior ephemeral key including from past sessions ||
new randomness) so that if ever the PFS key is secure it's always
secure even if the local RNG is untrustworthy.

It's annoying that the slow, intermittent disclosures by the media,
and voluntary redacting may well be leaving people at risk because
we're unable to extract many technically relevant details.
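The chaining rule proposed above, as an added simulation that is not part of the original message and not OTR's or the author's code. It uses SHA-256 as a stand-in for the unspecified H, treats the derived 32 bytes as the session's ephemeral secret (in real OTR that secret is a DH exponent), and constructs a "stuck" RNG that returns all zeros whenever a session's randomness is bad. The attacker learns exactly the bad-RNG outputs; the test compares which sessions' secrets the attacker can reproduce under the naive rule (key = fresh randomness) versus the chained rule (key = H(previous key || fresh randomness)). The optional `leak_after` parameter is an assumption added here to show the cost of the chain: the stored chain state becomes a secret in its own right.

```python
"""Naive vs. chained ephemeral-key derivation under an intermittently bad RNG.

naive:    key_i = rand_i
chained:  key_i = H(key_{i-1} || rand_i)        (key_{-1} is an empty string)

Attacker model: knows rand_i for every session whose RNG was bad, knows the
initial (empty) chain state, and optionally obtains the honest chain state
after one session (leak_after).  H is one-way, so a known output never
reveals its inputs; the attacker can only run the chain forward.
"""
import hashlib
import os
from typing import Dict, List, Optional

# Constructed: a broken RNG that returns a fixed, attacker-predictable value.
BAD_RNG_OUTPUT = bytes(32)


def chained_step(state: bytes, fresh: bytes) -> bytes:
    """One ratchet turn: new state = H(domain tag || old state || fresh randomness)."""
    return hashlib.sha256(b"pfs-chain|" + state + b"|" + fresh).digest()


def ephemeral_keys(rands: List[bytes], chained: bool) -> List[bytes]:
    """What the honest client derives for each session."""
    keys, state = [], b""
    for r in rands:
        state = chained_step(state, r) if chained else r
        keys.append(state)
    return keys


def attacker_keys(
    known: List[Optional[bytes]],
    chained: bool,
    leaked: Optional[Dict[int, bytes]] = None,
) -> List[Optional[bytes]]:
    """What the attacker can reconstruct.

    known[i] is rand_i if session i used the bad RNG, else None.
    leaked maps a session index to the honest chain state after that session.
    Once the attacker misses one good rand_i the chain state is unknown and every
    later key stays hidden until a state leak hands the chain back.
    """
    out, state = [], b""
    for i, r in enumerate(known):
        if chained:
            state = None if (r is None or state is None) else chained_step(state, r)
            if leaked and i in leaked:
                state = leaked[i]
        else:
            state = r  # naive rule: each key is just that session's randomness
        out.append(state)
    return out


def recovered_sessions(
    good_mask: List[bool], chained: bool, leak_after: Optional[int] = None
) -> List[int]:
    """Simulate a run; good_mask[i] is True when session i drew unpredictable randomness.

    Returns the indices of sessions whose ephemeral key the attacker recovers.
    """
    rands = [os.urandom(32) if good else BAD_RNG_OUTPUT for good in good_mask]
    known = [None if good else r for good, r in zip(good_mask, rands)]
    real = ephemeral_keys(rands, chained)
    leaked = {leak_after: real[leak_after]} if (chained and leak_after is not None) else None
    guess = attacker_keys(known, chained, leaked)
    return [i for i, (a, b) in enumerate(zip(real, guess)) if a == b]


if __name__ == "__main__":
    mask = [False, False, True, False, False]  # constructed: RNG healthy only in session 2
    print("naive  :", recovered_sessions(mask, chained=False))
    print("chained:", recovered_sessions(mask, chained=True))
    print("chained, state leaked after session 2:", recovered_sessions(mask, True, leak_after=2))
```

With the naive rule the attacker gets every bad-RNG session, which is the "blinking in and out" pattern; with the chain, one good sample in session 2 hides sessions 2, 3 and 4 even though their own randomness was predictable. The trade is that the chain state on disk is now a long-lived secret: if it leaks, the attacker tracks the chain again until the next good sample arrives.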

