[OTR-dev] Pre-keying via OTR or XMPP

Ian Goldberg ian at cypherpunks.ca
Thu Jan 2 21:05:04 EST 2014


On Thu, Jan 02, 2014 at 10:44:34AM -0500, Nathan of Guardian wrote:
> 
> I was thinking about how the pre-keying work designed by OWS
> (https://whispersystems.org/blog/asynchronous-security/) could be
> implemented in a more generic way, that would not be tied to a specific
> server or app.
> 
> Would it be possible using either an XMPP file transfer mechanism, or
> something like our OTRDATA protocol, to send a number of pre-keys to a
> contact, say at the time of an existing chat? Would this require
> modification of existing OTR implementation, or could the pre-keys be
> injected into the existing logic?

How would you prevent the identity misbinding attack (the major change
from OTRv1 to OTRv2) in this setting?

The attack in the straightforward application of pre-keys would be like
this:

Mallory runs an evil XMPP server.  Alice, Bob, and Charlie are clients.
Charlie is in cahoots with Mallory.  Bob posts some pre-keys to Alice,
signed by his own long-term signature key.  Mallory intercepts these,
and has Charlie re-sign the same DH keys with Charlie's long-term
signature key.  Mallory stores them for Alice, making them appear to
come from Charlie.  Mallory then relays Alice's responses to Charlie
back to Bob.

Bob (correctly) thinks he's talking to Alice, but Alice (erroneously)
believes she's talking to Charlie.  Charlie can't read the messages, but
unless Bob explicitly identifies himself, things can go awry.

   - Ian
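The misbinding scenario Ian lays out above, run end to end in a small Python simulation. This is an added example, not code from the OTR project or from either author: Mallory takes Bob's signed DH pre-key, has Charlie re-sign the same value, and offers it to Alice as Charlie's; Alice's reply is then relayed to Bob. Two key derivations are compared: one that uses the DH secret alone (Bob accepts a message Alice addressed to Charlie), and one that mixes the identity the deriver believes owns the pre-key into the session key, an assumed mitigation in the spirit of "Bob explicitly identifies himself", not a proposal from the thread (the two sides then derive different keys and Bob rejects the message). The toy DH group, the HMAC stand-in for long-term signatures, and the party names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy DH group for illustration only (constructed): a Mersenne prime and a small generator.
# A real implementation would use a standard group such as the 1536-bit MODP group OTR uses.
P = 2**61 - 1
G = 3

# Stand-in for long-term signature keys: "signing" is an HMAC under a per-party secret and
# "verifying" recomputes it from a directory of those secrets. Real pre-keys would carry an
# asymmetric signature; the identity-binding argument is the same either way.
LONG_TERM = {name: secrets.token_bytes(32) for name in ("alice", "bob", "charlie")}


def sign(signer: str, message: bytes) -> bytes:
    return hmac.new(LONG_TERM[signer], message, hashlib.sha256).digest()


def verify(claimed_signer: str, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(claimed_signer, message), tag)


def encode(x: int) -> bytes:
    # All group elements fit in 8 bytes for this toy prime.
    return x.to_bytes(8, "big")


def publish_prekey(owner: str):
    """Owner generates a DH pre-key and signs its public half with the owner's long-term key."""
    priv = secrets.randbelow(P - 2) + 1
    pub = pow(G, priv, P)
    return priv, {"pub": pub, "sig": sign(owner, encode(pub))}


def derive_key(shared: int, prekey_owner: Optional[str]) -> bytes:
    """Session key from the DH secret. When prekey_owner is given, the identity the deriver
    believes owns the pre-key is mixed in (assumed mitigation, see lead-in)."""
    material = encode(shared)
    if prekey_owner is not None:
        material += prekey_owner.encode()
    return hashlib.sha256(material).digest()


def alice_initiates(bundle: dict, claimed_owner: str, bind_identity: bool):
    """Alice checks the bundle's signature against the advertised owner and sends a first message."""
    if not verify(claimed_owner, encode(bundle["pub"]), bundle["sig"]):
        raise ValueError("pre-key signature does not verify under the claimed owner")
    a = secrets.randbelow(P - 2) + 1
    shared = pow(bundle["pub"], a, P)
    key = derive_key(shared, claimed_owner if bind_identity else None)
    msg = b"hello"
    return pow(G, a, P), msg, hmac.new(key, msg, hashlib.sha256).digest()


def bob_responds(owner: str, prekey_priv: int, alice_pub: int, msg: bytes, tag: bytes,
                 bind_identity: bool) -> bool:
    """Bob completes the exchange with his own pre-key and checks the message authenticator."""
    shared = pow(alice_pub, prekey_priv, P)
    key = derive_key(shared, owner if bind_identity else None)
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def run_scenario(bind_identity: bool, attack: bool = True) -> dict:
    """Returns who Alice believes she is talking to and whether Bob accepts her message."""
    bob_priv, bob_bundle = publish_prekey("bob")
    if attack:
        # Mallory re-labels Bob's DH value as Charlie's: same public value, re-signed by Charlie.
        offered = {"pub": bob_bundle["pub"], "sig": sign("charlie", encode(bob_bundle["pub"]))}
        claimed = "charlie"
    else:
        offered, claimed = bob_bundle, "bob"
    alice_pub, msg, tag = alice_initiates(offered, claimed, bind_identity)
    # Mallory relays Alice's message (which she addressed to "Charlie") on to Bob.
    accepted = bob_responds("bob", bob_priv, alice_pub, msg, tag, bind_identity)
    return {"alice_believes_peer": claimed, "bob_accepts": accepted}


if __name__ == "__main__":
    print("DH secret only:      ", run_scenario(bind_identity=False))
    print("identity in KDF:     ", run_scenario(bind_identity=True))
    print("no attack, bound KDF:", run_scenario(bind_identity=True, attack=False))
```

The signature check Alice performs passes in both runs, because Charlie's re-signature over Bob's DH value is a perfectly valid signature by Charlie; what changes the outcome is whether the identity Alice is relying on ever enters the keys that Bob must also be able to compute.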

