[OTR-dev] Pre-keying via OTR or XMPP

Ian Goldberg ian at cypherpunks.ca
Fri Jan 3 07:30:29 EST 2014


On Fri, Jan 03, 2014 at 09:54:48AM +0100, Randolph wrote:
> 2014/1/2 Nathan of Guardian <nathan at guardianproject.info>
> I was thinking about how the pre-keying work could be
> implemented in a more generic way, that would not be tied to a specific
> server or app.
> 
> Would it be possible using either an XMPP file transfer mechanism, or
> something like our OTRDATA protocol, to send a number of pre-keys to a
> contact, say at the time of an existing chat?
> 
> 
> Dear Nathan, dear Ian,
> 
> 1.) this reminds me of the Rosetta CryptoPad doing this: here you send a key
> shared in the past, and can generate at any time new ciphertext to be sent
> over XMPP or any other Messenger or Email. The key must be surveilled in
> the past and as well the private key must be screwed up. So this is
> unlikely. Due to the hashes and salts the same plaintext generates each
> time a new ciphertext. What would be the benefits, to have the D/H Key
> exchange not in each session? See a screenshot here:
> http://goldbug.sourceforge.net/img/screenshot_rosetta.png

But that "unlikely" event is *exactly* what forward secrecy is there to
protect against!  You absolutely do not want keys stored long term that
decrypt data sent over the Internet.

> 2) you want pre shared keys? a bunch of? and want to use the XMPP data
> sharing protocol? this reminded me of the StarBeam File Transfer which is done
> as well with pre-shared keys, the keys are sort of a magnet due to the
> Magnet-URI standard and looks like this. The thing is, you can choose one
> or several magnets to have access to the transfer (message or data file). I
> would rather extend your request to have not only pre-shared keys, but to
> use one or more keys for one transfer, so it is much more difficult to
> break not only one key, but several.

The keys Nathan proposes are not symmetric keys that can be used to
decrypt data.  They are public keys.

> 3.) As far as it is known, OTR uses perfect forward secrecy (PFS) per
> session, right?

Not right.  OTR does a DH key exchange every time Alice and Bob take
turns speaking.

   - Ian
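
The following is an added example, not part of the original message and not OTR's code. It is a simplified model of the per-turn DH re-keying and forward-secrecy argument made in the replies above. The toy group, the `Party` class and the function names are assumptions for illustration; OTR's real key management differs in detail.

```python
import hashlib
import secrets

# Toy group, an assumption for this example: a 127-bit Mersenne prime.
# Far too small for real use; it only keeps the arithmetic readable.
P = 2**127 - 1
G = 3

class Party:
    """Holds exactly one DH private key and replaces it on every rekey."""
    def __init__(self):
        self.rekey()

    def rekey(self):
        # Overwriting self.priv discards the previous exponent, which is
        # what makes earlier message keys unrecoverable afterwards.
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)

    def message_key(self, peer_pub):
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def converse(turns):
    """Alice and Bob alternate; the speaker rekeys before each message.
    Returns (wire, keys_alice, keys_bob, parties). Only public keys are
    ever put on the wire."""
    alice, bob = Party(), Party()
    wire, keys_a, keys_b = [], [], []
    for turn in range(turns):
        (alice if turn % 2 == 0 else bob).rekey()
        wire.append((alice.pub, bob.pub))   # what an eavesdropper records
        keys_a.append(alice.message_key(bob.pub))
        keys_b.append(bob.message_key(alice.pub))
    return wire, keys_a, keys_b, [alice, bob]

def recoverable_turns(wire, keys, seized):
    """Turns whose key can be rebuilt from the recorded public keys plus
    the private keys still held by the seized parties."""
    found = set()
    for party in seized:
        for pub in {p for pair in wire for p in pair}:
            k = party.message_key(pub)
            found.update(t for t, key in enumerate(keys) if key == k)
    return sorted(found)

if __name__ == "__main__":
    wire, keys_a, keys_b, parties = converse(6)
    print("keys agree:", keys_a == keys_b)
    print("turns readable after seizure:", recoverable_turns(wire, keys_a, parties))
```

In this model, seizing both endpoints after six turns exposes only the turns that still depend on a private key currently held; with a single stored long-term key every recorded turn would be readable.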


