[OTR-dev] Pre-keying via OTR or XMPP

Trevor Perrin trevp at trevp.net
Fri Jan 3 11:49:28 EST 2014


On Thu, Jan 2, 2014 at 6:05 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:
> On Thu, Jan 02, 2014 at 10:44:34AM -0500, Nathan of Guardian wrote:
>>
>> I was thinking about how the pre-keying work designed by OWS
>> (https://whispersystems.org/blog/asynchronous-security/) could be
>> implemented in a more generic way, that would not be tied to a specific
>> server or app.
>>
>> Would it be possible using either an XMPP file transfer mechanism, or
>> something like our OTRDATA protocol, to send a number of pre-keys to a
>> contact, say at the time of an existing chat? Would this require
>> modification of existing OTR implementation, or could the pre-keys be
>> injected into the existing logic?
>
> How would you prevent the identity misbinding attack (the major change
> from OTRv1 to OTRv2) in this setting?

I think that could be prevented by using a key-agreement that mixes
the long-term keys into the session key, e.g. "triple Diffie-Hellman"
[1].

Alternatively, if you really want to do signed key agreement as Ian
describes, you could prevent identity misbinding by hashing the
parties' identities (e.g. long-term key fingerprints) into the derived
session key.  But if doing that, an expiry should be applied to the
signatures, so that a stolen ephemeral DH private key can't be reused
forever.

To Nathan's original point: I'm not sure of the value of sharing pre-keys
with a pre-existing contact.  I think Nathan is trying to enable
parties to communicate asynchronously even when the recipient is
offline.  But the parties could simply remember their session state to
do this.

(That's how TextSecure works - prekeys/tripleDH allow asynchronous
communication between parties with no prior contact, but for
subsequent messages the "ratchet state" is cached.  Since this means
the ratchet state might be cached for a long time, the TextSecure
ratcheting algorithm differs from OTR in deleting keys immediately
after sending a message, instead of waiting for an acknowledgement
[2]).


Trevor


[1] https://whispersystems.org/blog/simplifying-otr-deniability/
[2] https://whispersystems.org/blog/advanced-ratcheting/
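The identity misbinding point raised in the exchange above, as an added example that is not part of the original thread and is not code from OTR or TextSecure: a toy Python model of three key agreements run through the scenario Ian asks about. A relaying party ("Mallory") forwards Alice's ephemeral key to Bob but presents it under Mallory's own identity. With a plain ephemeral DH (the OTRv1-style baseline, where the session key depends on the ephemerals alone) Alice and Bob still derive the same key, so Bob is misled about who he is talking to. With triple Diffie-Hellman as Trevor describes (both long-term keys mixed into the session key) or with ephemeral DH plus both identity fingerprints hashed into the derived key, the two sides disagree and the misbound session cannot proceed. The group parameters are constructed toy values and far too small for real use; the 3DH term ordering, the fingerprint encoding and the length-prefixed KDF are my assumptions, not taken from [1].

```python
"""Toy model of identity misbinding against three DH-based key agreements.

Added example for the OTR-dev thread; not OTR or TextSecure code.
Group parameters are constructed toy values (illustration only).
"""
import hashlib
import secrets

# Constructed toy DH group: Mersenne prime M61 and an arbitrary generator.
P = 2**61 - 1
G = 3


def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Diffie-Hellman shared value, fixed-width encoded (P < 2**64)."""
    return pow(pub, priv, P).to_bytes(8, "big")


def fingerprint(pub):
    """Identity fingerprint: hash of the encoded long-term public key (assumed encoding)."""
    return hashlib.sha256(pub.to_bytes(8, "big")).digest()


def kdf(*parts):
    """Length-prefixed SHA-256 over all inputs (assumed KDF shape)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.hexdigest()


def plain_dh_key(my_eph_priv, their_eph_pub):
    """Baseline: the session key depends only on the two ephemerals."""
    return kdf(dh(my_eph_priv, their_eph_pub))


def triple_dh_key(my_id_priv, my_eph_priv, their_id_pub, their_eph_pub, initiator):
    """3DH: both long-term keys enter the session key.

    Assumed term ordering, written from the initiator's view:
    DH(A, E_B) || DH(E_A, B) || DH(E_A, E_B)
    The responder computes the same three values from its own side.
    """
    if initiator:
        parts = (dh(my_id_priv, their_eph_pub),
                 dh(my_eph_priv, their_id_pub),
                 dh(my_eph_priv, their_eph_pub))
    else:
        parts = (dh(my_eph_priv, their_id_pub),
                 dh(my_id_priv, their_eph_pub),
                 dh(my_eph_priv, their_eph_pub))
    return kdf(*parts)


def identity_bound_key(my_eph_priv, their_eph_pub, initiator_id_pub, responder_id_pub):
    """Alternative from the thread: ephemeral DH plus both identity fingerprints in the KDF."""
    return kdf(dh(my_eph_priv, their_eph_pub),
               fingerprint(initiator_id_pub),
               fingerprint(responder_id_pub))


def run_exchange(misbind):
    """Alice initiates to Bob; Bob is told E_A belongs to Mallory when misbind is True.

    Returns, per construction, whether Alice and Bob derive the same session key.
    """
    a, A = keypair()      # Alice: long-term identity
    ea, EA = keypair()    # Alice: ephemeral
    b, B = keypair()      # Bob: long-term identity
    eb, EB = keypair()    # Bob: ephemeral (the pre-key in the asynchronous setting)
    _m, M = keypair()     # Mallory: long-term identity
    claimed = M if misbind else A   # identity Bob believes E_A belongs to

    # Alice always believes she is talking to Bob.
    alice = {
        "plain_dh": plain_dh_key(ea, EB),
        "triple_dh": triple_dh_key(a, ea, B, EB, initiator=True),
        "identity_bound": identity_bound_key(ea, EB, A, B),
    }
    # Bob derives keys using whatever identity he was told the ephemeral came from.
    bob = {
        "plain_dh": plain_dh_key(eb, EA),
        "triple_dh": triple_dh_key(b, eb, claimed, EA, initiator=False),
        "identity_bound": identity_bound_key(eb, EA, claimed, B),
    }
    return {name: alice[name] == bob[name] for name in alice}


if __name__ == "__main__":
    print("honest run   :", run_exchange(misbind=False))
    print("misbound run :", run_exchange(misbind=True))
```

In the misbound run only the plain ephemeral DH still agrees: Mallory never needs Alice's ephemeral private key to make Bob accept the session as hers, which is the misbinding Ian refers to. In 3DH the term built from the claimed identity key (DH(E_A, B) on Alice's side, DH(E_A, M) on Bob's) differs, and in the fingerprint variant the KDF inputs differ, so neither side can decrypt the other's traffic and the misbound session fails at the first message.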
