[OTR-dev] hash commitment in DH key exchange
Ximin Luo
infinity0 at pwned.gg
Tue May 27 12:43:32 EDT 2014
Hi, I'm helping someone read over the OTR protocol spec atm.
I'm confused about the hash commitment in the DH key exchange. In the 2007 paper "Improved User Auth in OTR" it says:
"The channel itself uses a 64-bit secure session id based on the shared secret, which is short enough to be vulnerable to brute-force attacks. As a result, an initial commitment is used to ensure that neither party can base their choice of g^x on the other party’s value of g^y."
Why is the hash commitment necessary? The first sentence implies that Bob can set the session id to something they can predict, since (without the commitment) they receive g^x before they pick y. This is true, but it's not clear why this is a big deal.
I have never seen the session id in any UIs, but according to the protocol spec[1] it can be used for entity verification. I don't see how a session id controlled by Bob gives him any advantage. They are meant to be confidential - so it's not like you can try to collide to a session id with another conversation, because you don't know what it is.
I don't think the hash commitment hurts security, but it does add one extra round trip, so I'm curious what justifies this.
X
[1] https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
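The grinding the quoted paper is worried about, as an added toy example that is not part of the message above, the OTR spec, or libotr. It uses a constructed 61-bit DH group (P, G) and a 12-bit session id (SID_BITS) so the brute-force loop finishes instantly; the real spec truncates to 64 bits and also encrypts g^x under a key revealed later, which this example simplifies to a plain hash commitment. The helper names (session_id, commit, grind_exponent, exchange_without_commitment, exchange_with_commitment) are hypothetical.

```python
import hashlib
import secrets

# Toy DH group, constructed for illustration only. OTR uses the 1536-bit MODP
# group; a 61-bit prime lets the grinding loop below finish in well under a second.
P = 2**61 - 1
G = 5
SID_BITS = 12  # toy truncation; the OTR session id is 64 bits


def session_id(shared_secret: int) -> int:
    """Truncated hash of the DH shared secret, standing in for OTR's 64-bit session id."""
    digest = hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << SID_BITS) - 1)


def commit(public_value: int) -> bytes:
    """Hash commitment to a DH public value (hypothetical encoding, not the spec's)."""
    return hashlib.sha256(b"commit|" + public_value.to_bytes(8, "big")).digest()


def grind_exponent(peer_value: int, target_sid: int, max_tries: int = 1 << (SID_BITS + 4)):
    """Having seen the peer's g^x, search for an exponent that forces the session id
    to target_sid. Expected cost is 2**SID_BITS trials; a real attacker would start
    from a random exponent rather than 2, which only matters for the demo's speed."""
    for e in range(2, 2 + max_tries):
        if session_id(pow(peer_value, e, P)) == target_sid:
            return e
    return None  # budget exhausted; probability about e**-16 at 12 bits


def exchange_without_commitment(target_sid: int) -> int:
    """Alice sends g^x in the clear; Bob picks y only after seeing it."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)                          # Alice -> Bob: g^x
    y = grind_exponent(gx, target_sid)         # Bob grinds y against the known g^x
    if y is None:
        raise RuntimeError("grinding budget exhausted")
    gy = pow(G, y, P)                          # Bob -> Alice: g^y
    assert pow(gy, x, P) == pow(gx, y, P)      # both sides agree on the secret
    return session_id(pow(gy, x, P))           # equals target_sid: Bob chose it


def exchange_with_commitment(target_sid: int):
    """Alice commits to g^x first; Bob must choose y before learning g^x.
    Returns (honest reveal accepted, cheating reveal accepted, session id)."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    c = commit(gx)                             # Alice -> Bob: H(g^x) only
    y = secrets.randbelow(P - 2) + 1           # Bob cannot grind: session_id needs g^x
    gy = pow(G, y, P)                          # Bob -> Alice: g^y
    # Alice -> Bob: reveal g^x. Bob accepts it only if it matches the commitment.
    honest_ok = commit(gx) == c
    # The commitment also binds Alice: if she waited for g^y and then ground a
    # fresh x' to hit target_sid, the revealed g^x' no longer matches H(g^x).
    x_prime = grind_exponent(gy, target_sid)
    cheat_ok = x_prime is not None and commit(pow(G, x_prime, P)) == c
    return honest_ok, cheat_ok, session_id(pow(gy, x, P))


if __name__ == "__main__":
    target = 0xABC
    print("no commitment: Bob forced sid", hex(exchange_without_commitment(target)))
    honest, cheat, sid = exchange_with_commitment(target)
    print("commitment: honest reveal accepted =", honest,
          "| ground reveal accepted =", cheat, "| sid =", hex(sid))
```

The first exchange shows the point the paper makes: whoever receives the other party's value first can run the session-id computation offline and pick their exponent to hit any target, at a cost of about 2**SID_BITS exponentiations (2**64 for the real id, which is why the paper calls it brute-forceable). The second shows the fix: Bob picks y blind, and Alice is pinned to the g^x she committed to, so neither side's choice can depend on the other's.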