[OTR-dev] hash commitment in DH key exchange

Ian Goldberg ian at cypherpunks.ca
Wed May 28 14:57:35 EDT 2014


On Wed, May 28, 2014 at 05:56:30PM +0100, Ximin Luo wrote:
> Thanks! I suppose this is the same reasoning as the DH-commit to protect the SAS in ZRTP[1]?

Probably.

> To clarify, does this mean the DH-commit is unnecessary if either:
> 
> a. the session key is longer, say 128 bits or 256 bits (but this would
> make it "less usable" for verification), or
> b. we use a verification method that doesn't depend on the session id,
> such as direct fingerprint verification

At first glance, those seem plausible to me.

> Come to think of it, why does the SMP secret include the session id?
> Aren't the fingerprints enough? (I had thought perhaps this was to
> prevent replay attacks, but including the fingerprints should mean
> that no successful run of SMP is ever seen by a MitM, to be able to
> store and replay it later.)

By including the session id in the SMP secret, it's at least possible to
detect the case where your private key has been stolen.
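The commit-then-reveal DH step the thread refers to, written out as an added Python sketch that is not from the OTR code base or from either poster; it assumes a constructed toy group (not OTR's 1536-bit MODP group) and an 8-byte session id, and shows the responder choosing its exponent only after receiving the commitment and rejecting a revealed value that does not match it:

```python
import hashlib
import secrets

# Constructed toy DH group for the demo only (a Mersenne prime); OTR's real AKE
# uses the 1536-bit MODP group, which is omitted here for brevity.
P = 2**127 - 1
G = 2
SESSION_ID_BYTES = 8  # short, human-comparable session id (assumed size)


def int_to_bytes(n):
    """Fixed-width big-endian encoding so hash inputs are unambiguous."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def commit_to(gx):
    """D-H Commit step: publish H(g^x) before the peer reveals anything."""
    return hashlib.sha256(int_to_bytes(gx)).digest()


def verify_commit(commitment, gx):
    """Reveal step: the peer checks the revealed g^x against the commitment."""
    return secrets.compare_digest(commitment, commit_to(gx))


def session_id(shared_secret):
    """Short session id: truncated hash of the DH shared secret."""
    return hashlib.sha256(int_to_bytes(shared_secret)).digest()[:SESSION_ID_BYTES]


def committed_exchange():
    """Run both roles in protocol order; return (initiator id, responder id)."""
    x, gx = dh_keypair()
    commitment = commit_to(gx)            # 1. initiator -> responder: H(g^x)
    y, gy = dh_keypair()                  # 2. responder picks y after seeing only the hash
    if not verify_commit(commitment, gx): # 3. initiator reveals g^x; responder checks it
        raise ValueError("revealed g^x does not match commitment")
    return session_id(pow(gy, x, P)), session_id(pow(gx, y, P))
```

Because the responder's g^y is fixed before g^x is revealed, neither side can steer the (short) session id by choosing its value after seeing the other's.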
