[OTR-dev] hash commitment in DH key exchange

Ian Goldberg ian at cypherpunks.ca
Wed May 28 17:59:11 EDT 2014


On Wed, May 28, 2014 at 10:55:10PM +0100, Ben Laurie wrote:
> On 28 May 2014 19:57, Ian Goldberg <ian at cypherpunks.ca> wrote:
> > On Wed, May 28, 2014 at 05:56:30PM +0100, Ximin Luo wrote:
> >> Thanks! I suppose this is the same reasoning as the DH-commit to protect the SAS in ZRTP[1]?
> >
> > Probably.
> >
> >> To clarify, does this mean the DH-commit is unnecessary if either:
> >>
> >> a. the session key is longer, say 128 bits or 256 bits (but this would
> >> make it "less useable" for verification), or
> >> b. we use a verification method that doesn't depend on the session id,
> >> such as direct fingerprint verification
> >
> > At first glance, those seem plausible to me.
> 
> Now I'm curious: why is the session ID short?

Usability of verification in the (long-since-deprecated) "compare
session IDs" method, which works even if you *know* your private keys
have been compromised (but only for the current session).
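The thread above is about why a hash commitment on the first DH value matters when the session id is short: whoever sends their DH value second can see the other side's value first, so without a commitment the short id is only as trustworthy as the second mover. The following is an added example, not code from the OTR project or from anyone on this thread. It uses a constructed toy group (p = 1019, g = 2, insecure, for illustration only) and a simplified commitment (plain SHA-256 over g^x; OTR's real D-H Commit message also carries an encrypted copy of g^x, which is omitted here). The function names, the 32-bit session id length and the tamper flag are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: p = 1019 is a safe prime (1019 = 2*509 + 1), g = 2.
# A real deployment uses a standard large group (OTR uses a 1536-bit MODP group);
# these values are NOT secure and exist only to keep the example readable.
P = 1019
G = 2
Q = (P - 1) // 2
PUB_LEN = (P.bit_length() + 7) // 8  # bytes needed to encode a group element


def commit(gx: int) -> bytes:
    """Hash commitment to a DH public value (assumed scheme: SHA-256 over the
    big-endian encoding of g^x). Sent before the peer reveals anything."""
    return hashlib.sha256(gx.to_bytes(PUB_LEN, "big")).digest()


def reveal_matches(commitment: bytes, gx: int) -> bool:
    """Check a revealed g^x against the earlier commitment in constant time."""
    return hmac.compare_digest(commitment, commit(gx))


def session_id(shared: int, nbits: int = 32) -> str:
    """Short, human-comparable session id: a truncated hash of the shared secret.
    The truncation is what makes it usable for manual comparison, and it is
    also why the commitment is needed: a short id is cheap to steer if one
    party can pick its DH value after seeing the other's."""
    digest = hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()
    return digest[: nbits // 8].hex()


def run_exchange(x=None, y=None, tamper=False):
    """Commit-then-reveal DH between Alice (committer) and Bob (responder).

    tamper=True simulates Alice substituting a different g^x at reveal time,
    which is what the commitment is there to catch."""
    # Alice fixes x and commits to g^x before she has seen anything from Bob.
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    gx = pow(G, x, P)
    c = commit(gx)
    # Bob chooses y knowing only the commitment, so he cannot steer the id.
    y = y if y is not None else secrets.randbelow(Q - 1) + 1
    gy = pow(G, y, P)
    # Alice now reveals g^x. She has already seen g^y, but any value other
    # than the committed one fails Bob's check.
    revealed = pow(G, (x + 1) % Q, P) if tamper else gx
    if not reveal_matches(c, revealed):
        return {"accepted": False, "sid_alice": None, "sid_bob": None}
    sid_a = session_id(pow(gy, x, P))
    sid_b = session_id(pow(revealed, y, P))
    return {"accepted": True, "sid_alice": sid_a, "sid_bob": sid_b}


if __name__ == "__main__":
    print("honest run:", run_exchange())
    print("reveal mismatch:", run_exchange(tamper=True))
```

Both parties end up with the same short id in the honest run, and a reveal that does not match the commitment is rejected before any id is computed. The ordering is the whole point: Bob's y is fixed while g^x is still hidden behind the hash, so neither side gets the second-mover advantage over a 32-bit id.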
