[OTR-dev] Fwd: Some DH groups found weak; is OTR vulnerable?

Nadim Kobeissi nadim at nadim.computer
Fri May 22 11:08:37 EDT 2015


On Fri, May 22, 2015 at 3:40 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:

> On Thu, May 21, 2015 at 08:39:43PM +0300, Shnatsel . wrote:
> > Dear OTR developers,
> >
> > I'm following up on the recent findings in Diffie-Hellman key exchange
> > published at https://weakdh.org/
> >
> > In a nutshell, a state agency kind of adversary can probably break a few
> > common Diffie-Hellman groups and passively decrypt a significant part of
> > encrypted communications over multiple protocols.
>
> That is indeed believed to be true for <= 1024-bit keys.  (It is
> demonstrably true for 512-bit, even for random single people; 768-bit
> keys are likely doable for researchers or companies with big compute
> farms.)
>
> > As far as I understand OTR uses Diffie-Hellman key exchange in the
> > protocol. I'd like to know if OTR is vulnerable to this attack.
> >
> > Thanks in advance,
> > --
> > Sergey "Shnatsel" Davidoff
>
> No, there is no reason to believe that the 1536-bit DH group used by OTR
> is vulnerable.
>

I am a researcher at one of the labs that worked on Logjam, and AFAIK OTR
is not vulnerable to that particular result in any way.

Nevertheless, I've harbored the strong opinion for many months now that OTR
should soon move to Curve25519 for key agreement, and eschew DSA in favor
of ED25519. In fact, I'd be happy to offer a hand in specifying and
implementing this change to the AKE if the OTR team is on board.

Thanks to Ian, Jake and the rest of the OTR team for their attention to
this issue.

Nadim


>
>    - Ian
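Since the question is whether OTR's 1536-bit group is exposed, here is an added example (not code from this thread or from libotr) that audits a finite-field DH group against the size thresholds Ian gives and checks that it is a safe prime whose generator has prime order q. It assumes the modulus is the RFC 3526 1536-bit MODP group with generator 2 (the group OTR uses), transcribed here; the tier labels are my own names for Ian's thresholds.

```python
import secrets

# RFC 3526 group 5 (1536-bit MODP, generator 2): the group OTR uses.
# Transcribed for this example; check it against the RFC text before relying on it.
OTR_DH1536_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
OTR_DH1536_G = 2

# Size thresholds as stated in Ian's reply (upper bound in bits, label).
SIZE_TIERS = ((512, "broken"),        # demonstrably breakable by one person
              (768, "weak-academic"), # doable by researchers / big compute farms
              (1024, "weak-state"))   # believed breakable by a state-level adversary

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; never rejects a true prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def size_tier(bits):
    return next((label for limit, label in SIZE_TIERS if bits <= limit), "ok")

def audit_group(p, g):
    """Check size tier, safe-prime structure (p = 2q + 1) and that g has order q."""
    q = (p - 1) // 2
    return {"bits": p.bit_length(), "tier": size_tier(p.bit_length()),
            "safe_prime": is_probable_prime(p) and is_probable_prime(q),
            "g_has_order_q": 1 < g < p - 1 and pow(g, q, p) == 1}
```

The same audit run on a 1024-bit or smaller modulus lands in one of the weak tiers, which is the case the Logjam work covers; a group passing the size check but failing the safe-prime or order check is a separate problem worth flagging regardless of size.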