[OTR-dev] OTR version 4 Draft #2
Sofia
sofia at autonomia.digital
Fri Mar 16 12:39:57 EDT 2018
Hey!
I am Sofia from the team that previously sent a draft of the OTRv4
protocol. We, as a team, would like to present the third version of this
draft. It has been reviewed by Ian and Nik two times in the interim. The
draft is at Github[1].
There are many changes on this version as compared with the version 3 of
the OTR protocol. Just to briefly summarize them:
* Security level raised to 224 bits and based on Elliptic Curve
Cryptography (ECC) (using ed448, Goldilocks - huge thanks to Mike
Hamburg!).
* Additional protection against transcript decryption in the case of ECC
compromise.
* Support for both online and offline conversations.
* Support for an out-of-order network model.
* The following cryptographic primitives and protocols have been updated:
  * Deniable authenticated key exchanges (DAKE) using "DAKE with Zero
  Knowledge" (DAKEZ) and "Extended Zero-knowledge Diffie-Hellman" (XZDH).
  DAKEZ corresponds to conversations when both parties are online
  (interactive) and XZDH to conversations when one of the parties is
  offline (non-interactive).
  * Key management using the Double Ratchet Algorithm.
  * Upgraded SHA-1 and SHA-2 to SHAKE-256.
  * Switched from AES to XSalsa20.
* Support for different modes in how the specification can be used
(OTRv4 only, OTRv4+v3 compatibility mode, OTRv4 interactive only).
* Explicit instructions for producing forged transcripts using the same
functions used to conduct honest conversations.
The DAKEs we are using are based upon the ones defined by Nik and Ian in
their paper: Improved Strongly Deniable Authenticated Key Exchanges for
Secure Messaging[2]. Nik will be talking about them at the next PETS
[3], if you are interested, or you can check this diagram around them [4].
Previously, there were some comments inquiring whether this was the
"official" draft of OTRv4. As we have been closely working with Ian and
Nik on this, we consider this an official version 4 of the OTR protocol.
Just for context, this version of the protocol started with a discussion
held at the beginning of March, 2015, at the IFF - you can see the
report and discussion about that beginning here [5].
This proposal has had two reviews. We briefly held a meeting around it
with Ian at Real World Crypto, 2018.
Notice that the draft points to another specification for how a prekey
server used for offline conversations works. This specific specification
is still a work in progress. But we will finish it soon. ;)
We are sending this in order to get a third review from Nik and Ian, but
also to get the opinions, thoughts, discussions and much more from the
OTR community. This is by no means a finished draft, so, we welcome your
feedback on it (please, do so).
Let's discuss and share our opinions! :)
Thanks and have a very good weekend!
The OTRv4 team
1- https://github.com/otrv4/otrv4/blob/master/otrv4.md
2- http://cacr.uwaterloo.ca/techreports/2016/cacr2016-06.pdf
3- https://petsymposium.org/2018/paperlist.php
4- https://cs.uwaterloo.ca/~njunger/dake_csdf17_poster_72dpi.png
5- https://lists.cypherpunks.ca/pipermail/otr-dev/2016-March/002447.html
--
Sofía Celi (aka cherenkov)
@claucece / @cherenkov_d
EF74 1A5F 5692 E56F 14F6 243C 3992 6144 F89D 996F