[OTR-users] OTR & SIMP

Daniel Carrera dcarrera at math.umd.edu
Sat Apr 23 12:36:22 EDT 2005


First, OTR is open source and SIMP isn't. For security products, the 
ability to verify the source code is invaluable. Security through 
obscurity is no security at all.

Judging from their "specifications" page, this looks like an 
old-fashioned security system. That is, using RSA to exchange symmetric 
keys, and then using the same session key for the entire 
discussion. This system does not provide the repudiability and perfect 
forward security of OTR. Specifically:

* Repudiability: With previous systems, if someone managed to read the 
communication (e.g. by stealing the private key) not only would they 
know what you said, but they would have mathematical /proof/ that you 
said it. This can hardly be considered "private". The principle of 
anonymity is central to privacy.

* Perfect forward security: Suppose that an attacker collects the 
encrypted transmissions, over time, in the hope of one day being able to 
obtain your private key. 20 years from now they get it (either through a 
breakthrough in mathematics, or faster computers, or by stealing your 
computer). They will be able to read every transmission you sent over 
those 20 years. In contrast, with OTR, there is a short window (a few 
seconds) over which a transmission can be decrypted (and the key can 
only be obtained from the computer's RAM memory). After that, the key 
is shredded from RAM and a new one is created. If someone obtains your 
key 20 years from now, they will not be able to read /anything/ that you 
sent over those 20 years. The information is gone. Period.

Traditional encryption is like sealing a letter in a safe. OTR is like 
that, but also writing the letter on self-destruct paper.

Cheers,
Daniel.


geiri bolla wrote:

>howdy!
>
>I was wondering what the difference between SIMP (
>http://www.secway.fr/products/simplite_msn/home.php?PARAM=us,text )
>and OTR is?
>
>Thanks in advance,
>geiri
>
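
Added example, not part of the original message and not OTR or SIMP code: a toy Python model of the forward-secrecy contrast described above, comparing one RSA-wrapped session key for the whole conversation with a fresh Diffie-Hellman exchange per message. All names and parameters are constructed for illustration; the groups are far too small for real use, textbook RSA and the XOR keystream are toys, and the long-term signing key that authenticates the exchange in a real protocol is omitted.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P_DH, G = 2**127 - 1, 3                        # toy Diffie-Hellman group
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537  # toy textbook-RSA primes
N = RSA_P * RSA_Q
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))      # long-term private exponent

def xor_stream(key: int, data: bytes) -> bytes:
    """Toy cipher: XOR data with a SHAKE-256 keystream derived from key."""
    stream = hashlib.shake_256(key.to_bytes(32, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def static_session(messages):
    """RSA key transport once, then one session key for every message."""
    session_key = secrets.randbits(128)
    wire = [pow(session_key, E, N)]            # wrapped key as sent on the wire
    return wire + [xor_stream(session_key, m) for m in messages]

def ephemeral_session(messages):
    """Fresh DH exchange per message; only the newest exponent stays in memory."""
    wire, memory = [], None
    for i, m in enumerate(messages):
        x = secrets.randbelow(P_DH - 2) + 1    # our ephemeral exponent
        y = secrets.randbelow(P_DH - 2) + 1    # peer's ephemeral exponent
        gx, gy = pow(G, x, P_DH), pow(G, y, P_DH)
        wire.append((gx, gy, xor_stream(pow(gy, x, P_DH), m)))
        memory = {"index": i, "x": x}          # overwrites the previous exponent
    return wire, memory

def read_static(wire, d):
    """Recorded traffic plus the long-term key, obtained years later."""
    session_key = pow(wire[0], d, N)
    return [xor_stream(session_key, ct) for ct in wire[1:]]

def read_ephemeral(wire, memory):
    """Recorded traffic plus a memory image: only the live exchange opens."""
    _, gy, ct = wire[memory["index"]]
    return [xor_stream(pow(gy, memory["x"], P_DH), ct)]

if __name__ == "__main__":
    msgs = [b"first", b"second", b"third"]     # constructed sample messages
    print(read_static(static_session(msgs), D))
    wire, mem = ephemeral_session(msgs)
    print(read_ephemeral(wire, mem))
```

With the long-term key, the whole recorded static conversation decrypts; with a memory image of the ephemeral scheme, only the exchange whose exponent is still resident decrypts.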
