[OTR-users] Shared secret authentication?

Gregory Maxwell gmaxwell at gmail.com
Thu Jan 20 16:32:30 EST 2005


Has there been any thought given to the use of shared secrets for
initial RSA key authentication?

Users establish a 'secret phrase' out of band (potentially in advance
of ever using OTR). When OTR sees a new 'untrusted' RSA key, each end
gets the option of providing a secret phrase. (There are a couple of
pretty good MTM-proof ways of authenticating with a preshared secret; I
can describe one if anyone needs it spelled out.) The preshared secret
is never stored. It should be processed with an expensive transform,
PBKDF2, to prevent a MTM from attempting a dictionary attack.

This would be useful in the case where users must authenticate before
they have installed OTR, or where a user must move between systems
from time to time and there is not a readily available secure channel
to reconfirm the new keys. It might also provide more security,
because users are more likely to actually exchange a phrase than get
on the phone and read off a bunch of digits.

On that topic---

In addition to displaying the public key hash in hex, it might be
useful to create a transformation that expresses it as English words
(using it to look up words in a dictionary). This way there is a
pretty good chance that someone can 'remember' part of another
person's key id when they go to another client without the stored
keys. Of course, if you just use part of the hash, it would make it
possible for someone to generate keys until they find a matching
string... So rather it should expand the whole hash (or at least a
large part of it), and users should then use a non-predictable subset
for verification.


