[OTR-users] Shared secret authentication?

Ian Goldberg ian at cypherpunks.ca
Thu Jan 20 19:27:13 EST 2005


On Thu, Jan 20, 2005 at 04:32:30PM -0500, Gregory Maxwell wrote:
> Has there been any thought given to the use of shared secrets for
> initial RSA key authentication?
> 
> Users establish a 'secret phrase' out of band (potentially in advance
> of ever using OTR). When OTR sees a new 'untrusted' RSA key, each end
> gets the option of providing a secret phrase. (There are a couple of
> pretty good MTM-proof ways of authenticating with a preshared secret;
> I can describe one if anyone needs it spelled out.) The preshared
> secret is never stored. It should be processed with an expensive
> transform (PBKDF2) to prevent a MTM from attempting a dictionary attack.
> 
> This would be useful in the case where users must authenticate before
> they have installed OTR, or where a user must move between systems
> from time to time and there is not a readily available secure channel
> to reconfirm the new keys.  It might also provide more security
> because users are more likely to actually exchange a phrase than get
> on the phone and read off a bunch of digits.

That's a pretty interesting suggestion.  An easy way would be to
calculate SHA-1(dir, sessionid, secret) and exchange those values
[once the session is established].  (Use the stretched secret, of
course.)

Technically, you could even do that "by hand" (even on the command line
if you don't care about the stretching), but that does sound like a cool
feature.

> On that topic---
> 
> In addition to displaying the public key hash in hex, it might be
> useful to create a transformation that expresses it as English words
> (uses the words to look up in a dictionary).  This way there is a
> pretty good chance that someone can 'remember' part of another
> person's key id when they go to another client without the stored
> keys.  Of course, if you just use part of the hash, it would make it
> possible for someone to generate keys until they find a matching
> string...  So rather it should expand the whole hash (or at least a
> large part of it) and users should then use a non-predictable subset
> for verification.

That's the S/KEY idea (http://www.faqs.org/rfcs/rfc1760.html).  The
particular word list they use isn't the best, though.

   - Ian
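As an added illustration of the SHA-1(dir, sessionid, secret) idea in Ian's reply (example code written for this page, not OTR's own implementation): both ends stretch the out-of-band phrase with PBKDF2, hash it together with a direction byte and the session id, exchange the results, and each side checks the value it expects for the *other* direction. The session id, the secret phrase, the two-byte length prefix and the use of the session id as PBKDF2 salt are constructed assumptions; the thread only says to exchange the hashes after the session is established and to use the stretched secret.

```python
"""Shared-secret authentication of an established session (added example)."""
import hashlib
import hmac

# Constructed sample values.  A real session id comes from the key exchange;
# the phrase is what the two users agreed out of band.
SESSION_ID = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SECRET_PHRASE = "the owl flies at midnight"


def stretch_secret(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA1 stretching, so that a man-in-the-middle who records the
    exchanged hashes cannot cheaply run a dictionary attack on the phrase.
    Salting with the session id is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode("utf-8"), salt,
                               iterations, dklen=20)


def auth_value(direction: int, session_id: bytes, stretched: bytes) -> bytes:
    """SHA-1(dir, sessionid, secret) with unambiguous field boundaries.
    direction 0 = initiator, 1 = responder."""
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    h = hashlib.sha1()
    h.update(bytes([direction]))
    h.update(len(session_id).to_bytes(2, "big"))  # length prefix (assumed encoding)
    h.update(session_id)
    h.update(stretched)
    return h.digest()


class Party:
    """One end of the conversation.  Only the stretched key is kept in memory
    for the check; the phrase itself is never stored."""

    def __init__(self, direction: int, session_id: bytes, secret: str):
        self.direction = direction
        self.session_id = session_id
        self._stretched = stretch_secret(secret, session_id)

    def value_to_send(self) -> bytes:
        return auth_value(self.direction, self.session_id, self._stretched)

    def verify(self, received: bytes) -> bool:
        # Expect the value for the peer's direction, so an echoed copy of our
        # own value is rejected.  Constant-time comparison.
        expected = auth_value(1 - self.direction, self.session_id, self._stretched)
        return hmac.compare_digest(expected, received)


def run_exchange(initiator_secret: str, responder_secret: str,
                 session_id: bytes = SESSION_ID) -> tuple[bool, bool]:
    """Both ends compute and swap their values; returns (alice_ok, bob_ok)."""
    alice = Party(0, session_id, initiator_secret)
    bob = Party(1, session_id, responder_secret)
    a_val = alice.value_to_send()
    b_val = bob.value_to_send()
    return alice.verify(b_val), bob.verify(a_val)


def reflection_rejected(session_id: bytes = SESSION_ID) -> bool:
    """Defensive check: a party must not accept its own value played back."""
    alice = Party(0, session_id, SECRET_PHRASE)
    return not alice.verify(alice.value_to_send())


if __name__ == "__main__":
    print("same phrase   :", run_exchange(SECRET_PHRASE, SECRET_PHRASE))
    print("wrong phrase  :", run_exchange(SECRET_PHRASE, "a different phrase"))
    print("echo rejected :", reflection_rejected())
```

The direction byte is what makes the exchange safe to run over the session itself: because each side includes its own direction and checks for the peer's, the two values differ and a relayed or echoed copy fails verification. Binding the session id into the hash (and into the salt) means a value computed in one session is useless in another, which is the property needed against an attacker sitting between two separate sessions.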
