[OTR-users] diffie-hellyes

Ian Goldberg ian at cypherpunks.ca
Wed Jun 22 19:33:07 EDT 2005


On Wed, Jun 22, 2005 at 04:25:50PM -0700, CLAY SHENTRUP wrote:
> 
> I haven't read the OTR spec in a while, but I seem to recall that
> one digitally signs the AES key derived from the Diffie-Hellman
> transaction.  Why not simply sign only your own public value in
> the Diffie-Hellman process?  If the other party signs his, then
> you know with confidence the shared secret (private key) that
> you will both generate.  This seems to provide substantially
> better deniability, because there's no way to prove you ever
> even knew the other party's public value and generated the
> shared secret.  You could deny that you had ever even seen that
> private key.  Does this make sense??  Am I missing something?
> Is this how it's already done and I just misunderstood?

This is in fact exactly how it's done now.  :-)

The only thing the digitally signed message in OTR proves is that
you've used OTR at some point in the past (not even necessarily to talk
to any particular person).

> Just curious..
> I think the next step on this plug-in, and I wish I had the time
> to help, would be to make the equivalent of mixminion for IM.
> Essentially, your message is encrypted like those little Russian
> dolls, so that the next person in the line can encrypt a layer,
> and then on down the line, until the final party can view the
> message, and an outside observer would be hard pressed to
> discover who you were talking to.  Maybe this is too process
> intensive, since it would require successive RSA decryption to
> peel away the layers, as well as the permission of various
> people on a network.  Just a thought..

Ben Laurie's "APRES" project is along these lines.  You need to use a
separate IM network though (not, for example, AIM), since it would be
way too easy for AOL to figure out who's talking to whom, when every
single message goes through their servers.

   - Ian
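A toy illustration of the signing point in the first exchange above, added here and not code from OTR or from the list: Alice either signs only her own DH value, as OTR does, or signs the derived AES key as the poster recalled. The group (2^127-1 with generator 3), the Schnorr signature and all function names are stand-ins I chose in place of OTR's 1536-bit MODP group and DSA; the final check shows why only the first choice is deniable.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only: the Mersenne prime 2^127-1
# with generator 3 and exponents reduced mod P-1 (valid by Fermat).  OTR itself
# uses a 1536-bit MODP group with DSA signatures; the argument is the same.
P = (1 << 127) - 1
Q, G = P - 1, 3

def challenge(r, msg):
    """Fiat-Shamir challenge: hash commitment and message to a scalar mod Q."""
    digest = hashlib.sha256(f"{r}|{msg}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    """(secret exponent x, public value g^x); long-term and ephemeral alike."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    """Schnorr signature (r, s) on an integer message with secret key x."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + x * challenge(r, msg)) % Q

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(y, challenge(r, msg), P)) % P

def session_key(my_eph_secret, peer_eph_public):
    """The AES key, derived by hashing the DH shared secret g^ab."""
    shared = pow(peer_eph_public, my_eph_secret, P)
    return int.from_bytes(hashlib.sha256(str(shared).encode()).digest(), "big")

def alice_handshake(alice_secret, bob_eph_public, sign_the_key):
    """Alice's half of the exchange.  OTR signs only her own g^a
    (sign_the_key=False); the variant the poster recalled signs the key."""
    a, ga = keygen()
    key = session_key(a, bob_eph_public)
    return ga, key, sign(alice_secret, key if sign_the_key else ga)

def signature_survives_new_peer(alice_public, ga, sig, sign_the_key):
    """Deniability check: someone else pairs Alice's signed value with a fresh
    ephemeral value of their own.  If her signature still verifies in that new
    transcript, it never attested to any particular partner or session key."""
    m, _ = keygen()
    new_key = session_key(m, ga)
    return verify(alice_public, new_key if sign_the_key else ga, sig)
```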
