[OTR-users] New gaim-otr and otrproxy ready for beta testing

Ian Goldberg ian at cypherpunks.ca
Mon Oct 17 22:19:52 EDT 2005


On Mon, Oct 17, 2005 at 04:08:30PM -0700, CLAY SHENTRUP wrote:
> > A secure session id? No, all that guarantees is that your current
> > conversation is private. It does *not* guarantee that the fingerprint
> > you received is actually the correct one.
> 
> I'm trying to wrap my head around this one. If the session key was
> ultimately derived from your private diffie-hellman generator value, and a
> signed public diffie-hellman value from the other party, then this would
> seem to indicate that only a person who actually has the private key from
> which a fingerprint is derived could have produced that session key. If you
> call up your friend and recognize his voice, and he verifies that session
> key, he has to be the real owner of the private key that produces the
> fingerprint that you think he has. If that fingerprint wasn't really his,
> how would he know that session key?
> 
> Where is this rationale broken?

Indeed, the session key is derived from your private diffie-hellman
keys, which is why, if you verify the session key, you're assured that
the person at the other end of the encrypted pipe is who you think it
is.

The public diffie-hellman keys are then signed by your DSA keys (~= your
fingerprint).  It's possible that a Man-in-the-Middle removed your
buddy's signature from the Key Exchange Message, and substituted his
own.  If you verify the session id, you'll know that you are in fact
talking to your buddy, and the MITM won't be able to read your messages,
but the fingerprint you see will be *his*, and not your buddy's.

That's why it's preferable to check the fingerprint.  As long as your
private DSA keys remain safe, you only have to do it once, and *all* of
your subsequent sessions are protected.  Checking the session id is only
useful when your private DSA keys have been compromised, and it only
checks the privacy of that one session.

I think your confusion may have been between the long-lived public DSA
keys (from which your fingerprint is derived) vs. the short-lived public
Diffie-Hellman keys (from which the session id is derived).

   - Ian
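The following is an added example to illustrate Ian's point; it is a toy model written for this page, not code from gaim-otr, otrproxy or libotr. It assumes a constructed Schnorr signature in place of OTR's DSA, a small safe-prime group generated at runtime, and SHA-based stand-ins for the real fingerprint and session-id derivations. It models three runs of a signed Diffie-Hellman exchange: an honest one; one where a man-in-the-middle leaves the DH values alone but swaps in his own signature and public key (Ian's case: the session keys still agree, so a session-id check passes, yet the fingerprint each side displays is the MITM's); and one where Alice's long-lived signing key has leaked, so the MITM can substitute his own DH value and sign it as Alice (the fingerprint Bob sees is then correct, and only the differing session ids reveal the attack).

```python
# Added example (not OTR's own code): toy model of ephemeral DH session keys
# versus fingerprints of long-lived signing keys.  Group, Schnorr signature
# (stand-in for DSA) and hash-based derivations are constructed for illustration.
import hashlib
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; plenty for generating a toy group."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Safe prime p = 2q + 1 and g = 4 (a square, so g generates the order-q subgroup)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def h_mod(q, *parts):
    """Hash the given values to an integer modulo q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def sign(group, x, msg):
    """Schnorr signature under long-lived secret x (toy stand-in for OTR's DSA)."""
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1
    e = h_mod(q, pow(g, k, p), msg)
    return e, (k - x * e) % q


def verify(group, y, msg, sig):
    p, q, g = group
    e, s = sig
    return h_mod(q, (pow(g, s, p) * pow(y, e, p)) % p, msg) == e


def fingerprint_of(y):
    """OTR displays a hash of the public signing key; same idea here."""
    return hashlib.sha1(str(y).encode()).hexdigest()


class Party:
    def __init__(self, group):
        self.group = group
        p, q, g = group
        self.x = secrets.randbelow(q - 1) + 1   # long-lived signing secret
        self.y = pow(g, self.x, p)              # long-lived public key
        self.a = None                           # ephemeral DH secret, per session

    def dh_offer(self):
        """Fresh DH value, signed with the long-lived key, plus the public key."""
        p, q, g = self.group
        self.a = secrets.randbelow(q - 1) + 1
        big_a = pow(g, self.a, p)
        return big_a, sign(self.group, self.x, big_a), self.y

    def session_key(self, their_dh):
        """Session id: derived only from the two ephemeral DH secrets."""
        shared = pow(their_dh, self.a, self.group[0])
        return hashlib.sha256(str(shared).encode()).hexdigest()[:16]


def run_exchange(alice, bob, mitm=None, stolen_x=None):
    """Signed DH exchange, optionally through Mallory.  Without a stolen key she
    can only re-sign the genuine DH values under her own key; with Alice's leaked
    signing secret she can also send her own DH value to Bob, signed as Alice."""
    group = alice.group
    a_dh, a_sig, a_y = alice.dh_offer()
    b_dh, b_sig, b_y = bob.dh_offer()
    if mitm is not None:
        b_sig, b_y = sign(group, mitm.x, b_dh), mitm.y      # Bob -> Alice leg re-signed
        if stolen_x is None:
            a_sig, a_y = sign(group, mitm.x, a_dh), mitm.y  # Alice -> Bob leg re-signed
        else:
            a_dh, _, _ = mitm.dh_offer()                    # Mallory's own DH value
            a_sig, a_y = sign(group, stolen_x, a_dh), alice.y
    return {
        "sigs_ok": verify(group, a_y, a_dh, a_sig) and verify(group, b_y, b_dh, b_sig),
        "alice_key": alice.session_key(b_dh),
        "bob_key": bob.session_key(a_dh),
        "alice_sees": fingerprint_of(b_y),   # fingerprint Alice's client shows for Bob
        "bob_sees": fingerprint_of(a_y),     # fingerprint Bob's client shows for Alice
    }


if __name__ == "__main__":
    G = make_group()
    alice, bob, mallory = Party(G), Party(G), Party(G)
    for label, kw in (("honest", {}), ("re-signed", {"mitm": mallory}),
                      ("stolen key", {"mitm": mallory, "stolen_x": alice.x})):
        r = run_exchange(alice, bob, **kw)
        print(label, "keys match:", r["alice_key"] == r["bob_key"],
              "| Bob sees Alice's fingerprint:", r["bob_sees"] == fingerprint_of(alice.y))
```

In the re-signed run both signatures verify and the session keys agree, so only a fingerprint comparison against a value verified earlier exposes the substitution; in the stolen-key run the fingerprint is correct and only the session ids disagree, which is the one situation Ian describes where checking the session id adds anything.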
