[OTR-users] Google Alert : How to keep instant messaging off the record

Ian Goldberg ian at cypherpunks.ca
Tue Oct 18 08:54:18 EDT 2005


On Tue, Oct 18, 2005 at 05:46:24AM +0200, Paul Wouters wrote:
> On Mon, 17 Oct 2005, Aldert J.B.P. Hazenberg wrote:
> 
> >Google pointed me today at :
> >http://internet.newsforge.com/internet/05/10/07/1521221.shtml?tid=13
> 
> He got some minor errors though:
> 
> >Deniable authentication means that, while Bob is talking to Alice, he's
> >assured that he really is talking to Alice, and not an imposter. However,
> >Bob cannot turn around and prove to Charlie that he's talking to
> >Alice. The key here is that all the messages between Alice and Bob come
> >with proof that they were written by either Alice or Bob, but you can't
> >tell which. When Bob gets such a message, he knows that he didn't write
> >it, so it must have been written by Alice. But if Bob shows this message
> >to Charlie, Charlie has no reason to believe Alice wrote it, since Bob
> >could have written it himself.
> 
> He got it wrong here though :(
> (deniability is in the fact that *afterwards* anyone can "encrypt" messages
> with the 'leaked' old keys, so *anyone* who sniffed the communications
>  (not just Alice or Bob) could forge messages in the past (but not read any))

Actually, he's wrong in a few places, but this isn't one of them.  :-)

His explanation is a perfectly reasonable description of the *real-time*
deniable authentication of OTR; i.e. even during the conversation,
before the MAC keys are revealed, Bob can't prove to Charlie that Alice
wrote the message he just received.  Your description is of the
*after-the-fact* forgeability of messages, once the MAC keys are
revealed.

OTR offers quite a few layers of deniability:

- MACs on messages (the "real-time deniability")
- deriving the MAC key from the encryption key ("if you can read it, you
  can forge it")
- publishing the MAC keys (anyone can forge messages after the fact)

> He also tried to run gaim with otrproxy, which is kinda weird.

He apparently had trouble finding another Linux AIM client that
supported proxies.  Do you know of one?

   - Ian
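
An added example, not part of the message above and not OTR's own code: a simplified Python model of the three deniability layers listed in the message. It assumes HMAC-SHA1 tags and a MAC key computed as the SHA-1 of the encryption key; the key, the messages and the function names are constructed for illustration, and no encryption is performed.

```python
import hashlib
import hmac
import os


def derive_mac_key(enc_key: bytes) -> bytes:
    """Layer 2: the MAC key is a one-way hash of the encryption key."""
    return hashlib.sha1(enc_key).digest()


def tag(mac_key: bytes, message: bytes) -> bytes:
    """Layer 1: messages carry a symmetric MAC, not a digital signature."""
    return hmac.new(mac_key, message, hashlib.sha1).digest()


def verify(mac_key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, message), mac)


def demo() -> dict:
    enc_key = os.urandom(16)            # constructed stand-in for the shared key
    alice_key = derive_mac_key(enc_key)
    bob_key = derive_mac_key(enc_key)   # both ends derive the same MAC key

    # Layer 1: Bob accepts Alice's message because he knows he did not write it.
    msg = b"meet at noon"
    bob_accepts_alice = verify(bob_key, msg, tag(alice_key, msg))
    # A tag made with an unrelated key is rejected during the conversation.
    outsider_rejected = not verify(bob_key, msg, tag(os.urandom(20), msg))
    # Bob can tag text Alice never sent; a third party checking the transcript
    # sees a valid tag either way and cannot tell which of the two wrote it.
    never_sent = b"text Alice never sent"
    bob_tag_indistinguishable = verify(alice_key, never_sent, tag(bob_key, never_sent))

    # Layer 2: whoever holds the encryption key can derive the MAC key.
    reader_can_tag = verify(bob_key, msg, tag(derive_mac_key(enc_key), msg))

    # Layer 3: once the MAC key is published, a holder of that key alone
    # (without enc_key) can produce tags that verify for any text.
    published_key = alice_key
    rewritten = b"rewritten transcript line"
    anyone_can_tag_later = verify(published_key, rewritten, tag(published_key, rewritten))

    return {
        "bob_accepts_alice": bob_accepts_alice,
        "outsider_rejected": outsider_rejected,
        "bob_tag_indistinguishable": bob_tag_indistinguishable,
        "reader_can_tag": reader_can_tag,
        "anyone_can_tag_later": anyone_can_tag_later,
    }
```
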


