[OTR-users] How does deniability work?
Ian Goldberg
ian at cypherpunks.ca
Wed Apr 26 09:57:27 EDT 2006
On Tue, Apr 25, 2006 at 06:04:37PM +0200, Thomas Henlich wrote:
> I have read the CodeCon presentation and still don't fully understand
> how deniability works:
>
> "Anyone can forge messages after a conversation to make them look like
> they came from you. However, during a conversation, your correspondent
> is assured the messages he sees are authentic and unmodified."
>
> If at some point in the conversation (after each message?) the old
> message key is published, doesn't it open up the possibility for a MITM
> attack? I.e. the attacker intercepts and holds back two of Alice's
> messages and uses the message key from the second message to forge a
> message and sends it to Bob?
It's a good question. The MAC key for a particular message is only
published at the point Bob is about to erase it from memory. So there's
no way Bob will ever again accept a message MAC'd with that key. The
idea is that the MAC keys aren't revealed after each message, but
rather, slightly more slowly (after changes of directions of the
conversation), so that Bob only publishes and throws away a MAC key when
he sees a message from Alice using the next one in the sequence.
In the scenario you describe, both messages from Alice would be MAC'd
using the same key, which would not be revealed until later on.
- Ian
More information about the OTR-users
mailing list