[OTR-users] What type of encryption?

Gregory Maxwell gmaxwell at gmail.com
Wed Mar 22 22:14:58 EST 2006


On 3/22/06, Ian Goldberg <ian at cypherpunks.ca> wrote:

> You can find all the details on http://otr.cypherpunks.ca/, but at a
> high level, 1536-bit DH for key agreement, 128-bit AES-CTR for message
> encryption, and 160-bit SHA1-HMAC for integrity protection.

I should read the source, but it's easier just to ask...  Is OTR just
using a single DH group? Does the protocol have support for multiple
groups?  Group sharing/agreement?

Thoughts on perhaps a later version of the protocol supporting the use
of a shared secret hashed and XORed with the DH derived key (probably
after a couple of seconds of key strengthening)? It would make a dandy
form of MITM protection for people who can easily exchange a weak
human-compatible secret... As a more sound form of authentication
(exchanging fingerprints) is too much of a nuisance for most people
other than crypto-dorks.  The side effect of mixing it with the DH
derived key is that were DH (or perhaps just the group we're using) to be
found to be profoundly weaker than expected, users who authenticated
with a shared secret would have an additional level of protection.
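
An added example, not part of the original message and not OTR code, sketching the mixing proposed above: a stretched shared secret XORed into the DH-derived key, so that a party who substitutes its own DH value but does not know the secret ends up with a different session key. The toy 127-bit modulus, PBKDF2 as the strengthening function, the salt, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption); OTR uses a 1536-bit DH group.
P = 2**127 - 1          # Mersenne prime, far too small for real use
G = 3
# Assumed work factor; the message suggests tuning to "a couple of seconds".
PBKDF2_ITERATIONS = 200_000

def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_key(priv, peer_pub):
    """Hash the DH shared value down to a 32-byte key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def stretch_secret(secret, salt):
    """Key strengthening of the weak human secret (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)

def session_key(priv, peer_pub, secret, salt):
    """XOR the stretched secret into the DH-derived key."""
    dh = dh_key(priv, peer_pub)
    stretched = stretch_secret(secret, salt)
    return bytes(a ^ b for a, b in zip(dh, stretched))

def demo():
    salt = b"constructed-session-salt"      # constructed sample value
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()            # party in the middle, own DH value

    # Honest run: both ends know the secret and see each other's real value.
    k_a = session_key(a_priv, b_pub, "correct horse", salt)
    k_b = session_key(b_priv, a_pub, "correct horse", salt)

    # Intercepted run: Alice receives m_pub; the middle party can compute
    # the DH key with Alice but has to guess the shared secret.
    k_a_mitm = session_key(a_priv, m_pub, "correct horse", salt)
    k_m = session_key(m_priv, a_pub, "wrong guess", salt)

    return {
        "honest_match": hmac.compare_digest(k_a, k_b),
        "mitm_match": hmac.compare_digest(k_a_mitm, k_m),
    }

if __name__ == "__main__":
    print(demo())
```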



