[OTR-users] What type of encryption?
CLAY SHENTRUP
CLAY at BROKENLADDER.COM
Thu Mar 23 02:30:08 EST 2006
>
> > I should read the source, but it's easier just to ask... Is OTR just
> > using a single DH group? Does the protocol have support for multiple
> > groups? Group sharing/agreement?
>
> Yes, a single DH group in v2. We can add more groups easily enough,
> though, if we need to in the future.

Does this mean multiple DH key agreements between duos, or some way of
having a group shared secret that every member participates in?

> > Thoughts on perhaps a later version of the protocol supporting the use
> > of a shared secret hashed and XORed with the DH derived key (probably
> > after a couple of seconds of key strengthening)? It would make a dandy
> > form of MITM protection for people who can easily exchange a weak
> > human compatible secret... As more sound form of authentication
> > (exchanging fingerprints) is too much of a nuisance for most people
> > other than crypto-dorks. The side effect of mixing it with the DH
> > derived key is that were DH (or perhaps just the group we're using) be
> > found to be profoundly weaker than expected, users who authenticated
> > with a shared secret would have an additional level of protection.
>
> We've talked about this before, and in fact there's a much cooler way to
> do this, which I totally have plans to implement. It's called the
> "socialist millionaire's protocol", and it lets two people determine if
> they both know the same secret, while revealing no information about
> each other's secret if they're not the same. The way that it works is
> that both sides end up computing r^(sA-sB), where sA and sB are Alice
> and Bob's secrets (which don't have to have high entropy), and r is a
> random number neither side learns. So if the secrets are the same, the
> value of this expression is 1, and if they're different, it's a random
> number.

Can you briefly describe how this happens? How is sA-sB calculated by
either party if he can't know the other party's secret? Who chooses what r
is... is it the XOR of a random value generated by each party?
Thanks
--
(05:25:41 PM) NATE: drinking here.
(05:27:26 PM) CLAY: drinking with whom?
(05:27:32 PM) NATE: you man.
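
The following is an added example, not part of the original message or of the OTR source: a Python simulation of one socialist-millionaire construction in which both sides end up with g2^(a3*b3*(x-y)), i.e. the r^(sA-sB) described in the quoted reply, where r = g2^(a3*b3) depends on exponents from both parties and is computable by neither. The group (RFC 2409 Oakley Group 1), the SHA-256 mapping of secrets and all function names are assumptions, and the zero-knowledge proofs a real deployment needs against a cheating peer are omitted.

```python
import hashlib
import secrets

# Assumption: 768-bit safe prime from RFC 2409 (Oakley Group 1); demo size only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # prime order of the subgroup generated by G
G = 2

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def to_exp(secret):
    # Low-entropy secret -> exponent (hypothetical mapping for this example).
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % Q

def div(a, b):
    return a * pow(b, -1, P) % P                 # a / b in Z_P^*

def smp(alice_secret, bob_secret):
    """Simulate both honest parties; return (Alice's result, Bob's result)."""
    x, y = to_exp(alice_secret), to_exp(bob_secret)   # x is Alice's, y is Bob's
    # Round 1: two Diffie-Hellman exchanges fix shared bases g2 and g3.
    a2, a3, b2, b3 = (rand_exp() for _ in range(4))
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)           # Alice -> Bob
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)           # Bob -> Alice
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)
    # Round 2: each side sends its secret blinded by a fresh exponent.
    r, s = rand_exp(), rand_exp()
    pb = pow(g3_bob, r, P)                            # Bob -> Alice
    qb = pow(G, r, P) * pow(g2_bob, y, P) % P         # Bob -> Alice
    pa = pow(g3_alice, s, P)                          # Alice -> Bob
    qa = pow(G, s, P) * pow(g2_alice, x, P) % P       # Alice -> Bob
    # Round 3: each side raises Qa/Qb = G^(s-r) * g2^(x-y) to its own exponent.
    ra = pow(div(qa, qb), a3, P)                      # Alice -> Bob
    rb = pow(div(qa, qb), b3, P)                      # Bob -> Alice
    # Finish: (Qa/Qb)^(a3*b3) / (Pa/Pb) = g2^(a3*b3*(x-y)).
    # Pa/Pb = g3^(s-r) cancels the blinding, leaving 1 only when x == y.
    alice_result = div(pow(rb, a3, P), div(pa, pb))
    bob_result = div(pow(ra, b3, P), div(pa, pb))
    return alice_result, bob_result
```

With matching secrets both results are 1; with different secrets both sides hold the same group element, which looks random and reveals nothing further about the other party's secret to an honest participant.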