[OTR-users] What type of encryption?

Gregory Maxwell gmaxwell at gmail.com
Fri Mar 24 15:00:10 EST 2006


On 3/24/06, CLAY SHENTRUP <CLAY at brokenladder.com> wrote:
> This is probably a stupid question, but if DH was profoundly less secure
> than expected, and a passive attacker Eve could therefore calculate the
> shared secret of Bob and Alice, how would it help that Bob and Alice have
> another way to verify that they have the same secret?

Verify they had the same?
No.  If DH was profoundly less secure than expected a passive attacker
could read the traffic. There would be no detection.

If the secret were further combined with another key established via
some other means, then yes, security would be improved against a
failure of DH.   However, if DH was weak, security would depend solely
on this extra secret material, unless this extra secret were derived
through a method similar to DH, in which case we would then lose most
of the cool OTR properties in the event of a DH break...

I still like the idea of backing DH up with a
shared secret... There is still so much obvious room for advancement
for some forms of crypto that it may well be that RSA, ECC, and all
the DHP based public key systems may all be broken tomorrow by a
single discovery or engineering advance...  Such a sudden and
widespread break is just a lot less likely for the more conventional
symmetric methods (i.e. even if someone found a practical weakness in
AES for our use, it's highly unlikely that it would be a 'cheap' or
total break, and we could very easily change symmetric ciphers)... 
The challenge would be setting up the protocol so that no information
about the shared secret is leaked unless DH is broken... without
falling back to 'deeply unproven assumption' crypto.  The conflicting
goal here is that it's easy to ruin the security of a system which
uses solid algorithms with a single protocol mistake... thus
complexity is the enemy of security.
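The construction discussed above, "backing DH up with a shared secret", as an added example that is not part of the original post and not OTR's own code: the DH output and an out-of-band pre-shared secret (PSK) are mixed through a KDF, so the session key stays secret as long as either input is unknown to a passive attacker. It also shows the failure mode the post worries about: once DH is broken, a key-confirmation tag that leaked nothing before becomes an offline oracle for guessing a low-entropy PSK. The group (2**127 - 1, generator 5), the HKDF-based mixing and the confirmation tag are assumptions made for this example, not protocol parameters from the list.

```python
"""Added example, not from the OTR-users post or from OTR itself.
Mixes a Diffie-Hellman shared secret with an out-of-band PSK and shows
what a passive attacker who has broken DH can still do."""

import hashlib
import hmac
import secrets

# Toy DH group (assumption of this example): 2**127 - 1 is a Mersenne
# prime, chosen only so the example runs instantly. A real deployment
# would use a standardised 2048-bit or larger group.
P = 2**127 - 1
G = 5
SECRET_LEN = (P.bit_length() + 7) // 8


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def dh_keypair():
    """Private exponent in [1, P-2], public value G**priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Raw DH shared secret, fixed-width big-endian encoding."""
    return pow(peer_pub, priv, P).to_bytes(SECRET_LEN, "big")


def derive_session_key(dh_secret: bytes, psk: bytes) -> bytes:
    """Mix the DH output with the PSK. With HMAC acting as a PRF the
    result is unpredictable if EITHER input is unknown to the attacker;
    it is recoverable only when both are known (or guessable)."""
    return hkdf(psk, dh_secret, b"example session key", 32)


def key_confirmation(key: bytes) -> bytes:
    """Tag each side sends to show it holds the same key. Before a DH
    break this reveals nothing about the PSK; after one it is an oracle."""
    return hmac.new(key, b"key confirmation", hashlib.sha256).digest()


def eve_guess_psk(dh_secret: bytes, observed_tag: bytes, candidates):
    """Eve's position after a DH break: she recovered dh_secret from the
    public values and saw the confirmation tag, so she can test PSK
    guesses offline. Returns the PSK if it is in her candidate list."""
    for cand in candidates:
        tag = key_confirmation(derive_session_key(dh_secret, cand))
        if hmac.compare_digest(tag, observed_tag):
            return cand
    return None


def run_session(psk_alice: bytes, psk_bob: bytes):
    """One DH exchange plus PSK mixing on both sides. Returns both
    derived keys and the raw DH secret (what a DH break would hand Eve)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = derive_session_key(dh_shared(a_priv, b_pub), psk_alice)
    k_bob = derive_session_key(dh_shared(b_priv, a_pub), psk_bob)
    return k_alice, k_bob, dh_shared(a_priv, b_pub)


if __name__ == "__main__":
    weak = b"correct horse"  # constructed low-entropy PSK
    k_a, k_b, dh = run_session(weak, weak)
    print("keys agree:", k_a == k_b)
    guesses = [b"hunter2", b"password", weak]
    print("PSK recovered after DH break:", eve_guess_psk(dh, key_confirmation(k_a), guesses))
    strong = secrets.token_bytes(32)
    k_a, k_b, dh = run_session(strong, strong)
    print("strong PSK recovered:", eve_guess_psk(dh, key_confirmation(k_a), guesses))
```

The point the last two lines of the demo make is the one the post circles: mixing in a PSK does protect the session against a DH break, but only to the extent of the PSK's entropy, because the attacker who holds the DH secret can grind guesses offline against any tag or ciphertext. A human-memorable secret therefore needs a construction that does not hand out such an oracle, whereas a 32-byte random secret is fine with plain KDF mixing.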
