[OTR-users] Private Keys File
Ian Goldberg
ian at cypherpunks.ca
Mon Nov 20 15:06:00 EST 2006

On Mon, Nov 20, 2006 at 11:33:33AM -0800, Richard M. Conlan wrote:
> Actually, my reason for asking was to figure out how to manage the
> trade-off of multiple sign-on locations. At current I have a different
> key at home & at work. I was thinking that perhaps I'd just copy the
> keyfile and bring it to work...but since it is unprotected I would then
> be opening up my personal keys to my employer, which isn't cool (at
> least in principle).

Indeed, many people just have different keys at each location. But as
has been mentioned, a motivated employer could get at the keys, even if
they were encrypted. The OTR threat model assumes your local machine is
trusted.

> Anybody want to point me at regions of the code I might want to be
> looking at were I to consider providing a patch to optionally AES
> encrypt the key file?

You'll want to look at libotr/src/privkey.c, and in particular the
otrl_privkey_generate_FILEp and otrl_privkey_read_FILEp routines.
Probably also the otrl_privkey_read_fingerprints_FILEp and
otrl_privkey_write_fingerprints_FILEp routines.

> Uh...what encryption library does OTR use?

libgcrypt. Don't forget to MAC the files after encrypting them.

Thanks! I look forward to your patch! This has certainly been on the
to-do list for a while, but OTR hasn't seen many dev cycles recently. :-(

- Ian
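
The "MAC the files after encrypting them" step from the reply above, as an added example that is not code from libotr or from anyone in this thread: a Python sketch of an encrypt-then-MAC envelope that refuses to release ciphertext for decryption unless the tag verifies. The file layout, the `OTRK` magic, the function names and the iteration cap are all assumptions, and the AES step itself is left out, with constructed bytes standing in for its output.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical layout (not a libotr format): header | salt | iv | ciphertext | tag
MAGIC, VERSION = b"OTRK", 1
SALT_LEN, IV_LEN, TAG_LEN = 16, 16, 32
MAX_ITERATIONS = 5_000_000  # header is read before the MAC check, so bound it
HEADER = struct.Struct(">4sBI")  # magic, version, PBKDF2 iteration count


def derive_keys(passphrase, salt, iterations):
    """Derive separate 32-byte encryption and MAC keys from one passphrase."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def seal(mac_key, salt, iv, ciphertext, iterations):
    """Append an HMAC-SHA256 tag covering header, salt, IV and ciphertext."""
    body = HEADER.pack(MAGIC, VERSION, iterations) + salt + iv + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(passphrase, blob):
    """Verify the tag; return (enc_key, iv, ciphertext) only if it matches."""
    fixed = HEADER.size + SALT_LEN + IV_LEN
    if len(blob) < fixed + TAG_LEN:
        raise ValueError("truncated key file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    magic, version, iterations = HEADER.unpack_from(body)
    if magic != MAGIC or version != VERSION:
        raise ValueError("unrecognised key file")
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("implausible iteration count")
    salt = body[HEADER.size:HEADER.size + SALT_LEN]
    iv = body[HEADER.size + SALT_LEN:fixed]
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC mismatch: wrong passphrase or modified file")
    return enc_key, iv, body[fixed:]  # safe to hand to the AES decrypt step


if __name__ == "__main__":
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    _, mac_key = derive_keys(b"constructed passphrase", salt, 100_000)
    ct = bytes(range(48))  # constructed stand-in for AES output
    blob = seal(mac_key, salt, iv, ct, 100_000)
    print(open_sealed(b"constructed passphrase", blob)[2] == ct)
```

A wrong passphrase and a modified file are deliberately indistinguishable to the caller, since both surface only as a failed tag comparison.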