[OTR-users] Otr

Ian Goldberg ian at cypherpunks.ca
Tue Dec 18 16:10:40 EST 2007


On Mon, Dec 17, 2007 at 08:22:31PM -0800, Carman Carman wrote:
> I liked your paper about otr. But why dont you use
> public key cryptography so that any one can encrypt
> the messages. Then couldnt you just forget the mac
> keys instead of publishing them wouldnt that mean that
> the macs were meaningless then. Since Bob could be bad
> and not forget his key would it be possible to have
> only Alice have to forget her key would that be possible.

If you encrypt messages directly with a long-term public key (like PGP
usually does), you lose the perfect forward secrecy property.  Suppose
someone (say, the IM server operator) is recording all of your
incoming (encrypted) messages. Then, perhaps months later, they manage
to steal your long-term private key, say via a targeted virus.  Now
they can *retroactively* decrypt those months worth of messages.

The way OTR does it, messages are only ever encrypted with extremely
short-lived keys (lasting as little as a couple of messages).  Once both
sides have moved on to new keys, there's no information anywhere that
can decrypt any copies of the intercepted encrypted messages.

The reason we publish the MAC keys rather than forgetting them doesn't
have to do with secrecy; it has to do with deniability.  By publishing
the MAC keys, we make it easy to forge transcripts of conversations,
thus casting doubt on the veracity of any claimed transcript.

Does that make sense?

   - Ian
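The two properties Ian describes above, perfect forward secrecy from discarding short-lived keys and deniability from publishing MAC keys, as an added toy model. This is illustrative code written for this archive page, not libotr or anything from the OTR project; the function names, the random `ephemeral_secret` standing in for OTR's Diffie-Hellman result, and the HMAC-based stream cipher are all assumptions made to keep the example self-contained.

```python
import hmac
import hashlib
import os

# Constructed toy model of two OTR properties: per-message keys that are erased
# (forward secrecy) and MAC keys that are published afterwards (deniability).
# Not libotr code; all names here are assumptions for illustration only.


def derive_keys(ephemeral_secret: bytes, msg_index: int) -> tuple[bytes, bytes]:
    """Derive a per-message (enc_key, mac_key) pair from a short-lived shared secret."""
    salt = msg_index.to_bytes(4, "big")
    enc_key = hmac.new(ephemeral_secret, b"enc" + salt, hashlib.sha256).digest()
    mac_key = hmac.new(ephemeral_secret, b"mac" + salt, hashlib.sha256).digest()
    return enc_key, mac_key


def stream_xor(enc_key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: keystream block i = HMAC(enc_key, i).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(enc_key, counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def mac_verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(mac_key, ciphertext), tag)


def run_session(plaintext: bytes = b"meet at noon") -> dict:
    """Alice sends one message to Bob, then both sides rotate keys.
    Returns what the eavesdropper recorded and what was published afterwards."""
    ephemeral_secret = os.urandom(32)  # constructed stand-in for a DH shared secret
    enc_key, mac_key = derive_keys(ephemeral_secret, 0)
    ciphertext = stream_xor(enc_key, plaintext)
    tag = mac_tag(mac_key, ciphertext)
    bob_accepts = mac_verify(mac_key, ciphertext, tag)
    # An eavesdropper (say, the IM server) keeps exactly the bytes on the wire.
    recording = {"ciphertext": ciphertext, "tag": tag}
    # Both sides move on: the ephemeral secret and enc_key are erased,
    # the mac_key is published. Nothing that remains can decrypt the recording.
    published_mac_key = mac_key
    del ephemeral_secret, enc_key, mac_key
    return {
        "bob_accepts": bob_accepts,
        "recording": recording,
        "published_mac_key": published_mac_key,
    }


def retroactive_decrypt_attempt(recording: dict, stolen_long_term_key: bytes) -> bytes:
    """What a later thief of a long-term key gets from the recording: garbage,
    because the message was never encrypted under that key (forward secrecy)."""
    return stream_xor(stolen_long_term_key, recording["ciphertext"])


def forge_transcript_line(published_mac_key: bytes, fake_ciphertext: bytes) -> tuple[bytes, bytes]:
    """Anyone holding the published MAC key can produce a (ciphertext, tag) pair
    that verifies, so a valid tag no longer proves who wrote the line (deniability)."""
    return fake_ciphertext, mac_tag(published_mac_key, fake_ciphertext)


if __name__ == "__main__":
    session = run_session()
    print("Bob accepted the real message:", session["bob_accepts"])
    junk = retroactive_decrypt_attempt(session["recording"], b"\x01" * 32)
    print("Stolen-key decryption yields plaintext:", junk == b"meet at noon")
    ct, tag = forge_transcript_line(session["published_mac_key"], b"forged line")
    print("Forged line verifies under published MAC key:", mac_verify(session["published_mac_key"], ct, tag))
```

The point of the last two functions is the contrast Ian draws: after rotation, a stolen long-term key recovers nothing from the recorded ciphertext, while the published MAC key lets anyone mint a line that passes verification, which is exactly why a MAC-valid transcript is not evidence of who said what.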
