[OTR-users] Can Bob break Alice's plausible deniability?

Joerg Hermsdorf joerg.hermsdorf at inf.tu-dresden.de
Fri Jun 29 13:10:22 EDT 2007


Hi all,

I installed the OTR plugin for kopete yesterday and had a deeper look at the 
OTR protocol. I couldn't find an answer to my following question in the docs, 
so I decided to post it here.

Imagine the following scenario:
Alice and Bob had an OTR conversation over ICQ. Let's assume the messages are 
sent over a central ICQ server which records all of Alice's conversations. 
Imagine Bob doesn't play by the rules and recorded every shared secret 
they used in their conversation. Together with the ICQ operators Bob can 
prove to any third party what Alice said. How?

Imagine the ICQ server has a legally authorized and approved message recording 
system. Together with Alice's and Bob's Internet Service Providers, the ICQ 
operators can prove that a certain set of OTR (ciphertext) messages was sent 
from Alice's IP address to the ICQ server and delivered to Bob's IP address. 
Now Bob comes into the game and states he has got the encryption keys for 
the messages sent by Alice. The keys presented by Bob indeed reveal a 
meaningful conversation. At this point Alice intervenes and says: "You can't 
believe Bob! I can give you the real encryption keys for our conversation, 
too! Indeed I can give you keys for any conversation of the same length one 
can imagine!" (plausible deniability)
Bob counters: "But do your keys also produce the MACs that were sent with 
your messages?"

I think here's the problem which breaks plausible deniability, because the MAC 
keys MK are always derived from the encryption keys EK.

EK = H(SS), MK = H(EK)    // according to sheet 19 of 
http://www.cypherpunks.ca/otr/otr-codecon.pdf

Bob can prove that the keys he presents produce a meaningful plaintext 
conversation AND that the MAC keys derived from those encryption keys are 
exactly the ones which produce the MACs that were sent with Alice's messages, 
and they are exactly the ones which Alice always published a few messages 
later.

I'm not sure if any court would accept the fact that there is a low 
probability of a collision and that Bob was the lucky one who found those 
false encryption keys that:
a) produce a meaningful plaintext conversation
b) produce derived MAC keys, which are exactly the ones Alice published with 
subsequent messages and produce the MACs Alice sent with her messages

If there's no logical error in my consideration, the conclusion would be to 
not derive the MAC keys from the encryption keys, but to:
a) use a second Authenticated Key Exchange (AKE) to generate MAC keys which 
are independent from the encryption keys
b) use the long lived private keys to sign the ciphertext messages

Well, b) wouldn't allow Alice to deny that she sent a certain ciphertext 
message, because all messages she sent are signed with her private key. But 
that's everything a third party can be sure of. It would allow authenticated 
messages between Alice and Bob and it would allow Alice to generate valid 
encryption keys for arbitrary plaintext messages of the same length => 
plausible deniability. Nobody could prove that Bob revealed the "right" 
encryption keys that were actually used in the conversation between Alice and 
Bob. 


Regards,
Jörg.
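A toy model of the argument in the message above, added here as an illustration and not code from the poster or from the OTR implementation. It assumes, as the message does, that the encryption key EK can explain any plaintext of the same length (modelled as a one-time pad), and compares a MAC key derived as MK = H(EK) against one chosen independently, to show which variant lets a third party tell Bob's real key from Alice's forged one.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed toy model, not OTR's real cipher suite: EK is used as a one-time
# pad so that ANY plaintext of the same length can be "explained" by some key
# (the premise of the deniability claim). MK is either H(EK) or independent.

def derive_mac_key(ek: bytes) -> bytes:
    """MK = H(EK): the dependency the message argues breaks deniability."""
    return hashlib.sha256(b"mac" + ek).digest()

def encrypt(ek: bytes, plaintext: bytes) -> bytes:
    assert len(ek) == len(plaintext)
    return bytes(k ^ p for k, p in zip(ek, plaintext))

def mac(mk: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mk, ciphertext, hashlib.sha256).digest()

def forge_key(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Alice's move: a key under which the recorded ciphertext decrypts to
    whatever she likes (XOR is its own inverse)."""
    return encrypt(ciphertext, claimed_plaintext)

def claim_verifies(ciphertext: bytes, tag: bytes, ek: bytes,
                   mk_independent: Optional[bytes]) -> bool:
    """A third party checks a presented key against the recorded MAC.
    With mk_independent=None the verifier re-derives MK = H(EK)."""
    mk = derive_mac_key(ek) if mk_independent is None else mk_independent
    return hmac.compare_digest(mac(mk, ciphertext), tag)

def run_scenario(mac_key_derived: bool) -> Tuple[bool, bool]:
    """Returns (Bob's real key verifies, Alice's forged key verifies)."""
    real_plaintext = b"meet at noon"
    ek = os.urandom(len(real_plaintext))
    mk = derive_mac_key(ek) if mac_key_derived else os.urandom(32)
    ct = encrypt(ek, real_plaintext)
    tag = mac(mk, ct)                          # what the server recorded
    fake_ek = forge_key(ct, b"hello world!")   # same length, different story
    if mac_key_derived:
        # Verifier derives MK from the presented EK: Alice's fake EK fails.
        return (claim_verifies(ct, tag, ek, None),
                claim_verifies(ct, tag, fake_ek, None))
    # Independent MK: Alice knows the real MK too and presents it with fake EK,
    # so both claims verify and the third party cannot tell them apart.
    return (claim_verifies(ct, tag, ek, mk),
            claim_verifies(ct, tag, fake_ek, mk))
```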
