[OTR-users] Can Bob break Alice's plausible deniability?

Ian Goldberg ian at cypherpunks.ca
Fri Jun 29 14:37:07 EDT 2007


On Fri, Jun 29, 2007 at 07:10:22PM +0200, Joerg Hermsdorf wrote:
> Hi all,
> 
> I installed the OTR plugin for kopete yesterday and had a deeper look at the 
> OTR protocol. I couldn't find an answer to my following question in the docs, 
> so I decided to post it here.
> 
> Imagine the following scenario:
> Alice and Bob had an OTR conversation over ICQ. Let's assume the messages are 
> sent over a central ICQ server which records all of Alice's conversations. 
> Imagine Bob doesn't play by the rules and recorded every shared secret 
> they used in their conversation. Together with the ICQ operators Bob can 
> prove to any third party what Alice said. How?

But IP addresses are totally insecure.  I can grab the first few packets
of any OTR conversation Alice has (with me, for sure, and possibly with
anyone at all; I'd have to think more about this), and use it to
completely forge an entirely new conversation between "Alice" and me
(using the toolkit that comes with OTR software).  Because the MAC keys
are published a few packets on, I can modify the "next D-H pubkey" field
of the first message after her signature, and from then on, I can
completely fake everything.  I then play that conversation through the
real ICQ servers (and loggers), forging Alice's IP address on the
packets that are supposed to come from her.

That all being said, courts accept plaintext logs with no authentication
all the time.  The point of OTR's methodology is that it gives you the
same deniability as plaintext, while at the same time, giving the
participants strong authentication *during* the conversation.

Does that make sense?

   - Ian
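
Added example, not part of Ian's message and not code from the OTR toolkit: a simplified Python model of the property described above, where a MAC key that has been revealed lets anyone compute a valid tag for an altered ciphertext, so a logged transcript with valid MACs proves nothing to a third party. The SHA-256 counter keystream and HMAC-SHA256 are stand-ins for OTR's actual primitives and wire format, and all keys and messages are constructed.

```python
import hashlib
import hmac
import os

def keystream(enc_key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream, a stand-in for OTR's AES counter mode.
    blocks = (hashlib.sha256(enc_key + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    # XOR stream cipher: the same call also decrypts.
    return xor(plaintext, keystream(enc_key, len(plaintext)))

def mac(mac_key: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(mac_key, ciphertext), tag)

def rewrite(ciphertext, known_plain, new_plain, revealed_mac_key):
    # Uses only the revealed MAC key and knowledge of the plaintext,
    # never the encryption key.
    if not len(ciphertext) == len(known_plain) == len(new_plain):
        raise ValueError("lengths must match")
    altered = xor(ciphertext, xor(known_plain, new_plain))
    return altered, mac(revealed_mac_key, altered)

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(20)  # constructed keys
    said = b"meet at noon"                              # constructed message
    ct = encrypt(enc_key, said)
    tag = mac(mac_key, ct)
    live_ok = verify(mac_key, ct, tag)  # Bob's check during the chat
    # Later the protocol reveals mac_key; someone holding a log of (ct, tag)
    # cannot tell the original from this rewrite.
    ct2, tag2 = rewrite(ct, said, b"meet at nine", mac_key)
    return live_ok, verify(mac_key, ct2, tag2), encrypt(enc_key, ct2)

if __name__ == "__main__":
    print(demo())
```

The MAC authenticates a message to Bob only while the key is still secret; once it is revealed, a valid tag on a logged ciphertext no longer ties that ciphertext to Alice.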


