[OTR-users] new user, comments on authentication

Gregory Maxwell gmaxwell at gmail.com
Thu Nov 29 11:52:19 EST 2007


On Nov 29, 2007 2:57 AM, Michael Reichenbach
<michael_reichenbach at freenet.de> wrote:
> 1) Well, if the shared secret is weak against mitm (because of dh) then
> you should drop it.

It's not. That's the *whole point*.  Shared secret is only weak against
MITM if you give away the secret first:  "let's authenticate, the
password is the type of pet you have cat or dog." or if the underlying
cryptographic construct turns out to be weak, which is a risk of the
same nearly unavoidable sort we get from using DH to build keys or
even AES to encrypt messages.

> 2) I think otr is about chatting secure with friends. In this case there
> can be not trusted third party like a web of trust. With a web of trust
> there is always the risk these days that some authority uses legal power
> to compromise that system.
>
> Web of trust can be only useful in commercial use (like ssl for
> communicating with bank. A web of trust has a point in this situation,
> but can be broken by authority with power over the web of trust / or
> even more simply the bank).

SSL certs are not web of trust.
(http://en.wikipedia.org/wiki/Web_of_trust#Contrast_with_typical_PKI)

By definition web of trust lacks a single party to turn. Web of trust
has other problems, unrelated to the points you've raised against
signing authorities.


> 3) As long checking the fingerprint is secure (even if there is an
> active mitm from beginning from the first time for all times) I am happy.
>
> 4) This fingerprint needs to be checked either over a pre-secure channel
> or in a real life meeting. While saying "pre-secure" channel we are also
> back at complicated encryption and pgp.
>
> Phone is not that good for checking fingerprint (ok, voice synthetic
> attack is only in very little cases these days but it's no real secure
> solution).

Which is why virtually no one does it.

> I wish there would be a more easy solution, but I am afraid there isn't.

There is. OTR includes it now. You can authenticate with a previously
established shared secret, using the zero-knowledge socialist
millionaire protocol.


> 5) The otr team did their job. Secure encryption between friends always
> need confirmation anything (fingerprint or public key) within a meeting
> in real life.

Or a shared secret, which is easier for humans to work with...
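
The shared-secret authentication discussed in the message above, as an added sketch that is not part of the original post and not OTR's own code: the core algebra of the socialist millionaire protocol over the RFC 3526 1536-bit group. It leaves out the zero-knowledge proofs and input checks a real implementation attaches to each message, and the function names are made up for this example.

```python
import hashlib
import secrets

# 1536-bit MODP prime from RFC 3526 (group 5); 2 generates the subgroup of order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2


def secret_to_exp(secret: str) -> int:
    # Simplification for this example: hash only the passphrase. A deployed
    # protocol would also bind session-specific data into this value.
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % Q


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


def smp_match(alice_secret: str, bob_secret: str) -> bool:
    """Run both sides of one SMP exchange; True only if the secrets are equal."""
    x, y = secret_to_exp(alice_secret), secret_to_exp(bob_secret)
    # Message 1, Alice -> Bob: g2a, g3a
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)
    # Message 2, Bob -> Alice: g2b, g3b, Pb, Qb (Qb blinds Bob's secret y with r)
    b2, b3, r = rand_exp(), rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2, g3 = pow(g2a, b2, P), pow(g3a, b3, P)
    Pb, Qb = pow(g3, r, P), pow(G, r, P) * pow(g2, y, P) % P
    # Message 3, Alice -> Bob: Pa, Qa, Ra (Alice derives the same g2, g3)
    s = rand_exp()
    assert (pow(g2b, a2, P), pow(g3b, a3, P)) == (g2, g3)
    Pa, Qa = pow(g3, s, P), pow(G, s, P) * pow(g2, x, P) % P
    q_ratio = Qa * pow(Qb, -1, P) % P
    Ra = pow(q_ratio, a3, P)
    # Message 4, Bob -> Alice: Rb. Each side checks Rab == Pa/Pb, which
    # holds exactly when g2^((x - y) * a3 * b3) == 1, i.e. when x == y.
    Rb = pow(q_ratio, b3, P)
    p_ratio = Pa * pow(Pb, -1, P) % P
    bob_ok = pow(Ra, b3, P) == p_ratio
    alice_ok = pow(Rb, a3, P) == p_ratio
    return alice_ok and bob_ok
```

Neither side sends anything derived from the secret without fresh blinding, so a party who does not know it gets one guess per run and the honest side sees a failed run. That is why a secret announced as "cat or dog" gives the protection away.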


