[OTR-users] Stronger crypto?

Gregory Maxwell gmaxwell at gmail.com
Sat May 10 13:09:17 EDT 2008


On Sat, May 10, 2008 at 12:51 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:
[snip]
> Speaking of the DH, if we were to switch to 256-bit symmetric keys, we'd
> have to switch the DH to something in the 10,000-bit range for
> equivalent security.  (Otherwise, it would be way easier to break the DH
> to determine the symmetric key than it would be to break the AES
> directly, and you gain nothing.)  This would be way too slow, since it's
> performed almost every time a message is sent.  We'd probably need
> something elliptic-curve based, which opens up other cans of worms.
[snip]

Hey, I did propose something OTR could do to improve key establishment
security without expanding the DH size:

Cache an established shared secret and mix it with the DH negotiated
key. I.e. take the password provided on each side for
authentication, strengthen it with a zillion rounds of a hash, store
it, then use it to encrypt the DH provided keys.

This means that if DH is found to be weaker than expected, OTR between
authenticated users reduces to symmetric crypto without PFS rather
than being totally broken.

In any case... it still would be an insignificant improvement in
security compared to what would be provided by just about any usability
improvement.
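A sketch of the proposal above, written as an added illustration and not code from OTR or from the poster: the authentication password is strengthened with many PBKDF2 rounds and stored, and the fresh DH output is then mixed with that cached value through an HKDF-style derivation (used here in place of "encrypt the DH provided keys") so that the session key depends on both. Round count, salt, and info labels are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for illustration (not OTR's actual KDF or constants).
PBKDF2_ROUNDS = 200_000  # the "zillion rounds" of hashing applied to the auth password
SALT = b"otr-users-example-salt"  # hypothetical per-pair salt, stored with the cached secret


def cache_strengthened_secret(password: str, salt: bytes = SALT) -> bytes:
    """Strengthen the authentication password; each side stores the result
    for mixing into later DH-derived keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) over HMAC-SHA256, used as the mixing function."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def mix_session_key(dh_shared_secret: bytes, cached_secret: Optional[bytes]) -> bytes:
    """Derive the session key from the fresh DH output, keyed by the cached
    secret when the peers have authenticated. With the cached secret present,
    recovering dh_shared_secret alone (a broken DH) does not yield the key;
    without it, security rests on DH as before."""
    if cached_secret is None:
        return hkdf(b"", dh_shared_secret, b"otr-example-unauthenticated")
    return hkdf(cached_secret, dh_shared_secret, b"otr-example-authenticated")


def demo():
    """Both peers hold the same strengthened password; an observer who learns
    only the DH output derives a different key."""
    alice_cache = cache_strengthened_secret("correct horse battery staple")
    bob_cache = cache_strengthened_secret("correct horse battery staple")
    dh_out = os.urandom(32)  # constructed stand-in for a per-message DH shared secret
    k_alice = mix_session_key(dh_out, alice_cache)
    k_bob = mix_session_key(dh_out, bob_cache)
    k_observer = mix_session_key(dh_out, None)
    return k_alice == k_bob, k_alice != k_observer
```

Note that forward secrecy for the cached secret itself is not provided: compromise of the stored value plus a DH break returns the scheme to the unmixed case, which is exactly the "symmetric crypto without PFS" floor the message describes.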
