[OTR-users] multi-party OTR communications? (and other OTR details)

Ian Goldberg ian at cypherpunks.ca
Mon Sep 22 09:29:32 EDT 2008


On Thu, Sep 18, 2008 at 01:50:44PM -0400, Daniel Kahn Gillmor wrote:
> Hey OTR folks--
> 
> I'm still wrapping my head around the ideas of OTR, and i just wanted
> to float a question or two to people who understand the crypto better
> than myself.
> 
> My understanding is that OTR is designed such that it can only be used
> in two-party communication (private message), and that it cannot be
> used in multi-party communication (e.g. an IRC channel, or an XMPP
> conference room).
> 
> I believe this is because the reason you can get authenticated
> communications in OTR is that only the two parties involved know the
> session key involved.  And if a message arrives that is properly
> wrapped in the session key, you know that it was written by your
> conversation partner simply because you personally did not write it.
> 
> This clearly doesn't scale to the n > 2 case (if you all share a
> session key, how do you know which of the other parties wrote a given
> message?), but is also why OTR has the deniability feature: if the
> other party decides to share your conversation with a third party (and
> they had somehow cached and stored the session info), you can simply
> point out that they knew the session key as well as you did, and they
> could have authored any of the messages themselves.

The above is all exactly right.  That said, there are a couple of people
working on just what a group version of OTR should look like, and what
its properties should be.

> But you cannot deny that you *had* a conversation, assuming the other
> party cached all the traffic and their ephemeral session key, because
> the key verification step is unimpeachable if the DH keys for the
> session are known.

Indeed, with the current version of OTR, if Bob keeps a copy of his
secrets, he can prove that someone he's in cahoots with at some point in
the past started an OTR session with Alice's client.  (Because Alice
signs a MAC over Bob's ephemeral DH key.)  But anyone can start an OTR
conversation with anyone else (quite intentionally).  On the drawing
board is a variation that will remove even this.

> Is my understanding of these points correct?  Am i using terms in ways
> they shouldn't be used?  Am i confused and don't know it?  Any
> insights would be appreciated.  I'd like to make sure i understand
> what assurances are actually being offered by this protocol, because
> i'd like to be able to advocate for its use in the appropriate
> situations.

Looks reasonable to me.

> Regards,
> 
>         --dkg
> 
> PS for the list admin: when i tried to subscribe to this list by
>    replying to the confirmation e-mail, i got the following bounce.  I
>    managed to confirm via the web UI, but you might want to look into
>    this:

Fixed, thanks.

   - Ian
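
The authentication and deniability argument in the thread above, as an added example that is not part of the original message or of the OTR code base. It is a simplified model: a single shared HMAC-SHA256 key stands in for the OTR session key, and the party names, `judge`, and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import os


def mac(key: bytes, msg: bytes) -> bytes:
    """Tag a message with the shared session key (simplified stand-in for OTR's MAC)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag was made by some holder of the key."""
    return hmac.compare_digest(mac(key, msg), tag)


def possible_authors(holders: set, viewer: str, key: bytes, msg: bytes, tag: bytes) -> set:
    """Return who could have written msg, as far as `viewer` can tell.

    A key holder can rule out only themselves ("I did not write it").
    An outsider who is later shown the key can rule out nobody.
    """
    if not verify(key, msg, tag):
        return set()              # not from any key holder
    return holders - {viewer}     # removes nothing if viewer is an outsider


def demo() -> dict:
    key = os.urandom(32)          # constructed session key
    msg = b"meet at noon"         # constructed sample message
    tag = mac(key, msg)           # Alice sends (msg, tag)
    return {
        # Two parties: Bob did not write it, so it must be Alice.
        "bob_two_party": possible_authors({"alice", "bob"}, "bob", key, msg, tag),
        # Bob shows the transcript and key to a third party: Bob could
        # have produced the identical tag, so Alice can deny authorship.
        "judge_two_party": possible_authors({"alice", "bob"}, "judge", key, msg, tag),
        # Three parties sharing one key: Carol cannot tell Alice from Bob.
        "carol_group": possible_authors({"alice", "bob", "carol"}, "carol", key, msg, tag),
        # Bob's own tag over the same message is byte-identical to Alice's.
        "bob_can_forge": hmac.compare_digest(mac(key, msg), tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same property that gives Bob a single possible author in the two-party case is what leaves Carol with two candidates in the group case and the outside observer with no proof at all.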


