[OTR-users] OTR-encryption not safe - DSA 1024bit is too short

Ian Goldberg ian at cypherpunks.ca
Wed Dec 12 13:58:41 EST 2012

On Wed, Dec 12, 2012 at 07:51:38PM +0100, . wrote:
> On 12/12/2012 05:06 PM, Ian Goldberg wrote:
> > On Wed, Dec 12, 2012 at 02:48:51PM +0100, . wrote:
> >> Off-The-Record (OTR) encryption uses DSA 1024bit (DSA goes up to only
> >> 1024bit, equals ~1320bit RSA) and is not secure for the next 10years or
> >> so, or do you want your messages to be readable/encryptable within your
> >> lifetime?
> > DSA isn't used for encryption at all, but only for authentication.  If
> > an OTR conversation uses DSA-1024 today, and DSA-1024 is broken next
> > year, today's conversation remains secure.  The authentication crypto
> > only has to be secure *at the time of the conversation*.
> >
> > The encryption used by OTR is DH-1536 and AES-128, both of which are
> > believed to be fine for a while.
> >
> >    - Ian
> > _______________________________________________
> > OTR-users mailing list
> > OTR-users at lists.cypherpunks.ca
> > http://lists.cypherpunks.ca/mailman/listinfo/otr-users
> DH-1536 is RSA-1536 I guess (for exchanging the AES key, and use AES
> then for speed reasons).

No, RSA is not used at all in OTR.

> But isn't the traffic captured anyway and if one can encrypt RSA-1536
> and see the AES key, then the security is broken. Why not use
> RSA-4096? Is it because of the computation time? Why is it not
> possible to choose RSA-4096 in the pidgin-otr plugin?

What's the advantage of RSA-4096 over RSA-1536?  Are you really worried
that RSA-1536 will be easy to break soon?  Remember also that it doesn't
make sense to make one piece of the crypto much stronger than other
pieces.  So RSA-4096 (if OTR were to use RSA) would be quite mismatched
to AES-128 and SHA-256.

Why it's not possible to choose the crypto to use: that would cause
incompatibilities.  If everyone could choose their own crypto, then some
people wouldn't be able to talk to other people, and there would
possibly even be rollback attacks where an adversary could trick you
into using a weaker cipher than you expect, by claiming not to support
strong ones.

   - Ian

More information about the OTR-users mailing list