[OTR-users] OTR-encryption not safe - DSA 1024bit is too short

. dcMhOYBdpZkH at web.de
Wed Dec 12 14:39:35 EST 2012

On 12/12/2012 07:58 PM, Ian Goldberg wrote:
> On Wed, Dec 12, 2012 at 07:51:38PM +0100, . wrote:
>> On 12/12/2012 05:06 PM, Ian Goldberg wrote:
>>> On Wed, Dec 12, 2012 at 02:48:51PM +0100, . wrote:
>>>> Off-The-Record (OTR) encryption uses DSA 1024-bit (DSA goes up to only
>>>> 1024-bit, equals ~1320-bit RSA) and is not secure for the next 10 years or
>>>> so, or do you want your messages to be readable/encryptable within your
>>>> lifetime?
>>> DSA isn't used for encryption at all, but only for authentication.  If
>>> an OTR conversation uses DSA-1024 today, and DSA-1024 is broken next
>>> year, today's conversation remains secure.  The authentication crypto
>>> only has to be secure *at the time of the conversation*.
>>> The encryption used by OTR is DH-1536 and AES-128, both of which are
>>> believed to be fine for a while.
>>>    - Ian
>>> _______________________________________________
>>> OTR-users mailing list
>>> OTR-users at lists.cypherpunks.ca
>>> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>> DH-1536 is RSA-1536 I guess (for exchanging the AES key, and then using AES
>> for speed reasons).
> No, RSA is not used at all in OTR.
DH is Diffie-Hellman, right? I thought it uses RSA to exchange the
symmetric keys.
Just read:

    Therefore, both DH and RSA recommended key sizes are the same.

>> But isn't the traffic captured anyway and if one can encrypt RSA-1536
>> and see the AES key, then the security is broken. Why not use
>> RSA-4096? Is it because of the computation time? Why is it not
>> possible to choose RSA-4096 in the pidgin-otr plugin?
> What's the advantage of RSA-4096 over RSA-1536?  Are you really worried
> that RSA-1536 will be easy to break soon?  Remember also that it doesn't
> make sense to make one piece of the crypto much stronger than other
> pieces.  So RSA-4096 (if OTR were to use RSA) would be quite mismatched
> to AES-128 and SHA-256.
1536 bits is really not much; even Twitter uses 2048 bits, and Facebook & co.
will update to 2048 soon too.
You know encryption should last a lifetime.
Can I change the 1536 to higher values in the source code (looking at
the char* names, I guess not)?
libotr-4.0.0$ grep -r "1536" .
dh.c:static const int DH1536_MOD_LEN_BITS = 1536;
> Why it's not possible to choose the crypto to use: that would cause
> incompatibilities.  If everyone could choose their own crypto, then some
> people wouldn't be able to talk to other people, and there would
> possibly even be rollback attacks where an adversary could trick you
> into using a weaker cipher than you expect, by claiming not to support
> strong ones.
It should not be possible for the program to claim that one can only use
2048-bit instead of 4096-bit :)
Using 4096-bit should at least be possible by doing ./configure --dh4096,
and it should be fixed and not claimable.
I'd -- and others too, I guess -- even be happy (for the next 5 years (in
reality 2048-bit would last longer, but it's about not being able to decrypt
something for a lifetime)) with 2048 ~AES-112, not AES-128, and it's
still fast to create a key.
Please switch to 2048.
>    - Ian
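Added worked example (written for this page; it is not code from the thread, from libotr or from pidgin-otr): an authenticated ephemeral Diffie-Hellman handshake in the 1536-bit MODP group from RFC 3526 (group 5, generator 2, the group the OTR protocol specifies) that derives an AES-128 key, with a long-term discrete-log signature over the exchanged values standing in for OTR's DSA authentication. It illustrates Ian's point above: the session key depends only on the ephemeral exponents, which are discarded after the handshake, so someone who later steals a long-term signing key can impersonate its owner in a *new* conversation but learns nothing about the key of a recorded one. Assumptions, all labelled in the code: the modulus is transcribed from RFC 3526 and checked for primality at run time rather than trusted; the signature is Schnorr over the same group, not OTR's actual DSA code; the key derivation (SHA-256 over a context byte and the MPI-encoded secret) is illustrative and is not the exact derivation in the OTR spec; 320-bit ephemeral exponents follow the size the OTR spec asks for.

```python
"""Added example: ephemeral DH in the RFC 3526 1536-bit group with a
long-term discrete-log signature for authentication (stand-in for DSA)."""
import hashlib
import secrets

# RFC 3526 group 5 (1536-bit MODP), generator 2. Transcribed here; the
# primality check below is what guards against a transcription error.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates the subgroup of order Q


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to validate the transcribed modulus."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def mpi(n):
    """Big-endian magnitude with a 4-byte length prefix (OTR's MPI form)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(b).to_bytes(4, "big") + b


# --- long-term authentication key (Schnorr signature, a DSA-like stand-in) ---
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(mpi(r) + msg).digest(), "big") % Q
    return e, (k - x * e) % Q


def verify(y, msg, sig):
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = pow(G, s, P) * pow(y, e, P) % P  # = g^k when the signature is valid
    return e == int.from_bytes(hashlib.sha256(mpi(r) + msg).digest(), "big") % Q


# --- ephemeral key agreement ---
def dh_keypair():
    a = 2 + secrets.randbelow((1 << 320) - 2)  # 320-bit exponent, as in the OTR spec
    return a, pow(G, a, P)


def dh_shared(a, peer_pub):
    if not 2 <= peer_pub <= P - 2:  # 0, 1 and P-1 would force a trivial secret
        raise ValueError("bad DH public value")
    return pow(peer_pub, a, P)


def session_key(s):
    """16 AES-128 key bytes from SHA-256(context || MPI(s)). Illustrative KDF,
    not the exact derivation in the OTR spec."""
    return hashlib.sha256(b"\x01" + mpi(s)).digest()[:16]


def handshake(alice_lt, bob_lt):
    """Both sides sign the two ephemeral values with their long-term keys.
    Returns the two derived keys, the public transcript and Alice's signature;
    the ephemeral exponents a and b are dropped, which is what makes the
    recorded conversation independent of later long-term-key compromise."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    transcript = mpi(ga) + mpi(gb)
    sig_a, sig_b = sign(alice_lt[0], transcript), sign(bob_lt[0], transcript)
    if not (verify(alice_lt[1], transcript, sig_a)
            and verify(bob_lt[1], transcript, sig_b)):
        raise ValueError("authentication failed")
    return (session_key(dh_shared(a, gb)), session_key(dh_shared(b, ga)),
            transcript, sig_a)


def impersonate(stolen_x, victim_y):
    """An attacker holding Alice's long-term key authenticates a fresh
    handshake as Alice: this is why the signing key must be secure *at the
    time of the conversation*, while the old transcript stays safe."""
    _, ga = dh_keypair()
    _, gb = dh_keypair()
    transcript = mpi(ga) + mpi(gb)
    return verify(victim_y, transcript, sign(stolen_x, transcript))


if __name__ == "__main__":
    alice, bob = keygen(), keygen()
    ka, kb, _, _ = handshake(alice, bob)
    print("modulus prime:", is_probable_prime(P), "keys match:", ka == kb)
    print("stolen long-term key lets attacker start a new session:",
          impersonate(alice[0], alice[1]))
```

Running the block validates the group constant, shows both sides deriving the same 128-bit key, and shows that a stolen long-term key is enough to pass authentication in a new session while the key of an already-recorded one is never a function of that long-term key.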
