[OTR-users] question on Authenticated Key Exchange (AKE)
Ian Goldberg
ian at cypherpunks.ca
Sat May 5 09:54:47 EDT 2012

On Sat, May 05, 2012 at 12:01:38PM +0100, ix4svs at gmail.com wrote:
> I recently got a question on a blog post that talks a little bit about
> OTR usage. The question concerned initial key exchange.
>
> [QUESTION]
> ... I noticed on the chat history in browser that even before the
> first encrypted message is sent, the accounts exchanged some random
> large string of text and numbers. Much like the subsequent encrypted
> chats. My question is: was the first exchange the key used for
> encryption? Because Google has that text, can they decrypt the chats?
> [/QUESTION]
>
> [MY ANSWER]
> Quick answer: No and no.
>
> Longer answer: I’m not a cryptographer, but the protocol description
> and the levels of trust I have for the people who designed the
> protocol compel me to answer “no, that first exchange was not the key
> used for encryption” (since OTR does not use symmetric crypto anyway,
> but rather Diffie/Hellman aka asymmetric aka public-key cryptography).
>
> See http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html for a
> high-level description of the steps taken for the Authenticated Key
> Exchange (AKE) and
> https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Implementation
> for an overview of the protection you get with OTR.
>
> It’s not just public crypto – it also provides deniability (i.e. your
> messages are not digitally signed by you) and perfect forward secrecy
> (i.e. even successful cryptanalysis of one of your messages does not
> compromise your other messages).
>
> OTR is pretty serious crypto, with a solid theoretical background and
> well-respected people implementing and improving the protocol and
> implementations.
> [/MY ANSWER]
>
> Can someone who really knows how AKE works please verify that the
> answer is not inaccurate/misleading?
>
> Context: https://apapadop.wordpress.com/2012/04/15/stop-google-recording-your-chats/#comments

Nice response. The only slightly inaccurate thing is "(since OTR does
not use symmetric crypto anyway, but rather Diffie/Hellman aka
asymmetric aka public-key cryptography)". OTR does not *only* use
symmetric-key crypto, but it does use it. The key for that
symmetric-key crypto is in fact exchanged using public-key crypto,
though, as is the usual way to do these things. For sure the encryption
key is never sent over the wire.

- Ian
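
The point made in the reply above, as an added sketch that is not part of the original message or of the OTR code base: two parties swap only Diffie-Hellman public values through a relaying server, each derives the same symmetric key locally, and that key never appears in what the server stored. Assumptions: this is plain unauthenticated Diffie-Hellman rather than the OTR AKE (no commitment, no signatures), the 127-bit modulus is a toy size, HMAC-SHA256 stands in for the symmetric step, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: toy group for illustration only. 2**127 - 1 is a Mersenne
# prime, far too small for real use; OTR uses a 1536-bit modulus.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_key(own_private, peer_public):
    """Hash the shared secret peer_public^own_private mod p into a 256-bit key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def verify(key, msg, tag):
    """Symmetric check: only a holder of the derived key can recompute the tag."""
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)


def key_on_wire(key, wire):
    """True if the symmetric key appears in any relayed message."""
    return any(key in blob for blob in wire)


def run_exchange():
    """Simulate both ends; 'wire' is everything the chat server relays and logs."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # The "random large strings" seen in the chat history: public values only.
    wire = [a_pub.to_bytes(16, "big"), b_pub.to_bytes(16, "big")]
    k_alice = session_key(a_priv, b_pub)   # computed locally, never sent
    k_bob = session_key(b_priv, a_pub)     # computed locally, never sent
    msg = b"constructed sample message"    # constructed sample input
    tag = hmac.new(k_alice, msg, hashlib.sha256).digest()
    wire.append(msg + tag)
    return k_alice, k_bob, wire, msg, tag
```
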