[OTR-users] Question about the authenticated key exchange

Ian Goldberg ian at cypherpunks.ca
Sun Oct 28 19:27:36 EDT 2012


On Sun, Oct 28, 2012 at 03:25:01PM -0700, Viktor Stanchev wrote:
> Hi,
> 
> I'm trying to understand why an Authenticated Key Exchange protocol is used
> in OTR instead of just exchanging public keys in plaintext. Where can I
> read more about AKE?

The public keys in OTR are indeed just exchanged in plaintext.  But the
AKE then uses those public keys to securely establish session keys.
This allows for forward secrecy and deniability.

> I'm building a crypto based system that uses the socialist millionaire
> protocol to verify public keys, but I don't need a session at the time of
> the authentication. Users will be sending each other messages later on and
> I don't think I'll be using perfect forward secrecy because the messages
> are not chat messages.

What kind of messages are they?  Does it matter if they can be read by
an adversary next week, next month, or next year?

What do you mean by "later on"?  There's a long time between the
"authenticate public key" step and when the encrypted messages are
actually sent?  Will you have bidirectional communication at the time
messages are sent, or just one-way?

> What do you guys think? Should I skip the AKE?

If you can do the AKE right before sending the messages, that's best.
If you can't, you'll probably also lose deniability.  If you really
don't need deniability or forward secrecy, then you may as well just use
gpg.  You can still verify the GPG public keys with SMP if you like.

   - Ian
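The exchange Ian describes above, as an added example that is not part of the original thread and not OTR's own AKE: OTR authenticates its DH exchange with DSA signatures inside a SIGMA-style protocol, whereas this toy uses a triple-DH construction (static-ephemeral, ephemeral-static and ephemeral-ephemeral shares) so that it runs with the Python standard library alone. It shows the three points from the reply: the long-term public keys travel in the clear and only need to be verified (for instance with SMP) once; the ephemeral keys make every session key fresh, which is what forward secrecy means here; and authentication is a symmetric MAC that either party could have produced, so a transcript proves nothing to a third party (deniability). The `static_only_key` function is the "skip the AKE" alternative from the question. The group parameters are the 1536-bit MODP group from RFC 3526 that OTR uses, transcribed here by hand; all function and message names are this example's own.

```python
"""Toy triple-DH AKE, illustration only. Not OTR's protocol (OTR uses DSA
signatures and a SIGMA-style exchange); do not deploy this as-is."""
import hashlib
import hmac
import secrets

# 1536-bit MODP group from RFC 3526, generator 2 (the group OTR uses).
# Transcribed for this example: verify against the RFC before reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2   # P is a safe prime; G generates the subgroup of order Q
NBYTES = 192       # 1536 bits


def keygen():
    """Fresh DH key pair (private exponent, public value)."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def is_valid_pub(y):
    """Reject identity / small-subgroup public values before using them."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def check_pub(y):
    if not is_valid_pub(y):
        raise ValueError("invalid DH public value")


def transcript(A, X, B, Y):
    """Everything that crossed the wire: both long-term and both ephemeral keys."""
    return b"".join(v.to_bytes(NBYTES, "big") for v in (A, X, B, Y))


def derive(shares):
    """(encryption key, MAC key) from the three DH shares."""
    s = hashlib.sha256(b"".join(v.to_bytes(NBYTES, "big") for v in shares)).digest()
    return (hmac.new(s, b"enc", hashlib.sha256).digest(),
            hmac.new(s, b"mac", hashlib.sha256).digest())


def tag(mac_key, role, t):
    return hmac.new(mac_key, role + t, hashlib.sha256).digest()


def responder_keys(b, y, A, X):
    """Bob's view: X^b proves Bob to Alice, A^y proves Alice to Bob, X^y is ephemeral-only."""
    check_pub(A); check_pub(X)
    return derive([pow(X, b, P), pow(A, y, P), pow(X, y, P)])


def initiator_keys(a, x, B, Y):
    """Alice's view of the same shares (B^x == X^b, Y^a == A^y, Y^x == X^y)."""
    check_pub(B); check_pub(Y)
    return derive([pow(B, x, P), pow(Y, a, P), pow(Y, x, P)])


def run_ake(alice_long, bob_long):
    """Run the exchange; returns (Alice enc key, Bob enc key, Alice MAC key, wire data)."""
    a, A = alice_long
    b, B = bob_long
    x, X = keygen()                          # msg 1, Alice -> Bob: A, X in the clear
    y, Y = keygen()
    enc_b, mac_b = responder_keys(b, y, A, X)
    t = transcript(A, X, B, Y)
    tag_b = tag(mac_b, b"responder", t)      # msg 2, Bob -> Alice: B, Y, tag_b
    enc_a, mac_a = initiator_keys(a, x, B, Y)
    if not hmac.compare_digest(tag_b, tag(mac_a, b"responder", t)):
        raise ValueError("Bob failed to authenticate")
    tag_a = tag(mac_a, b"initiator", t)      # msg 3, Alice -> Bob: tag_a
    if not hmac.compare_digest(tag_a, tag(mac_b, b"initiator", t)):
        raise ValueError("Alice failed to authenticate")
    # x and y are dropped here: with only a, b and the transcript, the X^y
    # share (and so the session key) cannot be rebuilt later (forward secrecy).
    return enc_a, enc_b, mac_a, (t, tag_b, tag_a)


def forge_transcript_as_bob(bob_long, A):
    """Deniability: Bob alone, knowing only Alice's public key A, can fabricate
    a transcript plus both tags that look exactly like a real run."""
    b, B = bob_long
    x, X = keygen()                          # Bob invents "Alice's" ephemeral too
    y, Y = keygen()
    _, mac = responder_keys(b, y, A, X)      # no share needs Alice's secret a
    t = transcript(A, X, B, Y)
    return mac, (t, tag(mac, b"responder", t), tag(mac, b"initiator", t))


def tags_verify(mac_key, wire):
    """What a holder of the session MAC key can check; a judge has no such key."""
    t, tag_b, tag_a = wire
    return (hmac.compare_digest(tag_b, tag(mac_key, b"responder", t)) and
            hmac.compare_digest(tag_a, tag(mac_key, b"initiator", t)))


def static_only_key(my_long_priv, their_long_pub):
    """The 'skip the AKE' option: one fixed key from the long-term keys alone.
    Whoever later obtains either private key recovers every past message."""
    check_pub(their_long_pub)
    shared = pow(their_long_pub, my_long_priv, P)
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()
```

Running `run_ake` twice with the same long-term keys yields two different session keys, while `static_only_key` is the same every time and is computable by anyone who later obtains either long-term private key; that is the trade-off in Ian's answer. The forged transcript verifies under Bob's MAC key exactly like a genuine one, which is why a MAC-authenticated exchange is deniable where a signature over the messages would not be.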
