[OTR-users] Question about the authenticated key exchange
Viktor Stanchev
me at viktorstanchev.com
Mon Oct 29 23:44:19 EDT 2012
Okay, maybe my questions will make more sense if I explain what I'm doing,
so let me try that and maybe you would have some suggestions about what
features I can provide without inconveniencing users.
My plan is to build a social network where users encrypt everything they
share with a limited audience in a way that the server can't read it. Users
need to be able to send messages to multiple recipients (including
themselves) when they share something like a photo. Anything stored on the
server would be encrypted with someone's public key, so the server will
never know the contents of any of the data. Sure, they can keep track of
who is talking to whom, but I think if I'm careful I can add deniability by
allowing users to send messages without authenticating to the server as a
specific user. This opens up the possibility of spam, but I'll worry about
that later.
My plan is to assign everyone a key pair and store it on the server,
protecting the private key with a password. (Yes, I know it can be attacked
offline by the server. It will be up to the user to choose an appropriate
password.) Each user will add friends by basically sending themselves an
encrypted message containing their public keys. After a friend is added, I
plan to give them the ability to use SMP/manual verification to
authenticate the public key stored for their friend.
In many cases the users will not be both online at the time the messages
are sent, but ideally, they will have previously verified each other's
public keys.
As I'm writing this, I'm becoming more convinced that GPG + SMP might be
more suitable for what I'm doing. Maybe I can use OTR just for chat and
skip the verification of public keys because I've already done that when
the friend was added. I guess I still need AKE, just not SMP.
Is there anything I can do to add deniability to an asynchronous
conversation?
- Viktor
On Sun, Oct 28, 2012 at 4:27 PM, Ian Goldberg <ian at cypherpunks.ca> wrote:
> On Sun, Oct 28, 2012 at 03:25:01PM -0700, Viktor Stanchev wrote:
> > Hi,
> >
> > I'm trying to understand why an Authenticated Key Exchange protocol is
> used
> > in OTR instead of just exchanging public keys in plaintext. Where can I
> > read more about AKE?
>
> The public keys in OTR are indeed just exchanged in plaintext. But the
> AKE then uses those public keys to securely establish session keys.
> This allows for forward secrecy and deniability.
>
> > I'm building a cyrpto based system that uses the socialist millionaire
> > protocol to verify public keys, but I don't need a session at the time of
> > the authentication. Users will be sending each other messages later on
> and
> > I don't think I'll be using perfect forward secrecy because the messages
> > are not chat messages.
>
> What kind of messages are they? Does it matter if they can be read by
> an adversary next week, next month, or next year?
>
> What do you mean by "later on"? There's a long time between the
> "authenticate public key" step and when the encrypted messages are
> actually sent? Will you have bidirectional communication at the time
> messages are sent, or just one-way?
>
> > What do you guys think? Should I skip the AKE?
>
> If you can do the AKE right before sending the messages, that's best.
> If you can't, you'll probably also lose deniability. If you really
> don't need deniability or forward secrecy, then you may as well just use
> gpg. You can still verify the GPG public keys with SMP if you like.
>
> - Ian
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20121029/27a755a6/attachment.html>
More information about the OTR-users
mailing list