[OTR-users] How is OTR messaging with Socialist Millionaire Protocol (SMP) protected from Man In The Middle?

Ian Goldberg ian at cypherpunks.ca
Tue Aug 20 11:31:14 EDT 2013


On Tue, Aug 20, 2013 at 03:56:43PM +0300, Marin Dzhigarov wrote:
>  Hello all,
> 
> I'm working on a OTR/SMP related problem and I would appreciate anything to help me better understand how OTR/SMP works.
> 
> Imagine the next situation:
> 
> Alice wants to initiate OTR instant messaging session with Bob but Joe is Man In The Middle.
> 
> Alice negotiates a shared secret 'X' with Joe (thinking he is Bob) using Diffie-Hellman.
> 
> Joe negotiates another shared secret 'Y' with Bob(Bob is thinking that he is negotiating with Alice) using Diffie-Hellman.
> 
> Now Alice and Bob both know that they have established the so called "unverified OTR session", meaning that they are encrypted but none of them have verified their identities (none of them know about the existence of Joe).
> 
> So from what I understand, the Socialist Millionaire Protocol is supposed to be the solution of this problem. Alice has to match her shared secret 'X' with Bob's 'Y' and if they don't match - they will know that they have someone (Joe) in the middle, haven't they?
> 
> Anyway... Obviously X != Y because Joe is in the middle.
> 
> Now, I think I understand the steps in the Socialist Millionaire Protocol but still... I can't see what is stopping Joe from pretending in front of Alice that he is indeed Bob and use SMP to match with her their shared secret 'X' (which they both know)?
> 
> Am I missing something? What is the thing that makes OTR with SMP protected from MitM?
> 
> Any help would be appreciated!
> 
> Thanks in advance!
> 
> Regards, 
> Marin

Alice and Bob don't just compare 'X' with the SMP.  They also compare
some (out-of-band) secret they both know, either as a pre-established
one (scribble some random numbers on a pair of napkins at a bar before
going home and using OTR), or as the question-answer protocol (where the
answer becomes the shared secret).  As long as Joe doesn't have the
shared secret, he cannot impersonate Bob to Alice.

   - Ian



More information about the OTR-users mailing list