[OTR-users] [OTR-dev] otr dh key encryption

Pete Stephenson pete at heypete.com
Tue Feb 19 14:21:59 EST 2013


On 2/19/2013 8:07 PM, Gregory Maxwell wrote:
> On Tue, Feb 19, 2013 at 10:58 AM, Ileana <ileana at fairieunderground.info> wrote:
>> Another note on this:  doesn't this destroy your "plausible
>> deniability"?  If there is some DSA key stored on my computer, that I
>> keep showing to everyone I chat with, and is recoverable if my computer
>> is seized...what is deniable about that?
>>
>> Until someone can explain that to me, I prefer to generate new keys for
>> each communication session.
> 
> That key is never used to sign your communications.  You end up
> effectively only signing short lived symmetrical keying material.
> Basically an attacker can show that at some point you participated in
> a conversation with a particular symmetrical key... but he could
> gladly use that same symmetrical key on as many conversations as he
> likes, even ones not involving you... and he can freely author
> conversations authenticated with that key, even ones you're not a
> part of.

Put a different way, OTR automatically generates a new symmetric key for
each communication session.

Both clients agree upon the same key by using Diffie-Hellman key exchange.

By itself, DH key exchange offers no authentication, so the two parties
have no idea if they're communicating with the person they expect or
with a "man in the middle".

OTR uses long-term keys to establish identity (e.g. so you can be
reasonably assured that the other party is who you expect them to be);
they are used to sign the DH key exchange so you avoid MITM. The
long-term keys are not used to sign individual messages, only the key
exchange.

This means that during the conversation you know that you're talking to
the correct person (as the long-term keys matched during the key
exchange) but since individual messages are not signed and both parties
have the symmetric key there's no way for either party to prove that the
conversation (or any other conversation using the symmetric key, such as
a forged one) actually took place or is unaltered.

(Note: This is a general description based on my understanding of OTR.
The exact technical details may differ or I may be in error.)

Cheers!
-Pete
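
Added example (not part of the original message and not OTR's own code): a sketch of why a transcript authenticated only with the shared session key proves nothing to a third party. Assumptions: a toy DH group, HMAC-SHA256 as the message authenticator, hypothetical function names, and the long-term-key signature over the DH values is omitted.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (assumption): NOT OTR's real parameters.
P = 2**255 - 19
G = 2

def dh_keypair():
    """Fresh ephemeral DH keypair, generated anew for every session."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    """Both sides derive the same symmetric key from the DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def tag(key, sender, text):
    """Authenticate a message with the shared key (a MAC, not a signature)."""
    return hmac.new(key, f"{sender}:{text}".encode(), hashlib.sha256).digest()

def verify(key, sender, text, mac):
    return hmac.compare_digest(tag(key, sender, text), mac)

def demo():
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # In OTR the long-term keys would sign this exchange to stop a MITM;
    # that step is left out here. Only the exchange is signed, never messages.
    k_alice = session_key(a_priv, b_pub)
    k_bob = session_key(b_priv, a_pub)

    genuine = ("alice", "see you at noon")          # constructed sample message
    genuine_mac = tag(k_alice, *genuine)            # really written by Alice

    forged = ("alice", "I never said this")         # constructed sample message
    forged_mac = tag(k_bob, *forged)                # written by Bob, labelled "alice"

    # A second session uses new ephemeral keys, hence a different symmetric key.
    a2_priv, _ = dh_keypair()
    k_next = session_key(a2_priv, b_pub)
    return {
        "keys_match": k_alice == k_bob,
        "genuine_ok": verify(k_bob, *genuine, genuine_mac),
        "forged_ok": verify(k_alice, *forged, forged_mac),
        "new_session_key_differs": k_next != k_alice,
    }
```

The genuine and the forged message verify identically, so holding the key and a valid tag does not show which party wrote a message.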
