[OTR-users] The effectiveness of deniability

Ximin Luo infinity0 at gmx.com
Fri Nov 29 11:19:59 EST 2013


I know that deniability is marketed on the OTR homepage, but thinking about it some more, I'm not convinced it's such a big deal. Even worse, the official literature is misleading with regards to what "deniability" actually means.

IIRC it was presented as an advantage over PGP email, since if you see a single OTR message auth-encrypted with a session key, then there is indeed no way to link it back to any long-term identity keys. (Compare this with a single email directly signed with a long-term PGP key.)

However, I don't think this is a very realistic scenario - if an attacker can see a single OTR message, they very likely can see the original handshake anyway, which *is* linked (logistically, if not cryptographically from the POV of the attacker) to the long-term identity keys, breaking deniability.

I do agree that forward secrecy is important, meaning that future compromises don't affect past messages. However, even in this case, if Bob decides not to discard the session key, and there is a network-level attacker that can verify the direction of messages, then later they can collude to partially cryptographically show that Alice sent a message - the attacker can vouch that Alice sent the message, and Bob can supply the session key to decrypt/verify it.

Is my reasoning correct? If so, this would contradict the claim made here[1]:

"Alice is given deniability; that is, no one, including Bob, can prove the authorship of Alice’s messages to third parties."

since Bob *can* provide such a (partially) cryptographic proof with a network-level colluder.

Additionally this snippet[2] is somewhat naive:

"To ensure that the keys are short-lived, Alice and Bob can choose to perform a new Diffie-Hellman key agreement, discarding the old key and xA, xB values. At this point, it will be impossible for Alice or Bob to decrypt old messages, even with help from an attacker who might remember the transmitted values of g^xA and g^xB, without violating the Diffie-Hellman security assumption."

If either party is going to collude with an attacker, then why would they obey protocol and discard the old keys?

X

[1] http://www.cypherpunks.ca/~iang/pubs/otr_userstudy.pdf
[2] https://otr.cypherpunks.ca/otr-wpes.pdf
-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
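A toy model of the argument in the post, added here as an illustration; it is not part of the original message and not OTR's own code. It uses a constructed Diffie-Hellman group (P, G below; not OTR's real group) and a symmetric HMAC for message authentication, and models a passive network observer who logs message direction. The scenario names (Alice, Bob, the `NetworkObserver` class and `scenario` function) are assumptions made for the example.

```python
"""Deniability vs. a colluding endpoint: a toy model (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed toy DH parameters for illustration only; not OTR's real group.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Ephemeral secret x and transmitted public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_session_key(x, peer_public):
    """Both sides compute g^(xA*xB) mod p and hash it into a symmetric MAC key."""
    shared = pow(peer_public, x, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def mac(session_key, message):
    return hmac.new(session_key, message, hashlib.sha256).digest()


def verify(session_key, message, tag):
    return hmac.compare_digest(mac(session_key, message), tag)


class Party:
    def __init__(self, name):
        self.name = name
        self.x, self.public = dh_keypair()
        self.session_key = None

    def complete_handshake(self, peer_public):
        self.session_key = derive_session_key(self.x, peer_public)
        self.x = None  # discard the exponent once the key is agreed

    def send(self, message):
        return message, mac(self.session_key, message)

    def discard_session_key(self):
        self.session_key = None  # the honest, protocol-following behaviour


class NetworkObserver:
    """Passive observer who records who sent what to whom (direction), plus the tag."""

    def __init__(self):
        self.log = []

    def record(self, sender, receiver, message, tag):
        self.log.append((sender, receiver, message, tag))

    def prove_authorship(self, colluder_key):
        """With a session key handed over by a colluding endpoint, every logged
        (message, tag) pair can be checked; without one, nothing can be."""
        if colluder_key is None:
            return []
        return [(s, m) for s, r, m, t in self.log if verify(colluder_key, m, t)]


def scenario(bob_discards_key, message=b"meet at noon"):
    """Run one session and report which claims hold in this model."""
    alice, bob, observer = Party("Alice"), Party("Bob"), NetworkObserver()
    alice.complete_handshake(bob.public)
    bob.complete_handshake(alice.public)

    msg, tag = alice.send(message)
    observer.record("Alice", "Bob", msg, tag)  # direction is observed, not proven by the tag
    bob_verified = verify(bob.session_key, msg, tag)

    # MAC-level deniability: Bob holds the same key, so he can produce an
    # identical tag. The tag alone cannot distinguish Alice from Bob.
    bob_can_forge = mac(bob.session_key, msg) == tag

    if bob_discards_key:
        bob.discard_session_key()
    proven = observer.prove_authorship(bob.session_key)
    return {
        "bob_verified": bob_verified,
        "bob_can_forge": bob_can_forge,
        "proven_messages": proven,
    }
```

Running `scenario(False)` gives the collusion case from the post: Bob keeps the key, the observer supplies the direction, and together they can check Alice's tag, while `scenario(True)` leaves the observer with only a tag it cannot verify. In both runs `bob_can_forge` is true, which is what the deniability claim rests on: the observer's contribution (direction) is a matter of testimony rather than cryptography, which is why the resulting "proof" is only partial.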
