[OTR-users] OTR mentioned in Snowden documents?

Gregory Maxwell gmaxwell at gmail.com
Thu Sep 12 15:40:09 EDT 2013


On Thu, Sep 12, 2013 at 11:09 AM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> On 09/12/2013 02:00 PM, Paul Wouters wrote:
>> I hope OTR clients on Android would detect the bad RNG class and warn
>> the user. Once fixed (if) hopefully detect and tell the user to cycle
>> keys.
> Yes, we include our own patch in our app (Gibberbot/ChatSecure), and are
> already shipping the fix in beta.
>
> My point was more related to a fear that the bug was not really a bug.

Frustratingly, Google hasn't disclosed the specifics of the bug (a lot
of people are erroneously pointing to the old harmony issues, which
were not the problem on current android).

However, it appears clear enough that the problem was due to forking
copying the OpenSSL state, and thus multiple processes getting the same
random numbers.  This was obviously fatal for some Bitcoin wallet
applications (where it was first publicly noticed) which reused keys
and so the problem resulted in duplicate nonces in DSA.

For OTR, however, I don't see how this could result in traffic
interception unless it was also coupled with MITM (e.g. use a DSA
attack with duplicated R to recover the user's authentication private
key, then MITM the DH). If that was going on at any scale we could
detect it by comparing the session keys on each side.  Sadly, in
pidgin otr there doesn't appear to be a way to get a fingerprint of
the current session key.
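Added illustration (not part of the message above, and not code from any OTR or Android project): a process seeds one RNG, forks, and both parent and child draw a DSA-sized nonce from the inherited state, reproducing the "same random numbers in multiple processes" failure and the reseed-after-fork mitigation; a second helper flags the resulting symptom, repeated r values across signatures. The seeded `random.Random` is an assumed stand-in for the duplicated OpenSSL state, not a CSPRNG.

```python
import os
import random

# Constructed stand-in for the process-wide RNG state that fork() duplicates;
# a seeded random.Random is not a CSPRNG and only models the copied state.
_prng = random.Random(0x5EED)

def draw_nonce(prng: random.Random, bits: int = 160) -> int:
    """Draw a DSA-sized nonce k from whatever RNG state this process holds."""
    return prng.getrandbits(bits)

def nonces_after_fork(reseed: bool) -> tuple[int, int]:
    """Fork, then let parent and child each draw one nonce from the inherited
    state. Returns (parent_nonce, child_nonce). Without a reseed the child's
    copy of the state is byte-identical, so both sides draw the same k."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:  # child process
        os.close(rd)
        if reseed:
            # Mitigation: mix fresh kernel entropy into the child's state.
            # A real service would do this in os.register_at_fork(after_in_child=...).
            _prng.seed(os.urandom(32))
        os.write(wr, draw_nonce(_prng).to_bytes(20, "big"))
        os._exit(0)
    os.close(wr)
    child_bytes = os.read(rd, 20)
    os.close(rd)
    os.waitpid(pid, 0)
    return draw_nonce(_prng), int.from_bytes(child_bytes, "big")

def duplicate_r_values(signatures: list[tuple[int, int]]) -> dict[int, list[int]]:
    """Audit check for the DSA symptom described above: the same nonce k
    yields the same r, so any r seen twice among (r, s) pairs is flagged.
    Returns {r: [indices of the signatures sharing it]} for repeated r only."""
    seen: dict[int, list[int]] = {}
    for idx, (r, _s) in enumerate(signatures):
        seen.setdefault(r, []).append(idx)
    return {r: idxs for r, idxs in seen.items() if len(idxs) > 1}

if __name__ == "__main__":
    same = nonces_after_fork(reseed=False)
    fresh = nonces_after_fork(reseed=True)
    print("without reseed, parent == child:", same[0] == same[1])
    print("with reseed,    parent == child:", fresh[0] == fresh[1])
```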
