[OTR-users] does authentication depend on secrecy of private key

Greg Reagle reagle at cepr.net
Fri Apr 17 11:38:01 EDT 2015


On Fri, Apr 17, 2015, at 11:10 AM, Daniel Kahn Gillmor wrote:
> On Fri 2015-04-17 10:53:01 -0400, Greg Reagle wrote:
> > Then why don't the docs explain this?  I assume that the docs are also
> > for people who want security but don't understand the details of
> > cryptography?  How can the docs claim that "They are also confident that
> > no one watching the network can read their messages" [1]. That seems
> > like an obviously false statement to me.
> 
> This statement clarifies the threat model that OTR tries to address.
> the attacker is someone "watching the network", up to and including
> sitting on the chat server itself and able to see its transit.

The statement is wrong.  If Mallory is watching the network and can use
spyware to get Bob's private key, there should be no confidence in the
privacy.

> The threat model necessarily excludes (doesn't address) some forms of
> attackers, including attackers who have control over the end user's
> device to the point where they can grab the user's secret key.

Why isn't this in the docs?  I think we have a bunch of people who
understand cryptography so well that they don't know how to write docs
for the general public.

> I'm unaware of any cryptosystem that can defend message confidentiality
> against any attacker that has full control over the endpoint device on
> which the message is ultimately read.

I am not suggesting that there are.  I am suggesting that the docs are
overconfident and misleading to those who don't understand cryptography.
 They don't understand all this stuff about what is out of scope and
"obviously the private key has to be kept secret".  That's what
*cryptographers* understand.   What would it hurt to make these
assumptions explicit in documentation?

>  complete endpoint security is a long and deep
> topic, and probably out of scope for the OTR web site.

I am not suggesting the docs comprehensively address complete endpoint
security, just that they mention that the system is completely dependent
on keeping the private keys private, and give a couple of very simple
examples of vulnerabilities like I already did in a previous message. 
I'm sure this is very obvious to all of you, but it's not to people who
aren't versed in cryptography.

> > It is really not that hard for Mallory to get Bob's private key.  If he
> > leaves his computer unattended for 5 minutes Mallory could stick in a
> > USB flash drive and copy his private key.
> 
> OTR does not defend against this attack.

Yes, I understand this.  But I understand cryptography to some extent,
and a lot better than the general public.

>  Locking your computer when you
> are away from it defends against this attack.

Yes, I understand this.  But I understand cryptography to some extent,
and a lot better than the general public.

> > Or Mallory could use spyware or some sort of other hacking.
> Again, if your endpoint is compromised, all the software running on it
> is suspect.

So what?  Why are you telling me this?  I already know this, and the
people who develop OTR already know this.  It is beside my point.  My
point is to put it into the public docs.  And my point is that it makes
the statement about confidence false (unless you explicitly add a
disclaimer about spyware).

> > Or Bob might include his private key file in an online backup or
> > Dropbox not realizing it.
> 
> This is an excellent point, 

It is just a part of my point:  The end-user needs to be *informed* by
the OTR docs that all security is completely dependent on the secrecy of
the private key.

> and it is something that i think the OTR web
> site (and OTR plugins) could make more prominent in the documentation.

Yes, exactly!

