
Debian forms Off-the-Record team

Posted Apr 21, 2014 16:33 UTC (Mon) by giraffedata (guest, #1954)
Parent article: Debian forms Off-the-Record team

> OTR offers deniable authentication: although the chat participants can verify each other's identities at the start of the conversation, the messages themselves are unsigned, so that any adversary who somehow decrypts an intercepted message would also be fully capable of altering its contents. Thus, it cannot be proved after the fact that any allegedly recovered OTR chat log is authentic (as could be argued for intercepted emails with PGP signatures attached).

That can't be right. If the adversary can decrypt the message, he could presumably forge a PGP signature as well.

How about this instead: This is shared secret encryption, so the receiver knows the key the sender uses. So the fact that the receiver is in possession of a message that says, "I promise to pay you $100" does not prove the sender sent such a message; the receiver could have forged it.


Debian forms Off-the-Record team

Posted Apr 21, 2014 21:10 UTC (Mon) by apoelstra (subscriber, #75205) [Link] (2 responses)

> That can't be right. If the adversary can decrypt the message, he could presumably forge a PGP signature as well.

Well, the authentication and encryption keys are different. You're right that if the attacker has really broken the crypto and found a way to produce private keys you are probably screwed (since the attacker can then undetectably forge transcripts), but that is not the attack model OTR is for. The idea here is that if you are coerced into revealing your key, you can simply publish it — then anyone privy to it has the ability to forge conversations, which provides deniability.

In particular if you are forced to decrypt a conversation in court, you cannot prove that you actually said any of the things that were decrypted.

Also, if a signing key is publicly compromised, all the better as far as deniability goes.

Debian forms Off-the-Record team

Posted Apr 23, 2014 15:31 UTC (Wed) by giraffedata (guest, #1954) [Link] (1 responses)

> The idea here is that if you are coerced into revealing your key, you can simply publish it — then anyone privy to it has the ability to forge conversations, which provides deniability.

Again, that does not seem to distinguish OTR from email with PGP signatures. With PGP signatures, one could publish the PGP signing key and then claim someone else could have sent the email.

It also doesn't sound effective. It would be hard to convince someone that you went to the trouble of encrypting a conversation, but published the key before you were caught. And publishing it after you were caught doesn't provide deniability that you and the receiver were the only ones who could have generated the message that the police already have in hand.

Debian forms Off-the-Record team

Posted Apr 23, 2014 16:19 UTC (Wed) by nybble41 (subscriber, #55106) [Link]

> It would be hard to convince someone that you went to the trouble of encrypting a conversation, but published the key before you were caught.

That would be true if you had to manually publish the key, but that's not how OTR works. The per-message authentication key is derived from the decryption key, guaranteeing that anyone who was able to read the encrypted message could also have forged it. The key (which is not reused) is also revealed as part of the next message.

There's a better description here:
http://en.wikipedia.org/wiki/Deniable_authentication

With PGP you use the same key to sign every message, so it needs to be kept private and can be used to identify you as the source. OTR uses a different key for every message, so there's no problem with revealing the key once the message has been authenticated.
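A small model of the mechanism nybble41 describes above, added here as an example that is not part of the thread and is not OTR's or libotr's own code. It derives the per-message MAC key from the encryption key, authenticates the ciphertext with an HMAC, and then shows why a verified transcript proves nothing about who wrote it: the receiver holds the same keys as the sender, and once the MAC key is revealed any third party can attach a valid tag to bytes of their choosing. The key derivation, the hash-based keystream and the message layout are constructed stand-ins for the real protocol, not OTR's wire format.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed toy model of OTR-style deniable authentication (added example,
# not OTR's actual protocol). Simplifications assumed here:
#  - a random per-message secret stands in for the Diffie-Hellman-agreed key;
#  - the MAC key is a hash of the encryption key, so anyone who can decrypt
#    can also authenticate;
#  - "encryption" is a hash-based counter-mode keystream, for illustration only.


def derive_keys(message_secret: bytes) -> Tuple[bytes, bytes]:
    """Return (enc_key, mac_key). mac_key depends on enc_key alone."""
    enc_key = hashlib.sha256(b"enc" + message_secret).digest()
    mac_key = hashlib.sha256(b"mac" + enc_key).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, length: int) -> bytes:
    """Hash-based counter-mode keystream (illustrative, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt, then MAC the ciphertext. Returns (ciphertext, tag)."""
    ciphertext = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_message(enc_key: bytes, mac_key: bytes,
                 ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag and decrypt; None if the tag does not verify."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, _keystream(enc_key, len(ciphertext)))


def forge_tag(revealed_mac_key: bytes, any_bytes: bytes) -> bytes:
    """What anyone holding a revealed MAC key can do: tag arbitrary bytes."""
    return hmac.new(revealed_mac_key, any_bytes, hashlib.sha256).digest()


def demo() -> dict:
    """Walk through one message and the three deniability observations."""
    message_secret = os.urandom(32)  # constructed stand-in for the DH secret
    enc_key, mac_key = derive_keys(message_secret)

    # 1. Alice sends; Bob verifies the tag and reads the message.
    ct, tag = seal(enc_key, mac_key, b"I promise to pay you $100")
    received = open_message(enc_key, mac_key, ct, tag)

    # 2. Without the MAC key, a modified ciphertext is rejected: the MAC
    #    still provides integrity for the live conversation.
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    tampered_rejected = open_message(enc_key, mac_key, tampered, tag) is None

    # 3. Bob, the receiver, holds exactly the same keys as Alice, so he can
    #    produce a transcript entry Alice never sent that verifies just as well.
    forged_ct, forged_tag = seal(enc_key, mac_key, b"I promise to pay you $1000")
    receiver_forgery_verifies = (
        open_message(enc_key, mac_key, forged_ct, forged_tag)
        == b"I promise to pay you $1000"
    )

    # 4. After the message is authenticated the MAC key is published (OTR
    #    reveals it in a later message). A third party with only that key can
    #    attach a valid tag to bytes it never decrypted, so a verifier holding
    #    the keys accepts it as "authentic".
    revealed_mac_key = mac_key
    outsider_ct = os.urandom(len(ct))
    outsider_tag = forge_tag(revealed_mac_key, outsider_ct)
    outsider_forgery_verifies = (
        open_message(enc_key, mac_key, outsider_ct, outsider_tag) is not None
    )

    return {
        "received": received,
        "tampered_rejected": tampered_rejected,
        "receiver_forgery_verifies": receiver_forgery_verifies,
        "outsider_forgery_verifies": outsider_forgery_verifies,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The contrast with the PGP case in the thread is in the key separation: an HMAC tag is checked with the same key that produces it, so every party that can verify a message can also mint one, whereas a signature is checked with a public key that cannot produce signatures, which is why a signed email still identifies its author after the fact.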


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds