LWN: Comments on "Debian forms Off-the-Record team"
https://lwn.net/Articles/594928/

Comments posted to the LWN article "Debian forms Off-the-Record team" (newest first).

---

nybble41, Wed, 23 Apr 2014 16:19:01 +0000
https://lwn.net/Articles/595785/

> It would be hard to convince someone that you went to the trouble of encrypting a conversation, but published the key before you were caught.

That would be true if you had to manually publish the key, but that's not how OTR works. The per-message authentication key is derived from the decryption key, guaranteeing that anyone who was able to read the encrypted message could also have forged it. The key (which is not reused) is also revealed as part of the next message.

There's a better description here:
http://en.wikipedia.org/wiki/Deniable_authentication

With PGP you use the same key to sign every message, so it needs to be kept private and can be used to identify you as the source. OTR uses a different key for every message, so there's no problem with revealing the key once the message has been authenticated.

---

giraffedata, Wed, 23 Apr 2014 15:31:59 +0000
https://lwn.net/Articles/595760/

> The idea here is that if you are coerced into revealing your key, you can simply publish it — then anyone privy to it has the ability to forge conversations, which provides deniability.

Again, that does not seem to distinguish OTR from email with PGP signatures. With PGP signatures, one could publish the PGP signing key and then claim someone else could have sent the email.

It also doesn't sound effective. It would be hard to convince someone that you went to the trouble of encrypting a conversation, but published the key before you were caught. And publishing it *after* you were caught doesn't provide deniability that you and the receiver were the only ones who could have generated the message that the police already have in hand.

---

apoelstra, Mon, 21 Apr 2014 21:10:05 +0000
https://lwn.net/Articles/595587/

> That can't be right. If the adversary can decrypt the message, he could presumably forge a PGP signature as well.

Well, the authentication and encryption keys are different. You're right that if the attacker has really broken the crypto and found a way to produce private keys you are probably screwed (since the attacker can then undetectably forge transcripts), but that is not the attack model OTR is for. The idea here is that if you are coerced into revealing your key, you can simply publish it — then anyone privy to it has the ability to forge conversations, which provides deniability.

In particular if you are forced to decrypt a conversation in court, you cannot prove that you actually said any of the things that were decrypted.

Also, if a signing key is publicly compromised all the better as far as deniability goes.

---

giraffedata, Mon, 21 Apr 2014 16:33:57 +0000
https://lwn.net/Articles/595567/

> OTR offers deniable authentication: although the chat participants can verify each other's identities at the start of the conversation, the messages themselves are unsigned, so that any adversary who somehow decrypts an intercepted message would also be fully capable of altering its contents. Thus, it cannot be proved after the fact that any allegedly recovered OTR chat log is authentic (as could be argued for intercepted emails with PGP signatures attached).

That can't be right. If the adversary can decrypt the message, he could presumably forge a PGP signature as well.

How about this instead: This is shared secret encryption, so the receiver knows the key the sender uses. So the fact that the receiver is in possession of a message that says, "I promise to pay you $100" does not prove the sender sent such a message; the receiver could have forged it.
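The mechanism nybble41 describes above (a per-message MAC key derived from the decryption key, then revealed once the message is acknowledged), as an added Python sketch that is not code from the thread or from OTR itself. The SHA-256-based keystream and the "enc|"/"mac|" derivation labels are constructed stand-ins for OTR's real AES-CTR and key-derivation steps; the point it shows is that a valid tag never identifies the author to a third party.

```python
import hashlib
import hmac
import os

def derive_keys(shared_secret: bytes) -> tuple:
    # Encryption key from the DH shared secret; the MAC key is derived from the
    # encryption key itself (as OTR does), so whoever can decrypt can also MAC.
    enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac|" + enc_key).digest()
    return enc_key, mac_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256 (stand-in for OTR's AES-CTR).
    blocks = [hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes) -> dict:
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def verify_tag(mac_key: bytes, msg: dict) -> bool:
    # Authentication needs only the shared MAC key, never a private signing key.
    expected = hmac.new(mac_key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["tag"])

def open_msg(enc_key: bytes, mac_key: bytes, msg: dict):
    # Returns the plaintext, or None if the tag does not verify.
    if not verify_tag(mac_key, msg):
        return None
    ks = _keystream(enc_key, msg["nonce"], len(msg["ct"]))
    return bytes(c ^ k for c, k in zip(msg["ct"], ks))

def deniability_demo() -> dict:
    shared_secret = os.urandom(32)  # constructed: stands in for the DH handshake output
    enc_key, mac_key = derive_keys(shared_secret)
    genuine = seal(enc_key, mac_key, b"I promise to pay you $100", os.urandom(8))
    # 1. The receiver holds the same keys, so a message it fabricates verifies just as well.
    by_receiver = seal(enc_key, mac_key, b"I promise to pay you $1000", os.urandom(8))
    # 2. An adversary who recovers only the decryption key can re-derive the MAC key.
    by_decryptor = seal(enc_key, hashlib.sha256(b"mac|" + enc_key).digest(), b"forged", os.urandom(8))
    # 3. Once the message is acknowledged the sender reveals the single-use MAC key;
    #    anyone holding just that key (here: mac_key) can attach a valid tag to arbitrary bytes.
    junk = {"nonce": os.urandom(8), "ct": os.urandom(25)}
    junk["tag"] = hmac.new(mac_key, junk["nonce"] + junk["ct"], hashlib.sha256).digest()
    return {"genuine_opens": open_msg(enc_key, mac_key, genuine) == b"I promise to pay you $100",
            "receiver_forgery_verifies": verify_tag(mac_key, by_receiver),
            "decryptor_forgery_verifies": verify_tag(mac_key, by_decryptor),
            "third_party_tag_verifies": verify_tag(mac_key, junk)}
```

Contrast with PGP: a signature verifies against a long-lived public key whose private half only the signer holds, so the same check that authenticates the message to the recipient also identifies the signer to everyone else.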