mailing list archives
Re: Skype chat encryption with OTR
From: JM <ubahmapk () gmail com>
Date: Thu, 19 Jun 2008 08:55:01 -0500
On Thu, Jun 19, 2008 at 01:28, Tonnerre Lombard
<tonnerre.lombard () sygroup ch> wrote:
On Thu, 19 Jun 2008 13:00:49 +1000, rawket wrote:
/There is no denying that an OTR Conversation has been encrypted..
Its because the private keys change ultra-frequently, and the keys
are short lived that it provides the 'plausible deniability'
Not exactly. The plausible deniability is due to the fact that the
signature is executed using a symmetric key known to both parties, so
that either party (but noone else) could have sent the message.
Actually, the shared keys are *published* once they're discarded to
improve plausible deniability. That lets anyone forge an *old*
message, but ensures you wont' accept a forged message during the
course of the conversation.
Revealing MAC keys
Whenever you are about to forget either one of your old D-H key pairs,
or one of your correspondent's old D-H public keys, take all of the
receiving MAC keys that were generated by that key (note that there
are up to two: the receiving MAC keys produced by the pairings of that
key with each of two of the other side's keys; but note that you only
need to take MAC keys that were actually used to verify a MAC on a
message), and put them (as a set of concatenated 20-byte values) into
the "Old MAC keys to be revealed" section of the next Data Message you
send. This in done to allow the forgeability of OTR transcripts: once
the MAC keys are revealed, anyone can modify an OTR message and still
have it appear valid. But since we don't reveal the MAC keys until
their corresponding pubkeys are being discarded, there is no danger of
accepting a message as valid which uses a MAC key which has already
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/