[Ach] OTR crypto

ianG iang at iang.org
Thu Jun 12 16:36:59 CEST 2014 

On 12/06/2014 14:04 pm, Hanno Böck wrote:
> On Thu, 12 Jun 2014 11:49:16 +0200
> Adi Kriegisch <adi at kriegisch.at> wrote:
> 
>> I just had a short look at OTR and noticed that OTR is using DSA keys;
>> trying to find more details I found this:
>> https://www.mail-archive.com/otr-dev@lists.cypherpunks.ca/msg00977.html
>> "the current long term keys in OTR are using old DSA standard
>>  NIST 800-57 with 1024 bit prime and with SHA-1 as hash function."


As we've mentioned many times, DSA is to be avoided because it requires
good random numbers.  This makes it strictly inferior to RSA in an
implementation-robustness sense.  Deprecate where we can.


>> Is there anyone who may comment on the security of OTR? we have OTR
>> featured in src/practical_settings/im.tex
> 
> They use forward secrecy with a larger DH group size afaik. That makes
> the short DSA key less of an issue, although its still not nice.


I think given the overall value proposition of OTR, the choice of crypto
params isn't such a big issue.


> However, I think there are some more fundamental problems with OTR -
> the main being that it is an online-only protocol (which is due to the
> fact that they use forward secrecy which is nontrivial to make
> offline-compatible).


Right, that too.

> Most clients fall back to not encrypting at all if the chat partner is
> offline. IMHO a usability nightmare.

Right, because it is layered over the top of an existing
client/messaging infra, it bumps up against the mechanisms of that
layer, e.g., cannot assume any storage.  The initial message can be
unencrypted, which rubs up against the 2% rule.  The end result is quite
fraught, and IMHO it doesn't work as well as Skype, even considering the
NSA/MS revelations.

Seeing as we're on that topic, OTR also has a confused and dangerous
security proposition.  It tries to present a notion of "off the record"
but as a protocol and not a client, it cannot do more than hand wave at
that.  In reality, the client holds the record, and the games that OTR
plays by publishing keys to create plausible deniability backfire:  if
you are in court and you say that you rely on OTR to create plausible
deniability of your transcripts, you've just destroyed your credibility
as a witness because you took steps to lie before the court.

Nice experiment.  Perverse results.  Use it but don't rely on it.  I
understand that the Jabber world are looking to replace it...


> The whole area of encrypted messaging is kind of a mess. Textsecure
> looks quite nice in that regard and uses something called the
> Axolotl-Protocol to combine forward secrecy and offline messages.
> However it's currently android-only.


One of the things that futzes with the mind here is that there are
multiple conflicting requirements.  For example forward secrecy is fine
on paper but if we also add group chat, forward secrecy starts to look
eccentric and beyond reasonableness.  So far, I don't think the whisper
team have published their answer to group chat.

(I'm in this area atm, an intern is working on the secure chat for my
money system.  We have other issues such as extortion/blackmail to deal
with which also causes headaches for traditional and simplistic CIA and
point to point.)



iang

More information about the Ach mailing list