On 1/31/14 10:36 AM, Adam Zimmerman wrote:
> OTR used to have something called a session id (IIRC), which was
> essentially a long version of an SAS. I think they removed it around
> the same time they started using the Socialist Millionaire Protocol to
> do shared secret auth, for usability reasons.
Note that a truncated session id (e.g. hash of the session key) is not as secure as an interactive SAS. If the attacker knows that you'll only be comparing the first N bits of the session id, then they can (usually) compute a bunch of different potential sessions offline, and go with the one that yields enough of a collision to pass the comparison test.

SAS, because it's interactive, doesn't enable offline computation: you get just one guess, and you get a 2^-N chance of getting it right, no matter how fast your CPU is. Adding roundtrips can turn a lot of short-string protocols from "only secure against slow computers" into "only as secure as the string length".

SAS is particularly nice for real-world implementors because it's just hashes and XOR, none of that fancy modular math :-).

cheers,
-Brian

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
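The difference described above (an offline collision search against a truncated session id versus a single blind guess against an interactive SAS), as an added Python simulation that is not part of the original thread. The commit-then-reveal SAS shape (commit to r_a, receive r_b, reveal r_a, SAS = r_a XOR r_b), the 12-bit string length and all key material are assumptions of the example.

```python
import hashlib
import random

N_BITS = 12  # bits of the short string the humans compare (constructed, small for speed)

def trunc(data: bytes, bits: int = N_BITS) -> int:
    """First `bits` bits of SHA-256(data): the 'short string' shown to the users."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") >> (32 - bits)

def offline_session_id_attack(alice_side_id: int, bits: int = N_BITS, max_tries: int = 1 << 20):
    """Truncated session id: a MITM holds one session with each victim and controls its own
    key share in each, so it grinds candidate shares offline until the session on Bob's side
    yields an id whose first `bits` bits equal the id Alice already sees. Returns tries or None."""
    for i in range(max_tries):
        candidate_session = b"mitm-share-" + i.to_bytes(8, "big")  # constructed key material
        if trunc(candidate_session, bits) == alice_side_id:
            return i + 1
    return None

def commitment(nonce: int, bits: int = N_BITS) -> bytes:
    """Hash commitment to a nonce: the 'hash' half of 'hashes and XOR'."""
    return hashlib.sha256(nonce.to_bytes((bits + 7) // 8, "big")).digest()

def sas_mitm_round(rng: random.Random, commit: bool, bits: int = N_BITS) -> bool:
    """One MITM attempt against the assumed interactive SAS. With commit=True each party's
    nonce is fixed (hashed) before the other's is seen, so the MITM must pick its nonces
    blind; with commit=False the nonces go in the clear and it can solve for its own."""
    r_a = rng.getrandbits(bits)  # Alice's nonce, session Alice<->MITM
    r_b = rng.getrandbits(bits)  # Bob's nonce, session MITM<->Bob
    if commit:
        c_a = commitment(r_a, bits)   # all the MITM sees before it must answer Alice
        r_m1 = rng.getrandbits(bits)  # best effort: a guess, sent before r_a is revealed
        r_m2 = rng.getrandbits(bits)  # committed to Bob before Bob sends r_b
    else:
        r_m2 = rng.getrandbits(bits)
        r_m1 = r_a ^ r_m2 ^ r_b       # chosen after seeing r_a and r_b: forces equality
    return (r_a ^ r_m1) == (r_m2 ^ r_b)

def mitm_success_rate(commit: bool, trials: int = 4000, seed: int = 7, bits: int = N_BITS) -> float:
    """Empirical MITM success rate: 1.0 without commitment, about 2**-bits with it."""
    rng = random.Random(seed)
    return sum(sas_mitm_round(rng, commit, bits) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("offline collision after", offline_session_id_attack(trunc(b"alice-session")), "tries")
    print("SAS without commitment, MITM success:", mitm_success_rate(commit=False))
    print("SAS with commitment, MITM success:   ", mitm_success_rate(commit=True))
```

The offline search finishes after roughly 2^N candidate sessions however N is chosen, while the committed SAS leaves the MITM with one guess per protocol run regardless of compute.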
