Hi, after reading the SIGMA and OTR papers I was wondering why four MAC keys instead of only two are needed for the protocol.
In the protocol description [1], in the third step, Bob derives the MAC keys m1 and m2 (among other keys not relevant for my question). The MAC key m2 is used in the usual way to authenticate the encrypted packet. However, the key m1 is used to create a MAC over the ephemeral DH public keys (g^x, g^y), the long-term public key and the keyid. By looking at the libotr code, it can be seen that HMAC-SHA256 is used for the MAC. After that, this MAC is signed with Bob's long-term private key. Another look at the code reveals that DSA with SHA256 is used for signing. Thus, in the process of signing, another hash (SHA256) is calculated over the existing MAC hash (HMAC-SHA256).

* Why is this form of "double hashing" necessary?
* Is it just because two keys (m1 and the private signing key) are better than just one (the private signing key)?
* Why is this data (g^x, g^y, the long-term public key and the keyid) not just signed traditionally, so that the additional MAC can be omitted?

cheers,
stefan

[1] http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html

_______________________________________________
OTR-dev mailing list
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
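The construction the question describes (AKE step 3: MAC_m1 over g^x, g^y, pub_B, keyid_B with HMAC-SHA256, then sig_B over that MAC with DSA-with-SHA256, and MAC_m2 over the packet; step 4: Alice recomputes MB from her own view of the DH values and checks the signature), as an added, runnable illustration. It is not code from the original message or from libotr. Assumptions: DSA domain parameters are generated at import (512-bit p, 160-bit q, smaller than the real keys, so it runs offline with only the standard library); DH reuses that DSA group rather than OTR's 1536-bit MODP group; the AES-CTR encryption of X_B under c is omitted; the OTRv2/v3 key derivation h2(b) = SHA256(b || MPI(s)) is followed but other wire encodings are simplified; all function names are hypothetical.

```python
# OTR AKE step 3 (MAC then sign) and Alice's step 4 check. Added illustration,
# not libotr code; assumptions are listed in the lead-in above.
import hashlib
import hmac
import secrets

def is_prime(n, rounds=16):
    # Miller-Rabin; only ever called on large odd candidates here
    if n < 2 or any(n % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def dsa_params(pbits=512, qbits=160):
    # FIPS 186 shape: primes with q | p-1 and a generator g of order q
    q = p = 0
    while not is_prime(q):
        q = secrets.randbits(qbits) | 1 << (qbits - 1) | 1
    while not is_prime(p):
        p = ((secrets.randbits(pbits - qbits) | 1 << (pbits - qbits - 1)) & ~1) * q + 1
    return p, q, pow(2, (p - 1) // q, p)

P, Q, G = dsa_params()

def dsa_sign(x, msg):
    # DSA-with-SHA256 hashes the message first (leftmost 160 bits for a 160-bit
    # q). In OTR that message is already an HMAC-SHA256 tag: the "double hash".
    h = int.from_bytes(hashlib.sha256(msg).digest()[:20], "big")
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r and s:
            return r, s

def dsa_verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    h, w = int.from_bytes(hashlib.sha256(msg).digest()[:20], "big"), pow(s, -1, Q)
    return pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def mpi(n):
    # OTR MPI: 4-byte big-endian length, then the magnitude bytes
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return len(b).to_bytes(4, "big") + b

def read_mpi(buf):
    n = int.from_bytes(buf[:4], "big")
    return int.from_bytes(buf[4:4 + n], "big"), buf[4 + n:]

def derive_keys(s):
    # OTRv2/v3: h2(b) = SHA256(b || secbytes), secbytes = MPI(s); c and c' are
    # the halves of h2(0x01), m1 = h2(0x02), m2 = h2(0x03) (m1', m2' = 0x04, 0x05)
    secbytes = mpi(s)
    h2 = lambda b: hashlib.sha256(bytes([b]) + secbytes).digest()
    return {"c": h2(1)[:16], "m1": h2(2), "m2": h2(3)}

def mac_mb(m1, gx, gy, pub, keyid):
    # MB = MAC_m1(g^x, g^y, pub_B, keyid_B) with HMAC-SHA256, as in libotr
    return hmac.new(m1, mpi(gx) + mpi(gy) + mpi(pub) + keyid.to_bytes(4, "big"),
                    hashlib.sha256).digest()

def bob_step3(priv_b, pub_b, keyid_b, gx, gy, s):
    keys = derive_keys(s)
    r, sg = dsa_sign(priv_b, mac_mb(keys["m1"], gx, gy, pub_b, keyid_b))
    x_b = mpi(pub_b) + keyid_b.to_bytes(4, "big") + mpi(r) + mpi(sg)  # X_B
    # real OTR sends AES_c(X_B) and takes MAC_m2 over that ciphertext
    return x_b, hmac.new(keys["m2"], x_b, hashlib.sha256).digest()

def alice_step4(x_b, mac2, gx, gy, s):
    keys = derive_keys(s)
    if not hmac.compare_digest(hmac.new(keys["m2"], x_b, hashlib.sha256).digest(), mac2):
        return False  # packet MAC under m2 does not verify
    pub_b, rest = read_mpi(x_b)
    keyid_b, rest = int.from_bytes(rest[:4], "big"), rest[4:]
    r, rest = read_mpi(rest)
    sg, _ = read_mpi(rest)
    # recompute MB from Alice's own view of g^x, g^y, then check sig_B(MB)
    return dsa_verify(pub_b, mac_mb(keys["m1"], gx, gy, pub_b, keyid_b), (r, sg))

def run_exchange(swap_gx=False):
    # DH reuses the DSA group for brevity (OTR uses the 1536-bit MODP group)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    gx, gy, s = pow(G, x, P), pow(G, y, P), pow(G, x * y, P)
    priv_b = secrets.randbelow(Q - 1) + 1
    x_b, mac2 = bob_step3(priv_b, pow(G, priv_b, P), 1, gx, gy, s)
    # swap_gx: Alice holds a g^x other than the one Bob bound into MB (s is kept
    # equal on purpose to isolate the signature check), so step 4 must fail
    return alice_step4(x_b, mac2, pow(G, x + 1, P) if swap_gx else gx, gy, s)
```

`run_exchange()` returns True for an honest run and `run_exchange(swap_gx=True)` returns False: because MB is recomputed by Alice from the DH values she actually holds, the signature only verifies if both sides agree on g^x and g^y. The point of the MAC-then-sign layering is visible in `dsa_sign`, where the DSA hash is taken over what is already an HMAC-SHA256 output.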
