On 26/02/2013 01:33 a.m., Paul Wouters wrote: > On Thu, 21 Feb 2013, Sergio Lerner wrote: > >> One of the most interesting thinks I've found in OTR is the ability to >> provide forward secrecy. Nevertheless, as I've read in the section 4.2 >> of the paper http://www.cypherpunks.ca/otr/otr-wpes.pdf, some times keys >> are kept in memory for long times if the remote used does not reply. >> >> I can think of two scenarios where this is a drawback: >> >> 1. Alice sends many messages in a row, but Bob does not reply. >> 2. Alice want to send a big file to Bob while (say 10 Mbytes) using OTR >> with forward secrecy. Examples >> 2.a) Alice is sending audio/video chunks recorded with his >> microphone/camera over OTR. >> 2.b) Alice is downloading a file and at the same time she is sending >> it to Bob. > > How would you be sending all of that if Bob does not reply? You want to > have millions of messages outstanding without an ack? > You acknowledge each message as usual. The point is that a Hash evaluation is much faster than a D-H exchange, and requires no round trip time. So even the most basic tablet or slowest laptop, microcontroller or watch or microcontrolled-embedded tiny microphone or any other pervasive computing device will be able to talk using OTR, since the D-H part is executed only once. I don't mind waiting 10 seconds if then I won't have to wait a single millisecond for the rest of the communication.
Think about the voice-over-OTR case. No jitter, no abrupt silences... >> In both three cases she wants that at any time, if her computer is >> compromised, then the data already sent is protected unconditionally. >> Also in these last two cases, going though D-H for every block >> transmitted may imply a very high overhead, and a reduction in >> throughput because of the RTT latency needed to exchange D-H messages. > > Read the spec. there is a separate method for negotiating a symmetric > key using OTR. You then use that key for the bulk transport encryption. > I don't know from the top of my head if Alice and Bob have a way of > acknowledging the key for destruction, but I would expect so. > Yes but you don't get forward secrecy for the file during transmission of a 1 Gb file. Sergio. _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
