On 02/28/2013 04:14 PM, [email protected] wrote:
On Wed, 27 Feb 2013, Jon Kristensen wrote:
However, I still don't understand when the revealing of the MAC keys
is useful. If Eve does not manage to decrypt the ciphertext, the text
cannot be used to prove anything. If Eve does manage to acquire or
guess the encryption key, she will also have the MAC key (as the MAC
key is a simple derivation of the encryption key), and thus the power
to forge the transcript.
What would we lose by not posting the MAC keys over the wire?
With the MAC keys you can fake messages _in the past_
So while you won't be fooled in your _current_ conversation, no one can
later produce logs to claim you said something, as _anyone_ who captured
the MACs could forge message (for the past!) as you or your conversation
partner.
Paul
Paul,
Thank you for your reply, but I still don't see how this helps. I don't
see how anyone could claim that I would have said something even without
the MAC keys. The only way to decrypt our message is to have the
encryption key. And if Eve has the encryption key, she also has the MAC
key.
So I ask again: What would we lose by not posting the MAC keys over the
wire?
Actually, when I think about it, there seems to be a potential drawback
with exposing the MAC keys: If Eve have the MAC key (for example, as
revealed over the wire), and an encryption key which seems to decrypt
the message, that should pretty much prove that the encryption key in
question is actually the key that was used, as the probability of the
same MAC key being derived from another encryption key is extremely low.
Jon
_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
