Hi Jake, Gregory, others,

I think the protocol Moxie sketched is "deniable" in the sense of [1] - roughly, the complete-protocol transcripts Alice has after performing key agreement with Bob aren't different from transcripts she could produce herself, without interacting with Bob.

As a SIGMA-based key exchange that uses signatures, OTR is a bit less deniable per [1]. Performing OTR key agreement with Bob gives Alice a signature from him, which she could not produce herself. I'm not sure what publishing MAC keys adds.

Gregory wrote:
> In particular, you can just _make up_ an AES key, modify the
> transcript to say whatever you want assuming that AES key and you get
> a completely plausible transcript which you know the AES key for that
> appears to be between the named parties.

The transcripts I was talking about represent complete protocol runs. AFAICT, Gregory's just describing "making up" an AES key and some plaintext, encrypting it, then splicing it into a bunch of ciphertext and claiming it came from Bob.

If the attacker can make up new keys, splice in new ciphertext, and get some 3rd party to believe this all came from Bob, why can't the attacker make up a new MAC key, too?

Trevor

[1] http://eprint.iacr.org/2006/280
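The transcript-simulation notion of deniability discussed in the message above, as an added example that is not part of the original post or of any project's code. It assumes a signature-free key agreement whose session key is derived only from three Diffie-Hellman values over long-term and ephemeral keys; the toy group and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumption: session key = H(DH(A,Y) || DH(X,B) || DH(X,Y)), no signatures.
# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(*shared):
    return hashlib.sha256(b"".join(s.to_bytes(16, "big") for s in shared)).digest()

def alice_key(a, x, B, Y):
    # Alice's side: her long-term a and ephemeral x, Bob's public B and Y
    return kdf(pow(Y, a, P), pow(B, x, P), pow(Y, x, P))

def bob_key(b, y, A, X):
    # Bob's side: same three shared values, computed from his secrets
    return kdf(pow(A, y, P), pow(X, b, P), pow(X, y, P))

def transcript(A, B, X, Y, key, msg):
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return {"A": A, "B": B, "X": X, "Y": Y, "msg": msg, "tag": tag}

def real_run(alice_lt, bob_lt, msg):
    # Genuine interaction: Bob picks y and authenticates msg with his derived key
    (a, A), (b, B) = alice_lt, bob_lt
    (x, X), (y, Y) = keypair(), keypair()
    key = bob_key(b, y, A, X)
    assert hmac.compare_digest(key, alice_key(a, x, B, Y))
    return transcript(A, B, X, Y, key, msg), x

def simulated_run(alice_lt, B, msg):
    # Alice alone: she invents "Bob's" ephemeral Y; Bob's private key is never used
    a, A = alice_lt
    (x, X), (_, Y) = keypair(), keypair()
    return transcript(A, B, X, Y, alice_key(a, x, B, Y), msg), x

def judge_accepts(t, a, x):
    # Third party given the transcript plus Alice's secrets: recompute key, check MAC
    key = alice_key(a, x, t["B"], t["Y"])
    expected = hmac.new(key, t["msg"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, t["tag"])
```

Both kinds of transcript pass the same check, so the check gives a third party no evidence that Bob took part. A signature-based exchange would add a field that `simulated_run` has no way to fill.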
