On Thu, Jan 2, 2014 at 6:05 PM, Ian Goldberg <[email protected]> wrote:
> On Thu, Jan 02, 2014 at 10:44:34AM -0500, Nathan of Guardian wrote:
>>
>> I was thinking about how the pre-keying work designed by OWS
>> (https://whispersystems.org/blog/asynchronous-security/) could be
>> implemented in a more generic way, that would not be tied to a specific
>> server or app.
>>
>> Would it be possible using either an XMPP file transfer mechanism, or
>> something like our OTRDATA protocol, to send a number of pre-keys to a
>> contact, say at the time of an existing chat? Would this require
>> modification of the existing OTR implementation, or could the pre-keys be
>> injected into the existing logic?
>
> How would you prevent the identity misbinding attack (the major change
> from OTRv1 to OTRv2) in this setting?
I think that could be prevented by using a key agreement that mixes the
long-term keys into the session key, e.g. "triple Diffie-Hellman" [1].

Alternatively, if you really want to do signed key agreement as Ian
describes, you could prevent identity misbinding by hashing the parties'
identities (e.g. long-term key fingerprints) into the derived session key.
But if doing that, an expiry should be applied to the signatures, so that a
stolen ephemeral DH private key can't be reused forever.

To Nathan's original point: I'm not sure of the value of sharing pre-keys
with a pre-existing contact. I think Nathan is trying to enable parties to
communicate asynchronously even when the recipient is offline. But the
parties could simply remember their session state to do this.

(That's how TextSecure works - prekeys/tripleDH allow asynchronous
communication between parties with no prior contact, but for subsequent
messages the "ratchet state" is cached. Since this means the ratchet state
might be cached for a long time, the TextSecure ratcheting algorithm
differs from OTR in deleting keys immediately after sending a message,
instead of waiting for an acknowledgement [2].)

Trevor

[1] https://whispersystems.org/blog/simplifying-otr-deniability/
[2] https://whispersystems.org/blog/advanced-ratcheting/

_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
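A worked version of the triple Diffie-Hellman idea the reply points to, added here as an illustration and not code from this thread, from TextSecure or from OTR. It assumes X25519 as the DH group (implemented in pure Python for a self-contained run) and SHA-256 as the KDF; neither is specified in the email. It shows that, because both identity keys are mixed into the secret, a handshake in which Alice's ephemeral key is presented to Bob under a different identity key yields a session key that no longer matches Alice's.

```python
import hashlib, os

P = 2**255 - 19                      # field prime for X25519 (RFC 7748)
BASE = (9).to_bytes(32, "little")    # Curve25519 base point u-coordinate

def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder in pure Python; NOT constant-time, demo only.
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def triple_dh(my_ik, my_ek, their_ik_pub, their_ek_pub, initiator):
    # Three DH outputs so both long-term (identity) keys are bound into the
    # secret; the responder swaps dh1/dh2 so the concatenation matches.
    dh1 = x25519(my_ik[0], their_ek_pub)   # my identity  x their ephemeral/pre-key
    dh2 = x25519(my_ek[0], their_ik_pub)   # my ephemeral x their identity
    dh3 = x25519(my_ek[0], their_ek_pub)   # ephemeral x ephemeral (forward secrecy)
    if not initiator:
        dh1, dh2 = dh2, dh1
    return hashlib.sha256(b"3DH" + dh1 + dh2 + dh3).digest()

def demo():
    ik_a, ek_a = keypair(), keypair()    # Alice: identity key + fresh ephemeral
    ik_b, spk_b = keypair(), keypair()   # Bob: identity key + published pre-key
    k_alice = triple_dh(ik_a, ek_a, ik_b[1], spk_b[1], True)
    k_bob = triple_dh(ik_b, spk_b, ik_a[1], ek_a[1], False)
    # Misbinding attempt: Alice's ephemeral reaches Bob under a third identity
    # key ik_m (constructed here); Bob's derived key then differs from Alice's.
    ik_m = keypair()
    k_misbound = triple_dh(ik_b, spk_b, ik_m[1], ek_a[1], False)
    return k_alice == k_bob, k_alice != k_misbound
```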
