Off-the-Record Communication, or, Why Not To Use PGP

Slides by Su Zhang, Nov 8th, 2010

Differences between Off-the-Record Communication and PGP System

PGP System: long-lived encryption key; non-repudiable authentication

Off-the-Record communication: perfect forward secrecy; repudiability (verifiable only to the receiver, not to other people)

11/8/2010 Off the Record Communication, or, Why Not To Use PGP


What Security Properties do We Want?

Encryption -- Hide the content of conversation

Perfect Forward Secrecy -- Protect against future compromises

Authentication -- Make sure the person you are talking to is the right one

Repudiation -- Make sure the communications are personal and unverifiable to third parties


Why Is It Hard to Guarantee Online Security Properties?

Compromising a decryption key exposes past and future messages encrypted with that key

Any third party can verify the identity of the sender by verifying the signature on the message (digital signatures are used by protocols like PGP)


Perfect Forward Secrecy

Using short-lived encryption/decryption keys

Impossible to re-derive from their long-term keys

No one (including the sender and receiver) can reconstruct the key

Keys are generated through the Diffie-Hellman key agreement protocol


Cryptographic Primitives Used by OTR

Digital Signatures

Message Authentication Codes (MAC)

Malleable encryption (AES)


Digital Signatures

Long-lived signature keys (acceptable): key compromise won't affect past authentication (since authenticated messages have already been successfully received)

Non-repudiation (undesirable)

The signer cannot disclaim authorship of a message she signed

Signed messages can be verified by anyone without the signer's cooperation

Saves a lot of space: $O(n)$ keys (shared secrets need $O(n^2)$ keys)


Message Authentication Code

MAC can check the integrity of the message

Cannot provide non-repudiation (repudiable)

Two parties can authenticate each other (by using their shared secret) but others cannot


Malleable Encryption and Forgeability

Anyone could have changed the message before it arrives at the receiver's end (or before an attacker gets it)

Modifying the ciphertext can change the meaning of the plaintext even without knowing the encryption key (e.g. a stream cipher)

An attacker could choose another message whose ciphertext has the same length and substitute it for the original one

This shows that anyone could have modified the message, so nobody (except Bob) can find any clue about Alice from the message she sent.


The Off-the-Record Messaging Protocol

Uses the cryptographic primitives mentioned above

Achieves the aforementioned security properties

Mainly for low-latency communication protocols


Off-the-Record -- Encryption

Encryption algorithm -- AES (malleable)

Encryption key -- Generated through Diffie-Hellman agreement

Short-term keys (forward secrecy): keys are regenerated frequently


Off-the-Record -- Message Exchange


Exchange course:

A → B : $g^{x_1}$

B → A : $g^{y_1}$

A → B : $g^{x_2}, E(M_1, k_{11})$

B → A : $g^{y_2}, E(M_2, k_{21})$

A → B : $g^{x_3}, E(M_3, k_{22})$

Key construction: $g^{x_i y_j}$ is called the shared secret in the DH protocol

Encryption key: $k_{ij} = H(g^{x_i y_j})$


Off-the-Record -- Forgetting Keys

A cannot forget $x_{i-1}$ and its subsequent keys until she has received a message from B encrypted with $x_i$

A only generates a new key after she has received a reply from B (so A holds at most two keys at a time)

Send an empty message if one hasn't sent anything for a while
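The five-message exchange and the key-forgetting rule above, as an added Python example that is not part of the original slides. The toy 127-bit group, SHA-256 as H, and the `Party` helper are assumptions for illustration; both sides derive the same k11, k21 and k22, and once x1 and y1 are erased nobody can rebuild k11.

```python
import hashlib
import secrets

# Toy parameters (assumption, far too small for real use): Mersenne prime 2^127 - 1.
P, G = 2**127 - 1, 3

def H(shared: int) -> bytes:
    """k_ij = H(g^(x_i y_j)); SHA-256 stands in for H (assumption)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Party:
    """Hypothetical helper: one side's private DH exponents, indexed as on the slides."""
    def __init__(self):
        self.priv, self.latest = {}, 0
        self.new_key()

    def new_key(self) -> int:
        """Generate the next exponent and return its public value g^x."""
        self.latest += 1
        self.priv[self.latest] = secrets.randbelow(P - 3) + 2
        return self.public(self.latest)

    def public(self, i: int) -> int:
        return pow(G, self.priv[i], P)

    def key(self, i: int, peer_pub: int) -> bytes:
        """Encryption key from own exponent i and the peer's public value."""
        return H(pow(peer_pub, self.priv[i], P))

    def forget_before(self, i: int) -> None:
        """Erase every exponent older than i; keys built on them are gone for good."""
        for old in [j for j in self.priv if j < i]:
            del self.priv[old]

def run_exchange():
    a, b = Party(), Party()
    gx1, gy1 = a.public(1), b.public(1)   # A -> B : g^x1   B -> A : g^y1
    k11 = (a.key(1, gy1), b.key(1, gx1))
    gx2 = a.new_key()                     # A -> B : g^x2, E(M1, k11)
    gy2 = b.new_key()                     # B -> A : g^y2, E(M2, k21)
    k21 = (a.key(2, gy1), b.key(1, gx2))
    a.forget_before(2)                    # B has used x2, so A may erase x1
    k22 = (a.key(2, gy2), b.key(2, gx2))
    a.new_key()                           # A -> B : g^x3, E(M3, k22)
    b.forget_before(2)                    # A has used y2, so B may erase y1
    return a, b, [k11, k21, k22]
```
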


Off-the-Record -- Authentication

At the beginning, digital signatures are used to verify each other's identity:

A → B : $\mathrm{Sign}(g^{x_1}, k_a), K_A$

B → A : $\mathrm{Sign}(g^{y_1}, k_b), K_B$

Then messages encrypted with $H(g^{x_1 y_1})$ can be accepted

MAC keys are used as the authenticators for the following messages

Even if Eve got the encryption key, she still couldn't know the identities of the sender or receiver


Off-the-Record -- Authentication (cont)

Subsequent protocol messages:

$g^{x_{i+1}}, E(M_k, k_{ij}), \mathrm{MAC}(\{g^{x_{i+1}}, E(M_k, k_{ij})\}, H(k_{ij}))$

MAC key: $H(k_{ij}) = H(H(g^{x_i y_j}))$

Both the message and the encryption key are authenticated


Revealing MAC keys

Lets anyone use the MAC keys as authenticators (no one can prove that messages authenticated with these keys are from Alice)

Messages authenticated with these keys in the past have already been validated (because those messages were successfully received)
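Why a saved transcript proves nothing to a third party, tying together the "Malleable Encryption and Forgeability" and "Revealing MAC keys" slides; this is an added Python example, not part of the original slides. A SHA-256 counter keystream stands in for the AES stream encryption, HMAC-SHA256 stands in for the MAC, and all keys and messages are constructed sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream; SHA-256 stands in for AES here (assumption)."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(msg: bytes, k_ij: bytes) -> bytes:
    """Stream encryption E(M, k_ij); applying it again decrypts."""
    return xor(msg, keystream(k_ij, len(msg)))

def mac_key(k_ij: bytes) -> bytes:
    """MAC key H(k_ij), as on the authentication slide."""
    return hashlib.sha256(k_ij).digest()

def mac(next_pub: bytes, ct: bytes, mk: bytes) -> bytes:
    """MAC({g^x(i+1), E(M, k_ij)}, H(k_ij)), with HMAC-SHA256 as the MAC."""
    return hmac.new(mk, next_pub + ct, hashlib.sha256).digest()

def rewrite(ct: bytes, old_pt: bytes, new_pt: bytes, next_pub: bytes, mk: bytes):
    """What any holder of the revealed MAC key can do without knowing k_ij."""
    if len(old_pt) != len(new_pt):
        raise ValueError("replacement must have the same length")
    new_ct = xor(ct, xor(old_pt, new_pt))   # malleability: flip plaintext bits
    return new_ct, mac(next_pub, new_ct, mk)

def demo():
    # Constructed sample values, not real protocol output.
    k_ij = hashlib.sha256(b"constructed g^(x_i y_j)").digest()
    next_pub = b"constructed g^x(i+1)"
    sent = b"meet at noon"
    ct, tag = E(sent, k_ij), mac(next_pub, E(sent, k_ij), mac_key(k_ij))
    revealed = mac_key(k_ij)                # Alice publishes H(k_ij) after use
    new_ct, new_tag = rewrite(ct, sent, b"meet at nine", next_pub, revealed)
    # Bob's check would pass on both, so a saved transcript proves nothing.
    ok = [hmac.compare_digest(t, mac(next_pub, c, mac_key(k_ij)))
          for c, t in ((ct, tag), (new_ct, new_tag))]
    return E(new_ct, k_ij), ok
```

The MAC key is only published once it is no longer used for live traffic, so Bob's integrity check on incoming messages is unaffected.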


Implementation of OTR -- Design

Off-the-Record protocol is built on top of an IM protocol

Incremental deployment: a user can use their IM client to communicate with people whether or not they have the security plug-in

Virtual session: lasts until the client is terminated or after a period of inactivity


Implementation of OTR -- Implementation

IM client: GAIM (can integrate several different IM applications)

API dealing with Off-the-Record: received an encrypted message; received a cleartext message; received an error message; received an ignorable message (doesn't include a user message)


Using OTR for a High-Latency Application -- Email

Key agreement is impractical: the Diffie-Hellman protocol needs both parties to be online

Solution: ring signatures. Any one of a set of people could have produced the signature, but others can't tell which one signed (similar to MAC authentication but with less privacy, since the sender is confined to a small range)

Mitigating the reduced privacy: publish the signature key after all signed messages have been authenticated (making the keys short-term)


Conclusions

Off-the-Record realizes the ideal security properties:

Repudiable online communication

Perfect forward secrecy

Confidentiality and authenticity assurances are maintained


Questions & Discussion

Thank you!
