Presentation is loading. Please wait.

Presentation is loading. Please wait.

OTR AKE Protocol.

Published byreek Ζαχαρίου Modified over 6 years ago

Similar presentations

Presentation on theme: "OTR AKE Protocol."— Presentation transcript:

1 OTR AKE Protocol

2 OTR Data Protocol

3 Security Properties Authentication: Public keys and signatures
Integrity: MACs Perfect Forward Secrecy: Constant re-keying Deniability Weak Deniability: Shared secrets Strong Deniability: Malleable encryption

4 Found Attacks Version Rollback Attack Strong Deniablity Attack
An attacker may arbitrarily set the version of OTR. Strong Deniablity Attack An attacker with strong network control may disable the strong deniability property. Authentication Failure Alice may be convinced to commit to an AKE key exchange not knowing who she is speaking with. Message Integrity Attack An intruder may arbitrarily alter a message.

5 Strong Deniability Attack
invariant "Strong Deniability" forall a: PrincipalId do forall b: PrincipalId do forall i: IntruderId do int[i].mac_keys[a][b].k_A >= 0 & int[i].mac_keys[b][a].k_B >= 0 -> int[i].mac_keys[a][b].k_A = pri[a].c[b].k_ours - 2 & int[i].mac_keys[b][a].k_B = pri[a].c[b].k_theirs - 1 end end;

6 Strong Deniability Attack
An intruder may replace published MAC keys

7 Authentication Failure
Problem: Bob never makes it clear he thinks he is talking to Alice

8 Authentication Failure
Bob believes he is talking to Mallory Alice believes she is talking to Bob

9 Authentication Failure
Bob believes he is talking to Mallory Alice believes she is talking to Bob After receiving the third message, Alice commits to a successful key exchange with Bob Bob will think the exchange failed with Mallory

10 Message Integrity Attack
Re-keying in OTR: Alice Bob

11 Message Integrity Attack
Re-keying in OTR: Alice Bob

12 Message Integrity Attack
Re-keying in OTR: Alice Bob

13 Message Integrity Attack
Re-keying in OTR: Alice Bob

14 Message Integrity Attack
Mallory blocks a message containing published MAC keys Mallory uses published keys to re-send a modified message to Bob. Bob thinks it was sent before his message was received. Negative feature interaction occurring between forward secrecy, strong deniability

15 Message Integrity Attack
The Official Response: ... Good call on this one. Bizarrely, it doesn't turn out to be a security hole in the deployed software because there's a bug in it. (!) The deployed software only publishes MAC keys that were used to receive messages, not ones on messages it sent. This is safe, because it knows for sure that it'll never trust a MAC key that it's already published ... - OTR Author Ian Goldberg

Download ppt "OTR AKE Protocol."

Similar presentations

Oct 28, 2004WPES 20041 Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer.

Oct 28, 2004WPES Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
Key Distribution CS 470 Introduction to Applied Cryptography

Key Distribution CS 470 Introduction to Applied Cryptography
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
1 Lecture 18: E-Mail Security issues specific to email security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.

1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
Chapter 31 Network Security

Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
May 2002Patroklos Argyroudis1 A crash course in cryptography and network security Patroklos Argyroudis CITY Liberal Studies.

May 2002Patroklos Argyroudis1 A crash course in cryptography and network security Patroklos Argyroudis CITY Liberal Studies.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like e-mail)

1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

Similar presentations

Ads by Google