Presentation is loading. Please wait.

Presentation is loading. Please wait.

OTR: Off-the-record Communication

Published byVeronika Salim Modified over 6 years ago

Similar presentations

Presentation on theme: "OTR: Off-the-record Communication"— Presentation transcript:

1 OTR: Off-the-record Communication
Yusi Zhang

2 Outline Motivation Design Goals Message Flow of the Protocol
a step-by-step development Some Remarks

3 Motivation Suppose Alice and Bob talks privately in a closed, physical room. No one is hearing: confidentiality. They use eyes to make sure the other is the intended one to talk: authenticity. Nobody, even themselves, can prove to any third party that they talked anything: deniability. What about an online conversation?

4 Motivation This doesn't sound like a private conversation at all !!
Existing solutions like PGP work like (not exactly): pkb, skb pka, ska Enc(pkb, m), Sign(m, ska) Problems: The keys are long-term; compromise of them reveals every encrypted message, even those before the compromise. Digital signatures are non-repudiable; a valid proof that Alice has composed m. This doesn't sound like a private conversation at all !!

5 Design Goals Confidentiality Authentication Message Integrity
An eavesdropper cannot decrypt a ciphertext. In particular, forward secrecy. Authentication Each party is able to authenticate the other's identity. Message Integrity Each party is able to check if a message has been tampered. Deniability Nobody, even the parties themselves, cannot prove to a third party they've engaged in a conversation.

6 Message Flow (pkb, skb) (pka, ska) ,Sign(gx1, ska), pka gx1
,Sign(gy1, skb), pkb gy1 k11 = gx1y1 k11 = gx1y1 ,Mac({gx2, E(M1, k11)}, H(k11)) gx2, E(M1, k11) k21 = gx2y1 ,Mac({gy2, E(M2, k21)}, H(k21)) k21 = gx2y1 gy2, E(M2, k21) k22 = gx2y2 gx3, E(M3, k22) ,Mac({gx3, E(M3, k22)}, H(k22)) k22 = gx2y2 k32 = gx3y2 k32 = gx3y2 What remains: authenticity and message integrity For forward secrecy, we want the keys be short-lived.

7 Forgetting old keys and Revealing MAC keys
For forward secrecy, old DH secrets need to be erased. Need care since in reality the parties do not take turns sending messages. At this point Alice is ensured that the previous MAC key, H(k11) will never be used by Bob. The revealed MAC key is a hash of the encryption key, so no influence on confidentiality. It makes it deniable all previous transcripts up to k11. gx1, ... gy1, ... forget x1 now? gx2, ... gy1, ... gy2, ... Oops! x1 forgot, cannot read. OK to forget x1 ...., H(k11)

8 Some Remarks Anonymity v.s. Deniability
Anonymity: no adversary should be able tell who you are talking with, even if he is eavesdropping on you all the time. Deniability: An adversary might be ensured that you are talking to some certain person; but he is not able to prove that to a third party. Definition of Deniability - another branch of prior works [RGH06], [DKSW09], etc.

Download ppt "OTR: Off-the-record Communication"

Similar presentations

Oct 28, 2004WPES 20041 Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer.

Oct 28, 2004WPES Off-the-Record Communication, or, Why Not to Use PGP Nikita Borisov Ian Goldberg Eric Brewer.
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.

Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Cryptographic Security Cryptographic Mechanisms 1Mesbah Islam– Operating Systems.

Cryptographic Security Cryptographic Mechanisms 1Mesbah Islam– Operating Systems.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
E-mail Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.
1 Lecture 18: E-Mail Security issues specific to email security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.

1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
Chapter 31 Network Security

Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

Similar presentations

Ads by Google