OTR: Off-the-record Communication


1 OTR: Off-the-record Communication
Yusi Zhang

2 Outline
Motivation
Design Goals
Message Flow of the Protocol: a step-by-step development
Some Remarks

3 Motivation
Suppose Alice and Bob talk privately in a closed, physical room.
No one else can hear them: confidentiality.
They use their eyes to make sure the other is the intended person to talk to: authenticity.
Nobody, not even Alice and Bob themselves, can prove to any third party that they said anything: deniability.
What about an online conversation?

4 Motivation
Existing solutions like PGP work like this (not exactly):
Bob holds (pkb, skb); Alice holds (pka, ska).
Alice sends: Enc(pkb, m), Sign(m, ska)
Problems:
The keys are long-term; compromise of them reveals every encrypted message, even those sent before the compromise.
Digital signatures are non-repudiable; a signature is a valid proof that Alice has composed m.
This doesn't sound like a private conversation at all!

5 Design Goals
Confidentiality: An eavesdropper cannot decrypt a ciphertext. In particular, forward secrecy.
Authentication: Each party is able to authenticate the other's identity.
Message Integrity: Each party is able to check whether a message has been tampered with.
Deniability: Nobody, not even the parties themselves, can prove to a third party that they've engaged in a conversation.

6 Message Flow
Alice holds (pka, ska); Bob holds (pkb, skb).
Alice -> Bob: g^{x1}, Sign(g^{x1}, ska), pka
Bob -> Alice: g^{y1}, Sign(g^{y1}, skb), pkb
Both compute k11 = g^{x1 y1}
Alice -> Bob: g^{x2}, E(M1, k11), Mac({g^{x2}, E(M1, k11)}, H(k11))
Both compute k21 = g^{x2 y1}
Bob -> Alice: g^{y2}, E(M2, k21), Mac({g^{y2}, E(M2, k21)}, H(k21))
Both compute k22 = g^{x2 y2}
Alice -> Bob: g^{x3}, E(M3, k22), Mac({g^{x3}, E(M3, k22)}, H(k22))
Both compute k32 = g^{x3 y2}
What remains: authenticity and message integrity.
For forward secrecy, we want the keys to be short-lived.

7 Forgetting old keys and Revealing MAC keys
For forward secrecy, old DH secrets need to be erased.
This needs care, since in reality the parties do not take turns sending messages.
At this point Alice is assured that the previous MAC key, H(k11), will never be used by Bob.
The revealed MAC key is a hash of the encryption key, so revealing it has no influence on confidentiality.
It makes all previous transcripts up to k11 deniable.
[Diagram: message timeline, labels in slide order] g^{x1}, ... | g^{y1}, ... | "forget x1 now?" | g^{x2}, ... | g^{y1}, ... | g^{y2}, ... | "Oops! x1 forgotten, cannot read." | "OK to forget x1" | ...., H(k11)
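The message format from slide 6 and the MAC-key reveal from slide 7, as an added example that is not part of the original presentation. Assumptions: a toy 127-bit group, a SHA-256 keystream standing in for E, HMAC-SHA256 standing in for Mac, and the signed initial exchange omitted. It shows that once H(k11) is published, a re-tagged altered ciphertext verifies just like a genuine one, so a transcript proves nothing about authorship.

```python
import hashlib, hmac, secrets

# Toy parameters (assumption): a 127-bit Mersenne prime, far too small for real use.
P = 2**127 - 1
G = 3

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2      # private exponent
    return x, pow(G, x, P)                # (x, g^x)

def shared_key(priv: int, peer_pub: int) -> bytes:
    return H(to_bytes(pow(peer_pub, priv, P)))   # k = g^{xy}, hashed to 32 bytes

def E(msg: bytes, k: bytes) -> bytes:
    # Stand-in stream cipher (assumption): XOR with a SHA-256 keystream; E is its own inverse.
    stream = b"".join(H(k + i.to_bytes(4, "big")) for i in range(len(msg) // 32 + 1))
    return bytes(a ^ b for a, b in zip(msg, stream))

def mac(next_pub: int, ct: bytes, mac_key: bytes) -> bytes:
    return hmac.new(mac_key, to_bytes(next_pub) + ct, hashlib.sha256).digest()

def send(msg: bytes, k: bytes, next_pub: int):
    ct = E(msg, k)
    return next_pub, ct, mac(next_pub, ct, H(k))   # the MAC key is H(k)

def verify(packet, k: bytes) -> bool:
    next_pub, ct, tag = packet
    return hmac.compare_digest(tag, mac(next_pub, ct, H(k)))

def demo():
    x1, gx1 = dh_keypair()                              # Alice
    y1, gy1 = dh_keypair()                              # Bob
    k11_a, k11_b = shared_key(x1, gy1), shared_key(y1, gx1)
    x2, gx2 = dh_keypair()
    packet = send(b"meet at noon", k11_a, gx2)          # Alice -> Bob
    genuine_ok = verify(packet, k11_b) and E(packet[1], k11_b) == b"meet at noon"
    revealed = H(k11_a)                                 # published once k11 is retired
    # Holding only the revealed MAC key is enough to re-tag an altered ciphertext.
    forged_ct = bytes([packet[1][0] ^ 1]) + packet[1][1:]
    forged = (gx2, forged_ct, mac(gx2, forged_ct, revealed))
    return k11_a == k11_b, genuine_ok, verify(forged, k11_b)
```

`demo()` returns three booleans: both sides derived the same k11, the genuine packet verified and decrypted, and the re-tagged packet also verified.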

8 Some Remarks
Anonymity vs. Deniability
Anonymity: no adversary should be able to tell who you are talking with, even if he is eavesdropping on you all the time.
Deniability: an adversary might be assured that you are talking to some certain person, but he is not able to prove that to a third party.
Definition of Deniability: another branch of prior works, [RGH06], [DKSW09], etc.

