OT: IM encryption options [was: Re: Is the OpenPGP model still useful?]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 6 21:09:02 CEST 2011


On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
> resuming this thread because I'm studying encryption options for KDE's
> Kopete IM client.

Hmm, i'm not sure this is the best place for this discussion, so i've
marked the subject line OT for "off-topic" -- if you think there might
be a better discussion list, feel free to follow up there.

> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
> Diffie-Hellman key exchange method with block ciphers.

Why does this seem unjustifiable to you?  DH and block ciphers are
widely-reviewed parts of the standard crypto toolkit.  Do you have
reason to believe they're generally bad?

> As of what I got from your (Robert) explanation plus some preliminary
> conclusions of my studies, making use of asymmetric algos with OpenPGP
> would be more coherent and secure, mathematically. Is it correct?

Not all of these decisions should be made on purely mathematical
grounds.  Consider, for example, pidgin's old GPG plugin (i don't know
whether it is still in use or under development).

It worked by signing and encrypting each message before it was sent, and
decrypting and verifying each response.

However, IM messages tend to be heavily context-dependent, which makes
them vulnerable to replay attacks.

For example, how many times have you written on IRC (or whatever IM
network you use) the simple phrase "i agree"?

If each message is individually signed and verified, it'd be relatively
easy for an attacker to replay your "i agree" in another conversation,
making it look like you agreed to something you hadn't actually agreed
to.  OTR's stream-based approach ensures that messages are only
authenticated as part of a single, two-party conversation.  There is no
room for a replay attack.

OTR also is designed so that a third-party (one not involved in the
original communication) can't conclusively prove that you wrote
something.  This is the "off the record" part of OTR.  It's debatable
how useful this so-called "repudiability" would be in, say, a court of
law; but individually-signed messages clearly do *not* have this kind of
repudiability; anyone in possession of one of these messages can
convince any third party that you did in fact write the message.

Note that we're just talking here about message/conversation signing,
encryption, and verification; iirc, the original thread was asking about
OpenPGP's certification model (that is, how multi-issuer OpenPGP
certificates are used to bind identities to public keys), which is an
entirely different (though related) topic.

hope this helps,

	--dkg
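The replay and repudiability points above, as an added illustration that is not part of dkg's mail or of any OTR or Pidgin code. It models a "sign each message on its own" scheme and a conversation-bound scheme side by side. Assumptions: both schemes are modelled with HMAC-SHA256 over a shared key so the script runs offline with only the standard library (real OTR derives per-session MAC keys from a Diffie-Hellman exchange, which is not reproduced); the names `Channel`, `sign_message`, and the demo functions are invented for this example.

```python
"""Replay across conversations: per-message tags versus conversation-bound tags.

Constructed example. HMAC-SHA256 under a shared key stands in for both the
per-message OpenPGP signature of the old Pidgin plugin and the per-session
MAC of OTR; only the *binding* of the tag to context differs between the two.
"""
import hashlib
import hmac
import os


def sign_message(key: bytes, text: str) -> bytes:
    """Naive scheme: the tag covers only the message text, nothing else."""
    return hmac.new(key, text.encode(), hashlib.sha256).digest()


def verify_message(key: bytes, text: str, tag: bytes) -> bool:
    return hmac.compare_digest(sign_message(key, text), tag)


class Channel:
    """One direction of a two-party conversation.

    The tag covers (session id, sequence number, text), so a tag is only
    valid inside the conversation it was produced for, at its position in
    that conversation.  The receiver tracks the next expected sequence number.
    """

    def __init__(self, key: bytes, session_id: bytes):
        self.key = key
        self.session_id = session_id
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq: int, text: str) -> bytes:
        data = self.session_id + seq.to_bytes(8, "big") + text.encode()
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def send(self, text: str):
        seq = self.send_seq
        self.send_seq += 1
        return (seq, text, self._tag(seq, text))

    def receive(self, packet) -> bool:
        seq, text, tag = packet
        if seq != self.recv_seq:          # stale or out-of-order: a replay candidate
            return False
        if not hmac.compare_digest(self._tag(seq, text), tag):
            return False                   # wrong session, wrong key, or tampered text
        self.recv_seq += 1
        return True


def demo_replay_per_message() -> bool:
    """Returns True when the captured 'i agree' is accepted in a new context."""
    alice_key = b"constructed-key-for-alice"
    captured = ("i agree", sign_message(alice_key, "i agree"))   # from a chat with Bob
    # The same (text, tag) pair presented in an unrelated conversation still verifies.
    return verify_message(alice_key, *captured)


def demo_replay_conversation_bound():
    """Returns (first delivery ok, same packet again, packet in another session)."""
    key1, sid1 = os.urandom(32), os.urandom(16)
    alice_to_bob = Channel(key1, sid1)
    bob_from_alice = Channel(key1, sid1)
    packet = alice_to_bob.send("i agree")
    first = bob_from_alice.receive(packet)      # genuine delivery
    again = bob_from_alice.receive(packet)      # sequence number already consumed
    key2, sid2 = os.urandom(32), os.urandom(16)
    carol_from_alice = Channel(key2, sid2)
    other = carol_from_alice.receive(packet)    # different session key and id
    return first, again, other


def demo_receiver_can_forge() -> bool:
    """Repudiability: the receiver holds the same MAC key, so a transcript
    with valid tags does not prove to a third party who wrote a line."""
    key, sid = os.urandom(32), os.urandom(16)
    bob_view = Channel(key, sid)
    forged = bob_view.send("i agree")           # Bob computes a tag Alice never made
    return hmac.compare_digest(bob_view._tag(forged[0], forged[1]), forged[2])


if __name__ == "__main__":
    print("per-message tag replayed elsewhere:", demo_replay_per_message())
    print("conversation-bound (ok, replay, other session):", demo_replay_conversation_bound())
    print("receiver can produce a valid tag:", demo_receiver_can_forge())
```

Expected behaviour: the per-message scheme accepts the captured "i agree" anywhere, the conversation-bound scheme accepts it exactly once in the session it was sent in, and either party to that session can compute valid tags, which is what makes a transcript unconvincing to an outsider. A detached OpenPGP signature adds the opposite property: it binds the text to one signing key for anyone who cares to check, which is the point dkg makes about signed messages lacking repudiability.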
