OT: IM encryption options [was: Re: Is the OpenPGP model still useful?]

Marcio B. Jr. marcio.barbado at gmail.com
Sat Jul 23 00:56:42 CEST 2011


Hello Daniel,
sorry for such a delay; this has been a wild JULY.


On Wed, Jul 6, 2011 at 4:09 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>> Diffie-Hellman key exchange method with block ciphers.
>
> Why does this seem unjustifiable to you?  DH and block ciphers are
> widely-reviewed parts of the standard crypto toolkit.  Do you have
> reason to believe they're generally bad?


It seems unjustifiable because there exists an option in which secret
keys need not take risks. And if there's any security concern and
one's to choose between zero risk and any other positive-value risk,
it's reasonable to pick the former.


>> As of what I got from your (Robert) explanation plus some preliminary
>> conclusions of my studies, making use of asymmetric algos with OpenPGP
>> would be more coherent and secure, mathematically. Is it correct?
>
> Not all of these decisions should be made on purely mathematical
> grounds.  Consider, for example, pidgin's old GPG plugin (i don't know
> whether it is still in use or under development)
>
> It worked by signing and encrypting each message before it was sent, and
> decrypting and verifying each response.
>
> However, IM messages tend to be heavily context-dependent, which makes
> them vulnerable to replay attacks.


No secret key can ever be intercepted or shared.


> For example, how many times have you written on IRC (or whatever IM
> network you use) the simple phrase "i agree"?
>
> If each message is individually signed and verified, it'd be relatively
> easy for an attacker to replay your "i agree" in another conversation,
> making it look like you agreed to something you hadn't actually agreed
> to.  OTR's stream-based approach ensures that messages are only
> authenticated as part of a single, two-party conversation.  There is no
> room for a replay attack.


I am obviously considering signing and encrypting.


> OTR also is designed so that a third-party (one not involved in the
> original communication) can't conclusively prove that you wrote
> something.  This is the "off the record" part of OTR.  It's debatable
> how useful this so-called "repudiability" would be in, say, a court of
> law; but individually-signed messages clearly do *not* have this kind of
> repudiability; anyone in possession of one of these messages can
> convince any third party that you did in fact write the message.


There is secrecy sharing so maintenance of this repudiability's
effectiveness is not entirely up to you.


Regards,



Marcio Barbado, Jr.
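
Added example (not part of the original message, and not OTR or GnuPG code): a Python sketch of the replay point raised in the quoted text above, comparing a message authenticated on its own with one bound to a single conversation. HMAC stands in for both the per-message signature and the session authenticator; the Session class, the counters and the keys are assumptions made for illustration and do not reproduce the OTR protocol.

```python
import hashlib
import hmac
import secrets

def tag(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (no ambiguous concatenation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(4, "big") + f)
    return mac.digest()

# Model 1 (assumed): each message authenticated alone with a long-term key.
def sign_standalone(long_term_key, text):
    return text, tag(long_term_key, text)

def verify_standalone(long_term_key, text, t):
    return hmac.compare_digest(t, tag(long_term_key, text))

# Model 2 (assumed): authenticator bound to one session key and one position.
class Session:
    def __init__(self, session_key):
        self.key = session_key
        self.send_ctr = self.recv_ctr = 0

    def send(self, text):
        self.send_ctr += 1
        ctr = self.send_ctr.to_bytes(8, "big")
        return ctr, text, tag(self.key, ctr, text)

    def receive(self, ctr, text, t):
        n = int.from_bytes(ctr, "big")
        if n <= self.recv_ctr:  # old or repeated counter: reject as replay
            return False
        if not hmac.compare_digest(t, tag(self.key, ctr, text)):
            return False        # made under another session key
        self.recv_ctr = n
        return True

def demo():
    long_term = secrets.token_bytes(32)      # constructed sample keys
    captured = sign_standalone(long_term, b"i agree")
    standalone_replay = verify_standalone(long_term, *captured)
    k1 = secrets.token_bytes(32)
    alice, bob_a = Session(k1), Session(k1)  # conversation A
    bob_b = Session(secrets.token_bytes(32)) # unrelated conversation B
    msg = alice.send(b"i agree")
    first = bob_a.receive(*msg)
    return standalone_replay, first, bob_a.receive(*msg), bob_b.receive(*msg)
```

demo() returns, in order: whether the standalone message still verifies when presented again, whether the session message is accepted once, and whether it is accepted again in the same session or in a different one.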


