Post on 13-Dec-2015
Differences between Off-the-Record Communication and the PGP System
PGP system: long-lived encryption key; non-repudiable authentication
Off-the-Record communication: perfect forward secrecy; repudiability (verifiable only by the receiver, not by other people)
11/8/2010 Off the Record Communication, or, Why Not To Use PGP
What Security Properties do We Want?
Encryption -- Hide the content of the conversation
Perfect Forward Secrecy -- Protect past conversations against future key compromises
Authentication -- Make sure the person you are talking to is the right one
Repudiation -- Make sure the communication is personal and unverifiable to third parties
Why Is It Hard to Guarantee These Security Properties Online?
Compromising a long-lived decryption key exposes every past and future message encrypted under that key
Any third party can verify the identity of the sender by checking the digital signature on the message (digital signatures are used by protocols such as PGP)
Perfect Forward Secrecy
Use short-lived encryption/decryption keys
They cannot be re-derived from the parties' long-term keys
No one (including sender and receiver) can reconstruct a key once it has been discarded
Keys are generated through the Diffie-Hellman key agreement protocol
Cryptographic Primitives Used by OTR
Digital signatures
Message authentication codes (MAC)
Malleable encryption (AES)
Digital Signatures
Long-lived signature keys (acceptable): compromising the key does not affect past authentication, since the authenticated messages were already successfully received
Non-repudiation (undesirable):
  The signer cannot disclaim authorship of a message she signed
  Signed messages can be verified by anyone without the signer's cooperation
Saves a lot of space: O(n) keys, whereas pairwise shared secrets need O(n^2) keys
Message Authentication Code
A MAC checks the integrity of the message
It cannot provide non-repudiation (it is repudiable)
The two parties can authenticate each other using their shared secret, but nobody else can, since either holder of the secret could have produced the tag
Malleable Encryption and Forgeability
Anyone could have changed the message before it arrived at the receiver (or before the attacker got it): modifying some of the ciphertext changes the meaning of the plaintext even without knowing the encryption key (e.g. with a stream cipher)
An attacker could choose another message whose ciphertext has the same length and substitute it for the original one
This shows that anyone could have modified the message, so nobody (except Bob) can find any clue about Alice from the message she sent.
The Off-the-Record Messaging Protocol
Uses the cryptographic primitives mentioned above
Achieves the aforementioned security properties
Mainly intended for low-latency communication protocols
Off-the-Record -- Encryption
Encryption algorithm: AES (malleable)
Encryption key: generated through Diffie-Hellman agreement
Short-term keys (forward secrecy): keys are regenerated frequently
Off-the-Record -- Message Exchange
Exchange course:
A -> B : g^x1
B -> A : g^y1
A -> B : g^x2, E(M1, k11)
B -> A : g^y2, E(M2, k21)
A -> B : g^x3, E(M3, k22)
Key construction: g^(xi yj) is called the shared secret in the DH protocol; the encryption key is kij = H(g^(xi yj))
Off-the-Record -- Forgetting Keys
A cannot forget x(i-1) and the keys derived from it until she has received a message from B encrypted under a key that uses xi
A only generates a new key after she has received a reply from B (so A holds at most two keys at a time)
Send an empty message if one has not been sent for a while
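A simulation of the five-message exchange and the key-forgetting rule from the two slides above, as an added example (not code from the slides or from the OTR project). The toy group p = 2^127 - 1, g = 3 and SHA-256 as H are assumptions chosen so it runs offline; OTR's real group and hash differ.

```python
import hashlib
import secrets
# Toy DH group (assumption, illustration only): p = 2**127 - 1 is prime, g = 3.
P = 2**127 - 1
G = 3

def H(shared: int) -> bytes:  # key derivation from the slides, SHA-256 assumed
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Party:
    """One side of the exchange: its own DH secrets x_i and the peer's shares g^y_j."""
    def __init__(self):
        self.secrets, self.peer_pub, self.next_i = {}, {}, 1

    def new_share(self):
        """Pick a fresh secret x_i; return (i, g^x_i) to attach to the next message."""
        i, self.next_i = self.next_i, self.next_i + 1
        self.secrets[i] = secrets.randbelow(P - 3) + 2
        return i, pow(G, self.secrets[i], P)

    def key(self, own_i: int, peer_j: int) -> bytes:
        """k_ij = H((g^y_j)^x_i) = H(g^(x_i y_j))."""
        return H(pow(self.peer_pub[peer_j], self.secrets[own_i], P))

    def forget_before(self, i: int) -> None:
        """Erase secrets older than x_i; keys built from them can never be rebuilt."""
        for old in [k for k in self.secrets if k < i]:
            del self.secrets[old]

def send(frm: Party, to: Party) -> None:
    """Sender attaches a fresh share; receiver records it under the same index."""
    i, share = frm.new_share()
    to.peer_pub[i] = share
def can_derive(p: Party, own_i: int, peer_j: int) -> bool:
    return own_i in p.secrets and peer_j in p.peer_pub  # can p still rebuild k_ij?

def run_exchange():
    """Replay the slide's five messages; return (A's key, B's key, secrets A holds)
    for k11, k21, k22, plus A itself so her remaining state can be inspected."""
    a, b = Party(), Party()
    steps = []
    send(a, b)                                   # A -> B : g^x1
    send(b, a)                                   # B -> A : g^y1
    send(a, b)                                   # A -> B : g^x2, E(M1, k11)
    steps.append((a.key(1, 1), b.key(1, 1), len(a.secrets)))
    send(b, a)                                   # B -> A : g^y2, E(M2, k21)
    steps.append((a.key(2, 1), b.key(1, 2), len(a.secrets)))
    a.forget_before(2)   # B has used x2, so x1 (and with it k11) is forgotten
    send(a, b)                                   # A -> B : g^x3, E(M3, k22)
    steps.append((a.key(2, 2), b.key(2, 2), len(a.secrets)))
    return steps, a
```

After the run A can still derive k22 but no longer k11, which is exactly the forward-secrecy guarantee the slides describe.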
Off-the-Record -- Authentication
At the beginning, digital signatures are used to verify each other's identity:
A -> B : Sign(g^x1, ka), KA
B -> A : Sign(g^y1, kb), KB
After that, messages encrypted with H(g^(x1 y1)) can be accepted
MAC keys are used as the authenticators for the following messages: even if Eve obtains an encryption key, she still cannot learn the identities of the sender or receiver
Off-the-Record -- Authentication (cont)
Each following protocol message:
g^x(i+1), E(Mk, kij), MAC({g^x(i+1), E(Mk, kij)}, H(kij))
MAC key: H(kij) = H(H(g^(xi yj)))
Both the message and the next key-exchange value (hence the next encryption key) are authenticated
Revealing MAC keys
Let everyone be able to use the MAC keys as authenticators: then no one can prove that a message authenticated under these keys came from Alice
Messages previously authenticated with these keys remain valid, because they were already successfully received and checked before the key was published
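An added example (not code from the slides or from OTR) tying together the malleable-encryption slide, the authenticated message format g^x(i+1), E(M, kij), MAC(..., H(kij)) and the MAC-key revelation above. A SHA-256 counter-mode keystream stands in for AES counter mode, HMAC-SHA256 for the MAC, and the key and share are constructed values; all of these are assumptions.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher (assumption): SHA-256 in counter mode stands in for the
    AES counter mode the slides call 'malleable encryption'."""
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def E(msg: bytes, k: bytes) -> bytes:
    """E(M, k_ij): plaintext XOR keystream. Applying it again decrypts."""
    return bytes(m ^ s for m, s in zip(msg, keystream(k, len(msg))))

def mac_key(k: bytes) -> bytes:
    """MAC key from the slides: H(k_ij)."""
    return hashlib.sha256(k).digest()

def mac(mk: bytes, next_share: bytes, ct: bytes) -> bytes:
    """MAC({g^x(i+1), E(M, k_ij)}, H(k_ij)); HMAC-SHA256 assumed."""
    return hmac.new(mk, next_share + ct, hashlib.sha256).digest()

def protocol_message(next_share: bytes, msg: bytes, k: bytes):
    """Build the slide's message: g^x(i+1), E(M, k_ij), MAC(...)."""
    ct = E(msg, k)
    return next_share, ct, mac(mac_key(k), next_share, ct)

def verify(mk: bytes, next_share: bytes, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(mk, next_share, ct), tag)

def remold(ct: bytes, known: bytes, chosen: bytes) -> bytes:
    """Malleability from the slides: anyone who guesses the plaintext can turn
    ct into the ciphertext of any other same-length message without the key."""
    return bytes(c ^ a ^ b for c, a, b in zip(ct, known, chosen))

def demo() -> dict:
    k = hashlib.sha256(b"constructed k_ij for the demo").digest()  # constructed
    share = b"constructed g^x(i+1)"                                 # constructed
    _, ct, tag = protocol_message(share, b"meet at noon", k)
    altered = remold(ct, b"meet at noon", b"meet at 0600")
    mk = mac_key(k)
    # A third party can attach a valid MAC only once the MAC key is revealed
    third_party_tag = mac(mk, share, altered)
    return {
        "genuine_verifies": verify(mk, share, ct, tag),
        "altered_decrypts_to_chosen": E(altered, k) == b"meet at 0600",
        "altered_rejected_while_mac_key_secret": not verify(mk, share, altered, tag),
        "altered_accepted_once_mac_key_revealed": verify(mk, share, altered, third_party_tag),
    }
```

While H(kij) is secret only Alice and Bob can produce a valid tag, so Bob is convinced; after it is published a valid tag on any ciphertext proves nothing about who wrote it.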
Implementation of OTR -- Design
The Off-the-Record protocol is built on top of an existing IM protocol
Incremental deployment: a user can use their IM client to communicate with people whether or not they have the security plug-in
Virtual session: lasts until the client terminates or until a period of inactivity has passed
Implementation of OTR -- Implementation
IM client: GAIM, which can integrate several different IM applications
API for dealing with Off-the-Record messages; its callbacks cover:
  Received an encrypted message
  Received a clear-text message
  Received error information
  Received an ignorable message (one that does not include a user message)
Using OTR on a High-latency Application -- Email
Key agreement is impractical: the Diffie-Hellman protocol needs both parties to be online
Solution: ring signatures. Any member of a set of people could have produced the signature, but others cannot tell which one signed. (Similar to MAC authentication, but with less privacy, since the sender is confined to a small set)
Mitigating the reduced privacy: publish the signature key after all signed messages have been authenticated (i.e. make the signing keys short-term)
Conclusions
Off-the-Record realizes the ideal security properties: repudiable online communication
In a perfect-forward-secret manner
While maintaining confidentiality and authenticity assurances