Comments (18)
I'm not sure I understand the flaw you are talking about.
Talking about the problem of establishing a secure channel on OTRv3 over XMPP: even though you are able to have some information about peer availability from the network, there's nothing you can do about it simply because the OTRv3 doesn't provide a capability that can be used when the other peer is offline.
You can use a network/messaging specific capability to develop a timeout - for example, by requesting a message delivery receipt (XEP-0184) for the first AKE message sent and timing out if the receipt doesn't arrive in a reasonable time - but there's nothing else you can do in OTRv3 if your current policy includes REQUIRE_ENCRYPTION
besides turning it off for the peer and proceed by sending unencrypted offline messages (until it goes back online).
Providing a non-interactive alternative gives one alternative to the problem, but deciding when to use it should be part of the messaging client, who has enough information to make a decision.
from otrv4.
- Alice first confirm with a server (xmpp jabber for example), that Bob is online
- Alice send Query Message for OTR version
- Bob reply a OTRv4
- Bob initiate the RSDAKE, choose an ephemeral secret
i
, and send{"I"; g^i}
to Alice - Alice receives
g^i
, and choose an ephemeral secretr
, computesk=g^(i*r)
, and send{"R"; g^r; Auth(R)}
to Bob, securely eraser
. - Bob verifies
Auth
from Alice, send{Auth(I)}
to Bob, and reveal g^r, computesk=g^(r*i)
, securely erasei
- Alice verifies
Auth
from Bob - They now have a shared and authenticated secret key,
k
from otrv4.
"Alice first confirm with a server (xmpp jabber for example), that Bob is online" - you can't have this as part of the flow. Most IM services just doesn't work like that.
The description should also be done in terms of the primitives we are using, not using exponentation and multiplication.
Also, this doesn't actually describe the AKE for OTR - we will likely need other things.
from otrv4.
Can the OTR layer ask the underlying layer about Bob's presence?
This is to avoid setting timeouts to the start of an interactive conversation in case Bob is offline.
from otrv4.
No. We can't assume we are using a transport that has presence information at all.
from otrv4.
And even for XMPP that information can go stale or be incorrect, or the person can be invisible.
from otrv4.
sounds like a timeout is still necessary?
from otrv4.
Specifying a timeout seems to be out of scope of the protocol. For me, the protocol provides 2 capabilities in regard to DAKE: an interactive key-exchange and a non-interactive key exchange.
The client should be who decides when to use each capability: a client may decide to always use the non-interactive version (for convenience) or always use the interactive version (for stronger security properties).
In order to be able to specify values for timeout, a protocol would need to know what is an acceptable RTT for the messaging protocol, or if the message protocol provides any timeout capability for messages.
It seems to me the only capability from the messaging protocol we expect is the ability to send and receive messages in order, as stated by OTRv3 network model.
from otrv4.
In that case, we will leave the spec without a clear clarification of "online" and "offline" state, which I'm not sure if it's fine for implementers.
from otrv4.
Without deciding on which DAKE to use, the output of this story is just talking about the interactive key-exchange in general terms (because all the details will depend on which DAKE we are using).
The steps will be:
- Alice starts a interactive key-exchange with Bob by generating and sending a ψ1 message (which is DAKE specific). Alice in this setting is considered to be the initiator (I).
- Bob receives ψ1, verifies it, then generates and sends ψ2. Bob is considered to be the responder (R).
- Alice and Bob keep exchanging ψ messages until the key-exchange finishes. After the interactive key-exchange succeeds, they will have a shared secret.
- Both sides derive session keys from this shared secret.
- They exchange encrypted messages using the session keys.
- They ratchet the session keys.
I'm unsure if this is the expected output of this story.
from otrv4.
Depends on #15
from otrv4.
@tcz001 there is no "online" and "offline" state from the protocol perspective: they are a client state. The client using the protocol should be able to determine this state (if available) in a network/messaging-specific way and, based on this state, choose which feature of the protocol it wants to use.
from otrv4.
but wasn't this uncertainty we felt a flaw of otr3?
from otrv4.
The issue seems to be more because of REQUIRE_ENCRYPTION
and the lack of a non-interactive key-exchange rather than lack of online/offline state. I've added #25 to address consequences of OTRv4 to the policies.
from otrv4.
Yeah, that's actually what I mean, thanks.
from otrv4.
Assuming SPAWN as the DAKE, it becomes:
(Here the initiator -I- will be referred as Alice and Receiver -R- as Bob).
This should be specified in another section, to avoid duplication with #18:
TODO: move to another section.
G
: group to be used for all key exchanges.q
: the (prime) order of the group.p
: a safe prime generated with a Sophie Germain prime q.g1
andg2
: the distinct Cramer-Shoup generators for the group, suitable for Diffie-Hellman key exchanges and the Cramer-Shoup cryptosystem.
Alice long-term Cramer-Shoup key-pair is SKa = (x1A, x2A, y1A, y2A, zA)
and PKa = (cA, dA, hA)
.
Bob long-term Cramer-Shoup key-pair is SKb = (x1B, x2B, y1B, y2B, zB)
and PKb = (cB, dB, hB)
.
Alice:
- Generates an ephemeral Diffie-Hellman private key
i
and public keyg1^i
, with parameters(p, q, g1)
, uniformly at random. - Sends
ψ1 = ("I"; g1^i)
to Bob.
Bob:
- Generates an ephemeral Diffie-Hellman private key
r
and public keyg1^r
, with parameters (p, q, g1). - Computes γ =
DREnc(PKb, PKa, “I” ∥ “R” ∥ g1^i ∥ g1^r)
. The identifiers for the parties ("I"
and"R"
) may be cryptographic hashes of usernames or other identifiers provided by the higher-level protocol. - Computes
σ = Auth(hA, zB, {hA , hB, g1^i }, “I” ∥ “R” ∥ g1^i ∥ γ)
. - Computes
k = (g1^i ) * r
and securely erasesr
. (And derive session keys from the shared secret k at this point, if she wants to embed an encrypted data message onψ2
). - Sends
ψ2 = (“R”, γ, σ)
to Alice. At this moment,k
can be used to encrypt an initial message to Alice (and save one round-trip).
Alice:
- Verifies the proof
σ
. - Decrypts
γ
usingSKa
. TODO: dec verification can fail at this point. - Verifies the following properties of the decrypted message:
- The message is of the correct form (e.g., the fields are of the expected length);
- Alice's identifier is the first one listed;
- Bob's identifier is the second one listed, and it matches the identifier transmitted outside of the ciphertext; and
g1^i
is a pre-key that Alice previously sent and remains unused.
- Computes
k = (g1^r) * i
and securely erasesi
. If an initial message was attached, Alice can decrypt the message using k.
from otrv4.
Needs to be moved to the spec. On hold until we solve the hard questions.
from otrv4.
can be closed after 06a5998 and c991b01
from otrv4.
Related Issues (20)
- Check that we are advising to queue messages in the correct places
- Recover rights of github.com/off-the-record and update HOT 6
- Where to find Double Ratchet implementation in libotr-ng HOT 2
- Issue in `ECDH(a, B)` with check calculating shared secret? HOT 1
- When should we delete skipped_MKenc? HOT 1
- Create a contributing document
- Migrate to gitlab HOT 5
- Create a CONTRIBUTING page
- Synchronize with gitlab instance HOT 12
- Key Registration with Knowledge HOT 1
- Create a plan for 2020 in relationship with the new outcomes as defined in some meetings HOT 2
- Conversations Legacy has been removed HOT 4
- Update for Psi and Psi+ in Wiki page HOT 5
- Clarify what it means to "Send new Auth-R message with new values"
- Add an extension TLV to upgrade to v4 HOT 11
- Application/protocol-specific TLVs
- [Idea] PSK-authenticated fingerprint verification
- http://bugs.otr.im/otrv4/otrv4 is down. HOT 3
- Status of the OTRv4 specification HOT 1
- Concerns regarding verification of generated shared secret (identity checking)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from otrv4.