Off-the-Record Communication, or, Why Not To Use PGP Slides by Su Zhang Nov 8th, 2010.


1 Off-the-Record Communication, or, Why Not To Use PGP Slides by Su Zhang Nov 8th, 2010

2 Differences between Off-the-Record Communication and PGP System
- PGP system
  - Long-lived encryption key
  - Non-repudiable authentication
- Off-the-Record communication
  - Perfect forward secrecy
  - Repudiability (verifiable only to the receiver, not to other people)
11/8/ Off the Record Communication, or, Why Not To Use PGP

3 What Security Properties do We Want?
- Encryption -- Hide the content of the conversation
- Perfect Forward Secrecy -- Protect against future compromises
- Authentication -- Make sure the person you are talking to is the right one
- Repudiation -- Make sure the communications are personal and unverifiable to third parties

4 Why Is It Hard to Guarantee Online Security Properties?
- Compromising a decryption key exposes past and future messages encrypted with that key
- Any third party could verify the identity of the sender by verifying the signature on the message (digital signatures are used by protocols like PGP)

5 Perfect Forward Secrecy
- Uses short-lived encryption/decryption keys
- Impossible to re-derive from the long-term keys
- No one (including the sender and receiver) can reconstruct the key
- Keys are generated through the Diffie-Hellman key agreement protocol

6 Cryptographic Primitives Used by OTR
- Digital Signatures
- Message Authentication Codes (MAC)
- Malleable encryption (AES)

7 Digital Signatures
- Long-lived signature keys (acceptable)
  - Key compromise won't affect past authentication (since authenticated messages were successfully received)
- Non-repudiation (undesirable)
  - The signer cannot disclaim authorship of a message she signed
  - Signed messages can be verified by anyone without the signer's cooperation
- Save a lot of space
  - $O(n)$ keys (shared secrets need $O(n^2)$ keys)

8 Message Authentication Code
- A MAC can check the integrity of the message
- Cannot provide non-repudiation (repudiable)
- Two parties can authenticate each other (by using their shared secret) but others cannot

9 Malleable Encryption and Forgeability
- Anyone could have changed the message before it arrives at the receiver (or before an attacker gets it)
- Modifying the ciphertext can change the meaning of the plaintext even without knowing the encryption key (e.g. with a stream cipher)
- An attacker could choose another message with the same ciphertext length and substitute it for the original
- This shows that anyone could have modified the message, so nobody (except Bob) can find any clue about Alice from the message she sent

10 The Off-the-Record Messaging Protocol
- Uses the primitives mentioned above
- Achieves the aforementioned security properties
- Mainly for low-latency communication protocols

11 Off-the-Record -- Encryption
- Encryption algorithm: AES (malleable)
- Encryption key: generated through Diffie-Hellman agreement
- Short-term key (forward secrecy): keys are regenerated frequently

12 Off-the-Record – Message Exchange
- Course of the exchange
  - A → B: $g^{x_1}$
  - B → A: $g^{y_1}$
  - A → B: $g^{x_2}, E(M_1, k_{11})$
  - B → A: $g^{y_2}, E(M_2, k_{21})$
  - A → B: $g^{x_3}, E(M_3, k_{22})$
- Key construction
  - $g^{x_i y_j}$ is called the shared secret in the DH protocol
  - Encryption key $k_{ij} = H(g^{x_i y_j})$

13 Off-the-Record -- Forgetting Keys
- A cannot forget $x_{i-1}$ and the keys after it until she has received a message encrypted with $x_i$ from B
- A only generates a new key after she has received a reply from B (so A holds at most two keys at a time)
- Send an empty message if one has not been sent for a while

14 Off-the-Record -- Authentication
- At the beginning, digital signatures are used to verify each other's identity
  - A → B: $Sign(g^{x_1}, k_a), K_A$
  - B → A: $Sign(g^{y_1}, k_b), K_B$
- Messages encrypted with $H(g^{x_1 y_1})$ can then be accepted
- MAC keys are used as the authenticators from then on
- Even if Eve got the encryption key, she still couldn't know the identities of the sender or receiver

15 Off-the-Record – Authentication (cont)
- Subsequent protocol messages:
  - $g^{x_{i+1}}, E(M_k, k_{ij}), MAC(\{g^{x_{i+1}}, E(M_k, k_{ij})\}, H(k_{ij}))$
  - MAC key: $H(k_{ij}) = H(H(g^{x_i y_j}))$
- Both the message and the encryption key are authenticated

16 Revealing MAC keys
- Lets anyone use the MAC keys as authenticators (no one can prove that messages authenticated with these keys are from Alice)
- Past messages authenticated with these keys remain validated (because these messages were successfully received)
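An added sketch (not part of the original slides) of the key derivation on slide 12, the MAC on slide 15, and why a revealed MAC key (slide 16) combined with malleable encryption (slide 9) leaves a transcript unattributable to third parties. Assumptions: a toy 127-bit group, SHA-256 as H, HMAC-SHA-256 as the MAC, a SHA-256 keystream standing in for AES counter mode, and hypothetical function names; the initial signature exchange of slide 14 is omitted.

```python
import hashlib, hmac, secrets

# Toy DH group (assumption, illustration only): far too small for real use.
P, G = 2**127 - 1, 3

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                      # (x_i, g^x_i)

def enc_key(own_secret: int, peer_public: int) -> bytes:
    # k_ij = H(g^(x_i y_j)); both sides compute the same value.
    return H(pow(peer_public, own_secret, P).to_bytes(16, "big"))

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES in counter mode: XOR with a SHA-256 keystream.
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(H(key + i.to_bytes(4, "big")) for i in blocks)
    return bytes(d ^ k for d, k in zip(data, ks))

def mac_tag(mk: bytes, next_pub: int, ct: bytes) -> bytes:
    # MAC({g^x_(i+1), E(M, k_ij)}, H(k_ij))
    return hmac.new(mk, next_pub.to_bytes(16, "big") + ct, hashlib.sha256).digest()

def send(next_pub: int, msg: bytes, k: bytes):
    ct = stream_xor(k, msg)
    return next_pub, ct, mac_tag(H(k), next_pub, ct)   # MAC key is H(k_ij)

def verify(packet, mk: bytes) -> bool:
    next_pub, ct, tag = packet
    return hmac.compare_digest(tag, mac_tag(mk, next_pub, ct))

def rewrite(packet, old: bytes, new: bytes, revealed_mk: bytes):
    # Anyone holding the published MAC key and a guess at the plaintext can
    # produce a different, equally valid packet without the encryption key.
    if len(old) != len(new):
        raise ValueError("replacement must have the same length")
    next_pub, ct, _ = packet
    ct2 = bytes(c ^ a ^ b for c, a, b in zip(ct, old, new))
    return next_pub, ct2, mac_tag(revealed_mk, next_pub, ct2)

def demo():
    (x1, gx1), (y1, gy1), (_, gx2) = dh_keypair(), dh_keypair(), dh_keypair()
    k_alice, k_bob = enc_key(x1, gy1), enc_key(y1, gx1)        # k_11
    packet = send(gx2, b"meet at 10", k_alice)                 # constructed message
    accepted = verify(packet, H(k_bob))
    altered = rewrite(packet, b"meet at 10", b"meet at 11", H(k_alice))
    return (k_alice == k_bob, accepted, stream_xor(k_bob, packet[1]),
            verify(altered, H(k_bob)), stream_xor(k_bob, altered[1]))
```

Because the altered packet verifies just as well as the genuine one, a saved transcript plus the published MAC key proves nothing about who wrote it; Bob was convinced only because he checked the MAC before the key was revealed.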

17 Implementation of OTR - Design
- The Off-the-Record protocol is built on top of an IM protocol
- Incremental deployment
  - Users can use their IM client to communicate with people whether or not they have the security plug-in
- Virtual session
  - Lasts until the client is terminated or after a period of inactivity

18 Implementation of OTR - Implementation
- IM client: GAIM
  - Can integrate several different IM applications
- API dealing with Off-the-Record
  - Received an encrypted message
  - Received a cleartext message
  - Received an error message
  - Received an ignorable message (doesn't include a user message)

19 Using OTR on high-latency applications
- Key agreement is impractical
  - The Diffie-Hellman protocol needs both parties to be online
- Solution: ring signatures
  - Any one of a set of people could have produced the signature, but others cannot tell which one signed (similar to MAC authentication but with less privacy, since the sender is confined to a small set)
- Mitigating the reduced privacy
  - Publish the signature key after all signed messages have been authenticated (making the keys short-term)

20 Conclusions
- Off-the-Record realizes the ideal security properties
  - Repudiable online communication
  - Perfect forward secrecy
  - Maintains confidentiality and authenticity assurances

21 Questions & Discussion
Thank you!

