Off-the-Record Communication, or, Why Not To Use PGP

Download Report

Transcript Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication,
or, Why Not To Use PGP
Slides by
Su Zhang
Nov 8th, 2010
2
Differences between Off-the-Record
Communication and PGP System

PGP System
 Long-live
encryption key
 Non-Repudiable authentication

Off-the-Record communication
 Perfect
forward secrecy
 Repudiability (verifiable only to receiver but not other
people )
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
What Security Properties do We Want?
3

Encryption -- Hide the content of conversation

Perfect Forward Secrecy -- Protect against future
compromises

Authentication -- Make sure the person you are talking
to is the right one

Repudiation – Make sure the communications are
personal and unverifiable to third parties
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Why Hard to Guarantee Online Security Properties?
4

Compromising decrypt key will expose past and
future encrypted messages with that key

Any third party could verify the identity of the
sender through verifying the signature on the
(digital signature is used by protocols like PGP)
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Perfect Forward Secrecy
5

Using short-lived encryption/decryption keys

Impossible to re-derive from their long-term keys


No one (including sender and receiver) couldn’t reconstruct the key
Keys are generated through Diffie-Hellman key
agreement protocol
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Cryptographic Primitives Used by OTR
6

Digital Signatures

Message Authentication Codes (MAC)

Malleable encryption (AES)
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Digital Signatures
7

Long-lived Signature keys (acceptable)


Non-repudiation (undesirable)



Key compromising won’t affect past authentication (since
authenticated messages are successfully received)
Signer couldn’t disclaim the authorship of a message she
signed
Signed messages could be verified by anyone without
signer’s cooperation
Save a lot of space

O(n) keys (shared secret has O(n2) keys )
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Message Authentication Code
8

MAC can check the integrity of the message

Cannot provide Non repudiation (repudiable)

Two parties could authenticate each other (by using
their shared secret) but others couldn’t
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Malleable Encryption and Forgeability
9

Everyone could have changed the message before it
arrive at the receiver end (or before attacker get it)

Modifying some cipher text could change the meaning of
plain text even without knowing encryption key. (e.g.
stream cipher)

Attacker could choose another message which could have a
same length of cipher text then replace it with original one

This is to show that anyone could have modified the
message so nobody (except Bob) could find any clue about
Alice from the message she sent.
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
The Off-the-Record Messaging Protocol
10

Using the primitive encryptions mentioned above

Achieve the aforementioned security properties

Mainly for low-latency communication protocols
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Off-the-Record -- Encryption
11



Encryption algorithm—AES (Malleable)
Encryption key – Generated through DiffieHellman agreement
Short-term key (forward secrecy): re-generated
keys frequently
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Off-the-Record – Message Exchange
12

Exchange course
A
B : gx1
 B  A : gy1
 A  B : gx2 ,E(M1, k11)
 B  A : gy2 ,E(M2, k21)
 A  B : gx3 ,E(M3, k22)

Key construction
 gxiyj
is called shared secret in DH protocol
 Encryption key kij = H(gxiyj )
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Off-the-Record --Forgetting Keys
13



A couldn’t forget Xi-1 and its afterwards keys until
it received a message encrypted with Xi from B
A only generate a new key after she received a
reply from B (So A holds at most two keys at a
time.)
Send empty message if one haven’t sent for a while
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Off-the-Record -- Authentication
14

At the beginning, using digital signature to verify
each other’s identity.
B : Sign(gx1, ka), KA
 B A : Sign(gy1, kb), KB
 A


Then message encrypted with H(gx1y1) could be
accepted
Use MAC keys as following authenticators
 Even
if eve got encryption key, she still couldn’t know
the identities of the sender or receiver
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Off-the-Record – Authentication (cont)
15

Following protocol message:
 gx(i+1),
E(Mk, kij ), MAC({gx(i+1), E(Mk, kij )}, H(kij))
 MAC
 Both
key: H(kij) =H( H(gxiyj ))
message and the encryption key are authenticated
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Revealing MAC keys
16

Let everyone could use the MAC keys as
authenticator. (No one can prove message
authenticated by these keys are from Alice)

Past authenticated messages through these keys are
validated (Because these messages are successfully
received.)
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Implementation of OTR- Design
17

Off-the-Record protocol is built on top of an IM
protocol

Incremental deployment
 A user
could use their IM client to communicate with
people have the security plug-in or not

Virtual session
 Last
until the client terminated or a period of inactive
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Implementation of OTR- Implementation
18

IM Client: GAIM
 Could

integrate several different IM applications
API dealing with Off-the-Record
 Received
an encrypted message
 Received a clear texted message
 Received an error information
 Received an ignorable message (doesn’t include user
message)
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Using OTR on high-latency application -Email
19

Impractical on key agreement


Solution: Ring signatures


Diffie-Hellman protocol needs two parties to be online
A set of people could sign a signature but others couldn’t
tell which one signed. (Similar to MAC authentication but
less privacy (since sender will be confined into a small
range))
Mitigate the less privacy issue

Publish signature key after all signed messages have been
authenticated (make short term keys)
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Conclusions
20

Off-the-Record realized ideal security properties
 Repudiable
 Perfect
online communication
forward secret manner
 Maintaining
confidentiality and authenticity assurances
Off the Record Communication, or, Why Not To Use PGP
11/8/2010
Questions & Discussion
21
Thank you!
Off the Record Communication, or, Why Not To Use PGP
11/8/2010