Slide 1

Off-the-Record Communication, Or, Why Not To Use PGP
Borisov, Goldberg, Brewer
Presented by Wes Chow, @weschow, slides at http://bit.ly/whispering-jellyfish

Slide 2

What Does Off the Record Mean?
- Alice is a reporter.
- Bob is a whistleblower. He wants to remain anonymous to the public.
- They meet secretly to chat.
- Alice writes nothing down, and verifies information with other sources.
- Eve may overhear their conversation.
- How do we mimic this online?

Slide 3

PGP, Pretty Good Privacy (public-key crypto)
p, r = key pair (p is public, r is private)
E(M, p) = ciphertext of M, using function E with p
Essential property: D(E(M, p), r) = M and D(E(M, r), p) = M
In other words, encrypting with one key requires decrypting with the other.

Slide 4

PGP, Pretty Good Privacy (public-key crypto)
Encrypting to Alice is obvious: E(M, p) = ciphertext

Slide 5

PGP, Pretty Good Privacy (public-key crypto)
Authenticated by Alice is less obvious: E(DIGEST(M), r) = signature
Digest: a short, hard-to-reverse computation on M, e.g. SHA-1.
Verifiable by Bob.

Slide 6

PGP, Pretty Good Privacy (public-key crypto)
E(M, p) = ciphertext
E(DIGEST(M), r) = signature
(Bob has his own pair.)

Slide 7

Public-Key Implications
- Keypairs are long lived.
- Eve can’t see what’s in encrypted messages.
- But if Eve breaks a message, the keypair may be compromised.
- A compromised keypair means all past and future messages are readable, and messages are forgeable.
- A signature is proof of authorship: no deniability.

Slide 8

Structure of Talk
- We’ll follow the paper closely and build up the OTR protocol.
- I’ll digress to explain some basic crypto.

Slide 9

How to Encrypt
- Alice wants to send M to Bob.
- Eve can’t learn M, so M should be encrypted.

Slide 10

Diffie-Hellman Key Exchange
Start with a public seed and a * function.
* is hard to unmix (not in scope of this talk, sorry).
Alice generates a random private key, xa.
Bob generates a random private key, xb.

Slide 11

Diffie-Hellman Key Exchange
Alice sends (seed * xa) → Bob
Bob sends (seed * xb) → Alice
Alice computes (seed * xb) * xa
Bob computes (seed * xa) * xb
Notice: (seed * xb) * xa = (seed * xa) * xb if …?

Slide 12

Diffie-Hellman Key Exchange
(seed * xb) * xa = (seed * xa) * xb = k
sb * xa = sa * xb = k
k is the secret key used for encrypting M, established over an insecure public channel!

Slide 13

OTR Encryption Method
- Alice and Bob determine k.
- Alice sends Bob E(M, k).
- What is E?

Slide 14

Block Cipher vs Stream Cipher
- Block ciphers take an n-bit block of plaintext and map it to an n-bit block of ciphertext.
- Tampering with block-cipher ciphertext turns the decrypted block into garbage.
- Stream ciphers are byte- or bit-wise transformations of a keystream on plaintext.
Ok, let’s unpack that.

Slide 15

Stream Cipher
k = secret key
keystream = sequence of {0,1} as a function of k
ciphertext = pairwise xor of keystream with plaintext

Slide 16

Stream Cipher
k = [unintelligible mass of numbers…]
keystream  = 011011011010
plaintext  = 101010101101   (xor)
ciphertext = 110001110111
If you guess the plaintext, you can back out the keystream.
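The two properties this slide relies on, as an added Python example (not code from the talk or the paper): a toy XOR stream cipher, the slide's own bit-string arithmetic, keystream recovery from a known plaintext, and the malleability that makes the ciphertext forgeable without a MAC. The SHAKE-256 keystream generator and the sample key and messages are constructed for the demo.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(k: bytes, length: int) -> bytes:
    # Toy keystream generator (an assumption, not a real cipher): expand k with SHAKE-256.
    return hashlib.shake_256(k).digest(length)

def stream_cipher(k: bytes, data: bytes) -> bytes:
    # E and D are the same operation: XOR the data with the keystream derived from k.
    return xor_bytes(data, keystream(k, len(data)))

def xor_bits(a: str, b: str) -> str:
    # The slide's bit-string arithmetic, done as one integer XOR.
    return format(int(a, 2) ^ int(b, 2), "0%db" % len(a))

def recover_keystream(ciphertext: bytes, guessed_plaintext: bytes) -> bytes:
    # Eve's observation: ciphertext XOR (guessed) plaintext is the keystream; k is never needed.
    return xor_bytes(ciphertext, guessed_plaintext)

def tampered_decrypt(k: bytes, plaintext: bytes, index: int, mask: int) -> bytes:
    # Malleability: XORing a mask into one ciphertext byte XORs the same mask into the
    # decrypted byte and nothing else changes. Without a MAC, Bob has no way to notice.
    ct = bytearray(stream_cipher(k, plaintext))
    ct[index] ^= mask
    return stream_cipher(k, bytes(ct))
```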

Slide 17

OTR Encryption
- Uses a stream cipher, so that M is purposely forgeable by Eve!
- Repudiable = plausible deniability
- Repudiable between Alice and Bob (because k is symmetric).
- Repudiable if Eve rats on them.
- So how do Alice and Bob know Eve isn’t forging messages? We’ll come back to that.

Slide 18

Protocol So Far
E(M, k), where E is a stream cipher and k comes from the Diffie-Hellman key exchange

Slide 19

Perfect Forward Secrecy
- If Eve captures a message and determines k, then she can now read all messages encrypted with k.
- So, we change k on every message. Now compromise of one message doesn’t compromise them all.
- We could initiate Diffie-Hellman on every message, but that’s wasteful.
- Instead, we send the next half on every message.
- Note, Alice and Bob only have to remember the last half from each other.
- They discard secret keys and Diffie-Hellman halves when done.

Slide 20

Recall Diffie-Hellman
Alice sends (seed * xa) = sa
Bob sends (seed * xb) = sb
sb * xa = sa * xb = k

Slide 21

OTR Protocol w/ Forward Secrecy
Compute sa2 = (seed * xa2)
Send E(M1, k1), sa2
Where M1 is the first message, k1 is the initial Diffie-Hellman key, and sa2 is Alice’s next Diffie-Hellman half.
Bob computes k2 = sa2 * xb1.

Slide 22

Is the Message Forgeable?
E(M1, k1), sa2

Slide 23

Public-key Crypto to the Rescue
- Alice and Bob have public-private keypairs.
- They sign their Diffie-Hellman halves on the initial exchange. If this is compromised, they have only signed half a k.
- Now they trust each other’s halves.
- They compute a MAC on messages.

Slide 24

Message Authentication Code
- Similar to digests, but takes M and k, and produces a cryptographic tag over the two.
- A MAC is easy to compute, and can be used to verify that k was used to encrypt M.
- HMAC is popular, which is: H((K ^ opad) || H((K ^ ipad) || M))

Slide 25

OTR Protocol So Far
E(M1, k1), sa2, MAC(..., H(k1))
Bob independently computes the MAC and verifies.
Only someone who knows k1 can write this message.
Because k1 is trusted (signed), Bob trusts this is from Alice.
M2 authentication follows by induction.

Slide 26

Final Trick!
- Alice publishes the MAC key after Bob has acknowledged receipt.
- Eve (or anybody else) could make up a message that fits any MAC.
Extra repudiability cleverness.

Slide 27

OTR Protocol (Final)
Use Diffie-Hellman to exchange sa1 and sb1. Sign sa1 and sb1.
Compute k1 = sb1 * xa1
Alice sends E(M1, k1), sa2, MAC(..., H(k1))
Bob computes k2 = sa2 * xb1
Bob sends encrypted M2 to Alice and publishes MAC1.
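The final protocol end to end, as an added Python example (not the paper's or any OTR implementation's code): a toy Diffie-Hellman group, an XOR stream cipher, an HMAC keyed with H(k) over the ciphertext and the next half, the per-message ratchet from slides 19 to 21, rejection of tampered ciphertext, and publication of old MAC keys on the reply as on slide 26. The initial halves are assumed to have been signed with long-term keys (left out here); the group size and the SHAKE-256 cipher are demo assumptions.

```python
import hashlib, hmac, secrets
# Toy Diffie-Hellman group: an assumption for this demo, far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 5

def dh_half(x: int) -> int:
    # "seed * x" in the slides' notation: g^x mod p.
    return pow(G, x, P)

def dh_key(their_half: int, x: int) -> bytes:
    # "sb * xa = sa * xb = k", hashed down to 32 key bytes.
    return hashlib.sha256(pow(their_half, x, P).to_bytes(16, "big")).digest()

def encrypt(k: bytes, data: bytes) -> bytes:
    # Toy stream cipher (an assumption): XOR with a SHAKE-256 keystream; decryption is the same call.
    ks = hashlib.shake_256(k).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac_key(k: bytes) -> bytes:
    return hashlib.sha256(k).digest()          # the H(k) in MAC(..., H(k))

def mac_with_key(mk: bytes, ct: bytes, next_half: int) -> bytes:
    # HMAC over the ciphertext and the next DH half (length-prefixed, so fields can't blur).
    msg = len(ct).to_bytes(4, "big") + ct + next_half.to_bytes(16, "big")
    return hmac.new(mk, msg, "sha256").digest()

class Party:
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 2   # current private exponent (xa1 or xb1)
        self.their_half = None                  # only the latest half from the peer is kept
        self.to_reveal = []                     # MAC keys of received messages, published on reply

    def send(self, message: bytes):
        k = dh_key(self.their_half, self.x)
        x_next = secrets.randbelow(P - 2) + 2   # fresh exponent: the next message gets a new k
        ct, nxt = encrypt(k, message), dh_half(x_next)
        tag = mac_with_key(mac_key(k), ct, nxt)
        revealed, self.to_reveal = self.to_reveal, []   # old MAC keys go public (slide 26)
        self.x = x_next                                  # discard the old exponent
        return ct, nxt, tag, revealed

    def receive(self, ct: bytes, next_half: int, tag: bytes):
        k = dh_key(self.their_half, self.x)
        if not hmac.compare_digest(tag, mac_with_key(mac_key(k), ct, next_half)):
            return None                          # tampered or forged: reject, state unchanged
        self.their_half = next_half
        self.to_reveal.append(mac_key(k))
        return encrypt(k, ct)
```

Once a MAC key is in the revealed list, anyone holding the transcript can produce a valid tag for that old message, which is exactly the deniability the slide is after.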

Slide 28

Cryptographic Properties
- Perfect forward secrecy
- Digital signatures
- Message Authentication Codes
- Malleable encryption
- Repudiability