OTR AKE Protocol - PowerPoint PPT Presentation

Slides: 16
Provided by: stan7
Learn more at: https://web.stanford.edu

1
OTR AKE Protocol
2
OTR Data Protocol
3
Security Properties
  • Authentication: Public keys and signatures
  • Integrity: MACs
  • Perfect Forward Secrecy: Constant re-keying
  • Deniability
      • Weak Deniability: Shared secrets
      • Strong Deniability: Malleable encryption

4
Found Attacks
  • Version Rollback Attack
      • An attacker may arbitrarily set the version of OTR.
  • Strong Deniability Attack
      • An attacker with strong network control may disable the strong
        deniability property.
  • Authentication Failure
      • Alice may be convinced to commit to an AKE key exchange not
        knowing who she is speaking with.
  • Message Integrity Attack
      • An intruder may arbitrarily alter a message.

5
Strong Deniability Attack
    invariant "Strong Deniability"
      forall a: PrincipalId do
      forall b: PrincipalId do
      forall i: IntruderId do
        int[i].mac_keys[a][b].k_A > 0 &
        int[i].mac_keys[b][a].k_B > 0
        ->
        int[i].mac_keys[a][b].k_A = pri[a].c[b].k_ours - 2 &
        int[i].mac_keys[b][a].k_B = pri[a].c[b].k_theirs - 1
      end
      end
      end

6
Strong Deniability Attack
  • An intruder may replace published MAC keys

7
Authentication Failure
  • Problem: Bob never makes it clear he thinks he is talking to Alice

8
Authentication Failure
  • Bob believes he is talking to Mallory
  • Alice believes she is talking to Bob

9
Authentication Failure
  • Bob believes he is talking to Mallory
  • Alice believes she is talking to Bob
  • After receiving the third message, Alice commits
    to a successful key exchange with Bob
  • Bob will think the exchange failed with Mallory

10-13
Message Integrity Attack
  • Re-keying in OTR
  • [Diagram with columns Alice and Bob]

14
Message Integrity Attack
  • Mallory blocks a message containing published MAC
    keys
  • Mallory uses published keys to re-send a modified
    message to Bob. Bob thinks it was sent before his
    message was received.
  • Negative feature interaction between forward secrecy and strong
    deniability

15
Message Integrity Attack
  • The Official Response
  • ... Good call on this one. Bizarrely, it doesn't
    turn out to be a security hole in the deployed
    software because there's a bug in it. (!) The
    deployed software only publishes MAC keys that
    were used to receive messages, not ones on
    messages it sent. This is safe, because it knows
    for sure that it'll never trust a MAC key that
    it's already published ...
  • - OTR Author Ian Goldberg
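
The publishing rule described in the response above, set against the case where keys from sent messages are published too, as an added example that is not part of the original slides or of the OTR code base. It assumes a simplified model: one MAC key per direction, HMAC-SHA256 as a stand-in MAC, constructed key bytes, and the hypothetical names Endpoint, rotate and forgery_accepted.

```python
import hashlib
import hmac

def tag(key: bytes, body: bytes) -> bytes:
    """MAC over a message body (HMAC-SHA256 is a stand-in, an assumption)."""
    return hmac.new(key, body, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, send_key: bytes, recv_key: bytes):
        self.send_key = send_key      # key on messages this side sends
        self.recv_keys = {recv_key}   # keys this side still trusts on receipt

    def verify(self, body: bytes, mac: bytes) -> bool:
        return any(hmac.compare_digest(tag(k, body), mac) for k in self.recv_keys)

    def rotate(self, new_send: bytes, new_recv: bytes, publish_sent_keys: bool):
        """Re-key and return the old MAC keys revealed in cleartext."""
        published = list(self.recv_keys)      # keys used to receive messages
        if publish_sent_keys:
            published.append(self.send_key)   # the peer may still trust this key
        self.recv_keys = {new_recv}           # never trust a key already published
        self.send_key = new_send
        return published

def forgery_accepted(publish_sent_keys: bool) -> bool:
    """True if any published key still authenticates a message to either side."""
    k_ab, k_ba = b"\x01" * 32, b"\x02" * 32   # constructed sample keys
    alice = Endpoint(send_key=k_ab, recv_key=k_ba)
    bob = Endpoint(send_key=k_ba, recv_key=k_ab)
    published = alice.rotate(b"\x03" * 32, b"\x04" * 32, publish_sent_keys)
    # The message carrying `published` is seen on the wire but never reaches
    # Bob (slide 14), so Bob has not re-keyed and still trusts k_ab.
    body = b"modified message"                # constructed sample body
    to_bob = any(bob.verify(body, tag(k, body)) for k in published)
    to_alice = any(alice.verify(body, tag(k, body)) for k in published)
    return to_bob or to_alice

if __name__ == "__main__":
    print("publishing sent-message keys too:", forgery_accepted(True))
    print("publishing receive-only keys:    ", forgery_accepted(False))
```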