
Privacy and Anonymity

OTR
Applied Cryptography, Lecture 13

Ruben Niederhagen

January 5th, 2015


/ department of mathematics and computer science
Introduction 1/42

“Classic” goals of cryptography:

• confidentiality – symmetric encryption,
• data integrity – hash functions,
• authentication – asymmetric encryption, and
• non-repudiation – signatures.

“Privacy” goals of cryptography:

• repudiation (deniability),
• anonymity, ⇐ Tor, ...
• forward secrecy.

May depend on meta-data: sender, receiver, keying data...


Privacy in the Internet — Introduction 2/42

Private communication (here):

• authenticity ✓ (I know whom I’m talking to.)
• confidentiality ✓ (Nobody is eavesdropping.)
• integrity ✓ (My statements are not altered.)
• forward secrecy ✗ (Content cannot be revealed in the future.)
• repudiation ✗ (I can deny that I said what I said.)

eMail encryption using GPG?

Solution:
Use ephemeral keys.


Privacy in the Internet — Ephemeral Keys 3/42

Ephemeral:
• adjective:
  1. Lasting a very short time; short-lived; transitory: the ephemeral joys of childhood.
  2. Lasting but one day: an ephemeral flower.
• noun:
  3. Anything short-lived, as certain insects. [dictionary.com]

Ephemeral key:
“A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process.” [Wikipedia]
Example: Keys derived from Diffie-Hellman key exchange.


Off-The-Record (OTR) Protocol (simplified) 4/42

Introduction:
• Standard key agreement and encryption protocol on top of XMPP (Jabber).
• Available natively or as plug-in for most XMPP clients.
• Provides forward secrecy and deniable authentication.
• Designed by Ian Goldberg and Nikita Borisov.


Off-The-Record (OTR) Protocol (simplified) 5/42

Alice, (kA, vA)                                              Bob, (kB, vB)

x1 = rand()
                g^x1, sign_kA(g^x1), vA   →
                                                             y1 = rand()
                ←  g^y1, sign_kB(g^y1), vB
k1 = kdf(g^(x1·y1))                                          k1 = kdf(g^(x1·y1))
m1 = hash(k1)                                                m1 = hash(k1)
x2 = rand()
                C1 = enc_k1(M1), g^x2, hmac_m1(C1 || g^x2)   →
                                                             y2 = rand()
                ←  C2 = enc_k1(M2), g^y2, hmac_m1(C2 || g^y2)
k2 = kdf(g^(x2·y2))                                          k2 = kdf(g^(x2·y2))
m2 = hash(k2)                                                m2 = hash(k2)
x3 = rand()
                C3 = enc_k2(M3), g^x3, hmac_m2(C3 || g^x3), m1   →


Off-The-Record (OTR) Protocol (simplified) 6/42

Authentication:
• Key exchange is signed with each user’s public key.

Confidentiality:
• Data exchange is encrypted with AES-CTR with a secret key.

Integrity:
• An HMAC is used for all encrypted messages.


Off-The-Record (OTR) Protocol (simplified) 7/42

Forward secrecy:
• If a long-term private key (kA, kB) becomes public, all ephemeral encryption keys (k1, k2, ...) are still secret.
• If an ephemeral encryption key becomes public, only a few messages are revealed.


Off-The-Record (OTR) Protocol (simplified) 8/42

Repudiation:
• Bob cannot blame Alice for having sent him a specific message, since Bob is in possession of both the encryption and the MAC key and thus could have written the message himself.
• If Eve gets hold of an encryption key, she cannot prove that either Alice or Bob has written a certain message, since Eve is in possession of the MAC key as well.
• Someone who can forge a valid cipher text cannot convince anybody else that either Alice or Bob has written that message, since the MAC key is made public after its expiry.

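As an added illustration (not from the lecture), the following Python models the data phase of the simplified protocol on slides 5 to 8: two messages under k1, the ratchet to k2, and a third message that publishes the retired MAC key m1, with the forward-secrecy and deniability properties checked at the end. It assumes a toy group (the Mersenne prime 2^127 - 1, generator 3) and a SHA-256 keystream in place of AES-CTR; the signed key exchange that authenticates g^x1 and g^y1 is taken as already done.

```python
import hashlib
import hmac
import secrets

# Toy group for this example only (assumption, not OTR's parameters): the Mersenne
# prime 2^127 - 1 with generator 3. Real OTR uses a 1536-bit MODP group.
P = 2**127 - 1
G = 3
NBYTES = 16  # every group element fits in 16 bytes


def rand():
    """x = rand(): a fresh ephemeral DH exponent."""
    return secrets.randbelow(P - 2) + 1


def kdf(shared):
    """k = kdf(g^xy): a 16-byte encryption key from the shared DH value."""
    return hashlib.sha256(b"otr-demo-kdf" + shared.to_bytes(NBYTES, "big")).digest()[:16]


def mac_key(k):
    """m = hash(k): the MAC key is derived from the encryption key."""
    return hashlib.sha256(k).digest()


def stream_xor(key, data):
    """Stand-in for AES-CTR (not in the standard library): XOR with a SHA-256
    keystream. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def tag(m, ciphertext, next_pub):
    """hmac_m(C || g^x_next): the tag covers the ciphertext and the next DH value."""
    return hmac.new(m, ciphertext + next_pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def data_message(k, m, plaintext, next_pub, revealed=()):
    """C = enc_k(M), g^x_next, hmac_m(C || g^x_next), plus any retired MAC keys."""
    c = stream_xor(k, plaintext)
    return (c, next_pub, tag(m, c, next_pub), tuple(revealed))


def verify_tag(m, msg):
    """Receiver check of the HMAC, in constant time."""
    c, next_pub, t, _revealed = msg
    return hmac.compare_digest(t, tag(m, c, next_pub))


def open_message(k, m, msg):
    """Verify the HMAC first, then decrypt (Encrypt-then-MAC)."""
    if not verify_tag(m, msg):
        raise ValueError("HMAC check failed")
    return stream_xor(k, msg[0])


def run_exchange():
    """Replays the slide: two messages under k1, ratchet to k2, a third message
    under k2 that publishes m1. Returns the facts worth checking."""
    # g^x1, g^y1 come from the signed key exchange; signature checks are out of scope here.
    x1, y1 = rand(), rand()
    k1_alice = kdf(pow(pow(G, y1, P), x1, P))
    k1_bob = kdf(pow(pow(G, x1, P), y1, P))
    m1 = mac_key(k1_alice)
    x2 = rand()  # Alice -> Bob: C1 under k1, advertising g^x2
    msg1 = data_message(k1_alice, m1, b"M1: hello Bob", pow(G, x2, P))
    p1 = open_message(k1_bob, m1, msg1)
    y2 = rand()  # Bob -> Alice: C2 under k1, advertising g^y2
    msg2 = data_message(k1_bob, m1, b"M2: hello Alice", pow(G, y2, P))
    p2 = open_message(k1_alice, m1, msg2)
    # Ratchet: k2 = kdf(g^(x2 y2)) from the advertised values; x1, y1 and k1 can now be erased.
    k2_alice, k2_bob = kdf(pow(msg2[1], x2, P)), kdf(pow(msg1[1], y2, P))
    m2 = mac_key(k2_alice)
    # Alice -> Bob: C3 under k2, advertising g^x3 and publishing the retired MAC key m1.
    msg3 = data_message(k2_alice, m2, b"M3: under the new key", pow(G, rand(), P), revealed=[m1])
    p3 = open_message(k2_bob, m2, msg3)
    return {
        "keys_agree": k1_alice == k1_bob and k2_alice == k2_bob,
        "fresh_key": k1_alice != k2_alice,  # forward secrecy: k2 comes from fresh x2, y2, not from k1
        "plaintexts": (p1, p2, p3),
        "revealed_m1": msg3[3] == (m1,),
        "m1": m1,
    }


def anyone_with_m_can_tag(revealed_m):
    """Deniability: with the published m1, any third party can attach a tag that
    passes verify_tag to bytes of its choosing, so a valid tag proves nothing
    about who wrote a message."""
    c, next_pub = b"bytes produced by a third party", pow(G, rand(), P)
    return verify_tag(revealed_m, (c, next_pub, tag(revealed_m, c, next_pub), ()))
```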

Off-The-Record (OTR) Protocol (simplified) 9/42

Disadvantage:
Both users must be online, no offline messaging.

Advantage:
No ephemeral keys are stored persistently.


Off-The-Record (OTR) Protocol (simplified) 10/42

Problem: Identity Misbinding

Eve runs a MITM attack, starting simultaneous conversations with both Alice and Bob.

A → E : g^x, sign_kA(g^x), vA
E → B : g^x, sign_kE(g^x), vE
B → E : g^y, sign_kB(g^y), vB
E → A : g^y, sign_kB(g^y), vB

• Alice receives a signature from Bob and correctly assumes she is talking to Bob.
• Bob receives a signature from Eve and assumes he is talking to Eve while he actually is talking to Alice.
• Eve does NOT learn the shared secret.


Off-The-Record (OTR) Protocol V2 (simplified) 11/42

Alice, (kA, vA)                                              Bob, (kB, vB)

x1 = rand()
r = rand()
                enc_r(g^x1), hash(g^x1)   →
                                                             y1 = rand()
                ←  g^y1
s1 = g^(x1·y1)
                r   →
                                                             decrypt g^x1
                                                             s1 = g^(x1·y1)
(k1, k2, m1 ... m4) = kdf(s1)                                (k1, k2, m1 ... m4) = kdf(s1)
MA = hmac_m1(g^x1 || g^y1 || vA)
XA = vA, sign_kA(MA)
                enc_k1(XA), hmac_m2(enc_k1(XA))   →
                                                             verify hmac, decrypt XA
                                                             MA = hmac_m1(g^x1 || g^y1 || vA)
                                                             verify signature on MA
                                                             MB = hmac_m3(g^x1 || g^y1 || vB)
                                                             XB = vB, sign_kB(MB)
                ←  enc_k2(XB), hmac_m4(enc_k2(XB))
verify hmac, decrypt XB
MB = hmac_m3(g^x1 || g^y1 || vB)
verify signature on MB


Off-The-Record (OTR) Protocol V2 (simplified) 12/42

Authentication:
Users must use an out-of-band channel for authentication!

Man in the middle?



Socialist Millionaires’ Protocol (SMP) 13/42

Introduction:
• Idea: Two millionaires want to figure out if their wealth is equal without revealing to the public how much money they own.
  (Millionaire’s Problem: Compare the wealth and figure out who is richer without revealing the actual amount of money each owns.)
• Application: Two parties want to figure out if they share a common secret value without revealing the value to the public.


Socialist Millionaires’ Protocol (SMP) 14/42

Alice, x                           x = y?                           Bob, y

a1 = rand(), a2 = rand()
                g^a1, g^a2   →
                                                                    b1 = rand(), b2 = rand()
                                                                    r = rand()
                                                                    g1 = g^(a1·b1), g2 = g^(a2·b2)
                                                                    Pb = g2^r, Qb = g^r · g1^y
                ←  g^b1, g^b2, Pb, Qb
g1 = g^(a1·b1), g2 = g^(a2·b2)
s = rand()
Pa = g2^s, Qa = g^s · g1^x
Ra = (Qa/Qb)^a2
                Pa, Qa, Ra   →
                                                                    Rb = (Qa/Qb)^b2
                                                                    Rab = Ra^b2
                                                                    check Rab = Pa/Pb
                ←  Rb
Rab = Rb^a2
check Rab = Pa/Pb

Rab = Rb^a2 = (Qa/Qb)^(b2·a2) = (g^s · g1^x · g^(−r) · g1^(−y))^(b2·a2) = (g^(s−r) · g1^(x−y))^(b2·a2)
Pa/Pb = g2^s · g2^(−r) = g2^(s−r) = g^(a2·b2·(s−r))

The two agree iff g1^((x−y)·a2·b2) = 1, i.e. (for g1 of large order) iff x = y.

all operations performed modulo a prime p

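An added runnable version of the exchange above (example code, not the lecture's), in Python with big-integer arithmetic. All operations are modulo the 1024-bit MODP prime of RFC 2409 (Oakley group 2) with generator 2, chosen here for brevity (OTR itself runs SMP in its 1536-bit DH group); hashing a passphrase into the compared exponent is this example's own assumption.

```python
import hashlib
import secrets

# Group for this example (assumption): the 1024-bit MODP prime of RFC 2409 (Oakley
# group 2) with generator 2, which generates the subgroup of prime order q = (p-1)/2.
# OTR itself runs SMP in its 1536-bit DH group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2


def rand():
    """rand(): a random exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


def inv(a):
    """Modular inverse, so that Qa/Qb means Qa * Qb^-1 mod p."""
    return pow(a, -1, P)


def secret_to_exponent(secret):
    """Assumption of this example: the compared value is a passphrase hashed to an
    exponent mod q."""
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % Q


def smp(x, y):
    """Run the slide's SMP between Alice (knows x) and Bob (knows y); returns
    (alice_accepts, bob_accepts). Each side only uses values it sent or received."""
    # Alice, step 1: a1 = rand(), a2 = rand(); sends g^a1, g^a2.
    a1, a2 = rand(), rand()
    g_a1, g_a2 = pow(G, a1, P), pow(G, a2, P)
    # Bob, step 1: b1, b2, r; g1 = g^(a1 b1), g2 = g^(a2 b2); Pb = g2^r, Qb = g^r g1^y.
    b1, b2, r = rand(), rand(), rand()
    g1_b, g2_b = pow(g_a1, b1, P), pow(g_a2, b2, P)
    Pb = pow(g2_b, r, P)
    Qb = pow(G, r, P) * pow(g1_b, y, P) % P
    g_b1, g_b2 = pow(G, b1, P), pow(G, b2, P)  # sends g^b1, g^b2, Pb, Qb
    # Alice, step 2: g1, g2 from Bob's values; s; Pa = g2^s, Qa = g^s g1^x; Ra = (Qa/Qb)^a2.
    g1_a, g2_a = pow(g_b1, a1, P), pow(g_b2, a2, P)
    s = rand()
    Pa = pow(g2_a, s, P)
    Qa = pow(G, s, P) * pow(g1_a, x, P) % P
    Ra = pow(Qa * inv(Qb) % P, a2, P)  # sends Pa, Qa, Ra
    # Bob, step 2: Rb = (Qa/Qb)^b2; Rab = Ra^b2; check Rab = Pa/Pb.
    Rb = pow(Qa * inv(Qb) % P, b2, P)  # sends Rb
    bob_accepts = pow(Ra, b2, P) == Pa * inv(Pb) % P
    # Alice, step 3: Rab = Rb^a2; check Rab = Pa/Pb.
    alice_accepts = pow(Rb, a2, P) == Pa * inv(Pb) % P
    # Both checks compare g^((s-r) a2 b2) * g1^((x-y) a2 b2) with g^((s-r) a2 b2):
    # they agree exactly when x = y, and neither x nor y ever leaves its owner.
    return alice_accepts, bob_accepts


def compare_passphrases(alice_secret, bob_secret):
    return smp(secret_to_exponent(alice_secret), secret_to_exponent(bob_secret))
```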

Cryptocat 15/42

Introduction:

• Started as a JavaScript implementation running in the browser.
• Now a web-browser plug-in (Chrome, Firefox, Safari, and Opera) and a native iOS application.
• “Easy-to-use”, was used by journalist Glenn Greenwald to communicate with NSA whistleblower Edward Snowden.
• Uses OTR for one-to-one conversations.
• Offers a group chat with a separate protocol.


Cryptocat 16/42

History of Problems (reported by Steve Thomas):

Cryptocat is using a hand-rolled protocol for multi-party OTR.
Jul 9, 2011    (49 days)  Passwords: PBKDF2-HMAC-SHA1, 1000 iterations
Aug 27, 2011   (9 days)   Passwords: PBKDF2-HMAC-SHA1, 600 iterations
Sep 5, 2011    (1 day)    768 bit RSA (largest publicly factored key size)
Sep 6, 2011    (2 days)   512 bit RSA
Sep 8, 2011    (3 days)   600 bit RSA
Sep 11, 2011   (0 days)   1280 bit RSA
Sep 11, 2011   (1 day)    1024 bit RSA
Sep 12, 2011   (19 days)  1048 bit RSA
Oct 1, 2011    (9 days)   1536/1152 bit RSA (Chrome/other)
Oct 10, 2011   (5 days)   1536/1024 bit RSA (Chrome/other)

https://tobtu.com/decryptocat.php
Cryptocat 16/42

History of Problems (reported by Steve Thomas):

Cryptocat is using a hand-rolled protocol for multi-party OTR.
Oct 15, 2011   (2 days)    DH: 10^64 = 2^212.6 (106.3 bits of security)
Oct 17, 2011   (12 days)   DH: 10^32 = 2^106.3 (53.2 bits of security)
Oct 29, 2011   (63 days)   DH: 10^26 = 2^86.4 (43.1 bits of security)
Dec 31, 2011   (128 days)  DH: 10^24 = 2^79.7 (39.8 bits of security)
May 7, 2012    (347 days)  ECDH: 2 · 10^16 = 2^54.2 (27.1 bits of security)
Apr 19, 2013   (45 days)   ECDH: 10^32 / 8 = 2^103.3 (51.7 bits of security)
Jun 3, 2013    (0 days)    ECDH: 16^64 / 32 = 2^251.0 (125.5 bits of security)
Jun 3, 2013               ECDH: 10^64 / 8 = 2^209.6 (104.8 bits of security)

Problem:
Passing an integer encoded as a base-10 string to a function expecting an array of bytes.

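To see where the figures in the table come from, here is an added Python check (not from the lecture) that recomputes each row: the key-space exponent is log2 of the number of values the flawed generator could produce, and the security figure halves it, the cost of generic square-root discrete-log attacks when the exponent is known to lie in that small set. The helper names and the transcribed table are this example's own.

```python
import math


def keyspace_bits(n_keys):
    """log2 of the number of distinct keys the generator can emit."""
    return math.log2(n_keys)


def security_bits(n_keys):
    """What the slide reports: a DH/ECDH exponent drawn from N values falls to
    generic square-root discrete-log attacks (baby-step giant-step, Pollard's
    kangaroo) in about sqrt(N) steps, i.e. half the key-space bits."""
    return keyspace_bits(n_keys) / 2


def decimal_string_keyspace(n_chars):
    """A base-10 string of n_chars characters handed to a function that expects
    raw bytes carries only 10**n_chars values: about 3.32 bits per byte, not 8."""
    return 10 ** n_chars


def raw_bytes_keyspace(n_bytes):
    return 256 ** n_bytes


def entropy_loss(n_bytes):
    """(intended bits, actual bits) when n_bytes of key material are really an
    n_bytes-long decimal string."""
    return keyspace_bits(raw_bytes_keyspace(n_bytes)), keyspace_bits(decimal_string_keyspace(n_bytes))


# Rows transcribed from the slide's table for checking (dates omitted):
# (scheme, key-space size, key-space bits as printed, security bits as printed).
SLIDE_ROWS = [
    ("DH", 10**64, 212.6, 106.3),
    ("DH", 10**32, 106.3, 53.2),
    ("DH", 10**26, 86.4, 43.1),
    ("DH", 10**24, 79.7, 39.8),
    ("ECDH", 2 * 10**16, 54.2, 27.1),
    ("ECDH", 10**32 // 8, 103.3, 51.7),
    ("ECDH", 16**64 // 32, 251.0, 125.5),
    ("ECDH", 10**64 // 8, 209.6, 104.8),
]


def check_slide_rows(tolerance=0.1):
    """Recompute each row; a row passes if both figures are within `tolerance` bits
    of the printed value (the slide mixes rounding and truncation in the last digit)."""
    results = []
    for scheme, n, bits, sec in SLIDE_ROWS:
        got_bits, got_sec = keyspace_bits(n), security_bits(n)
        ok = abs(got_bits - bits) < tolerance and abs(got_sec - sec) < tolerance
        results.append((scheme, ok, round(got_bits, 1), round(got_sec, 1)))
    return results
```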

Cryptocat 17/42

Cryptographic Primitives:
• AES-CTR-256 with randomized IV for data encryption and decryption.
• Curve25519 for Elliptic Curve public key generation.
• SHA-512 for generating 512-bit message authentication codes, shared secrets, fingerprints, and message tags.
• HMAC-SHA512 for message authentication (Encrypt-then-MAC).


Cryptocat 18/42

Key Generation:
For each chat room, each user creates a private/public key pair. Generating the private key relies on a cryptographically secure pseudo-random number generator.
The private key n is a random 256-bit string; the public key q is computed as
    q = x(n · G)
where x() returns the x-coordinate of a point and G is the base point (the point with x-coordinate 9).


Cryptocat 19/42

Key Agreement:
Alice may send her public key to Bob using a JSON object formatted as follows:
    {"type":"publicKey", Alice:{"message": PublicKeyBob}}
where PublicKeyBob is encoded using Base64.
Once Bob receives Alice’s public key, he must send his own public key in return.
If a client receives a public key from another user but there already is a public key on record for them, the new public key is not accepted.


Cryptocat 20/42

User Authentication:
The fingerprint of a public key is computed as:
    Fingerprint = hex(SHA-512(PublicKey)).substring(0, 40)
Users can verify someone else’s identity simply by confirming his/her fingerprint over a trusted out-of-band channel (which may be public, but difficult to impersonate) such as a telephone.


Cryptocat 21/42

Shared Secrets:
Every pair of parties uses a shared secret to encrypt and authenticate messages.
In a chat between Alice, Bob and Carol, Alice uses the following formula to establish her shared secret with Bob:
    SharedSecretAB = SHA-512(scalarMult(privateKeyA, publicKeyB))
and the following formula to establish her shared secret with Carol:
    SharedSecretAC = SHA-512(scalarMult(privateKeyA, publicKeyC))
Bob similarly calculates SharedSecretBA and SharedSecretBC. Carol also creates SharedSecretCA and SharedSecretCB.
The first 256 bits of a shared secret are used as the encryption key for AES-CTR-256 operations, while the last 256 bits are used as the key for HMAC-SHA-512 operations.


Cryptocat 22/42

Messaging:
A message being sent by user Alice to a chat with users Alice, Bob and Carol is a JSON object structured as follows:
    {"type":"message",
     "text": {
       Bob:   {"message": CiphertextB, "iv": ivB, "hmac": hmacB},
       Carol: {"message": CiphertextC, "iv": ivC, "hmac": hmacC}},
     "tag": Tag}
All binary data (ciphertexts, IVs, and HMACs) is encoded as Base64.
64 random bytes are added to the end of the message before encryption.
The IV is composed of 16 bytes: 12 bytes that are randomly generated, followed by 4 bytes acting as a counter, incremented once per block.


Cryptocat 23/42

Message Authentication:
HMACs are generated as follows:
    HMAC-SHA-512(CiphertextB || ivB || CiphertextC || ivC || ...)
The sender N uses the last 256 bits of SharedSecretNM as the HMAC key for the ciphertext sent to the user M.
The message tag is calculated by hashing the plaintext concatenated with the HMAC of every recipient,
    plaintext || hmacB || hmacC || ...
through 8 passes of SHA-512.

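The shared-secret split, per-recipient HMAC and 8-pass tag described on slides 21 to 23, as an added Python example (not Cryptocat's code). Because the standard library has neither Curve25519 nor AES, the shared secrets and ciphertexts are constructed stand-in bytes; processing recipients in sorted name order and including the 64 padding bytes in the tagged plaintext are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64(raw):
    return base64.b64encode(raw).decode()


def unb64(text):
    return base64.b64decode(text)


def split_shared_secret(shared_secret):
    """SharedSecret = SHA-512(scalarMult(...)) is 64 bytes: the first 256 bits key
    AES-CTR-256, the last 256 bits key HMAC-SHA-512."""
    if len(shared_secret) != 64:
        raise ValueError("shared secret must be a SHA-512 output")
    return shared_secret[:32], shared_secret[32:]


def new_iv():
    """16-byte IV: 12 random bytes followed by a 4-byte block counter starting at 0."""
    return secrets.token_bytes(12) + (0).to_bytes(4, "big")


def message_hmac(mac_key, parts):
    """HMAC-SHA-512(Ciphertext_1 || iv_1 || Ciphertext_2 || iv_2 || ...): one key per
    recipient, but the input covers every recipient's ciphertext and IV."""
    h = hmac.new(mac_key, digestmod=hashlib.sha512)
    for ciphertext, iv in parts:
        h.update(ciphertext)
        h.update(iv)
    return h.digest()


def message_tag(plaintext, hmacs):
    """Tag: 8 passes of SHA-512 over plaintext || hmac_1 || hmac_2 || ..."""
    data = plaintext + b"".join(hmacs)
    for _ in range(8):
        data = hashlib.sha512(data).digest()
    return data


def build_message(plaintext, ciphertexts, shared_secrets):
    """Assemble the {"type":"message", ...} object. ciphertexts: recipient -> the
    AES-CTR-256 output for that recipient (supplied by the caller); shared_secrets:
    recipient -> the sender's 64-byte SharedSecret with them. Assumption of this
    example: recipients are processed in sorted name order."""
    recipients = sorted(ciphertexts)
    ivs = {r: new_iv() for r in recipients}
    parts = [(ciphertexts[r], ivs[r]) for r in recipients]
    text, hmacs = {}, []
    for r in recipients:
        _, mac_key = split_shared_secret(shared_secrets[r])
        h = message_hmac(mac_key, parts)
        hmacs.append(h)
        text[r] = {"message": b64(ciphertexts[r]), "iv": b64(ivs[r]), "hmac": b64(h)}
    return {"type": "message", "text": text, "tag": b64(message_tag(plaintext, hmacs))}


def verify_hmac(me, msg, shared_secret_with_sender):
    """Recipient side, before decrypting: recompute my HMAC over all ciphertexts and
    compare in constant time (Encrypt-then-MAC)."""
    recipients = sorted(msg["text"])
    parts = [(unb64(msg["text"][r]["message"]), unb64(msg["text"][r]["iv"])) for r in recipients]
    _, mac_key = split_shared_secret(shared_secret_with_sender)
    return hmac.compare_digest(message_hmac(mac_key, parts), unb64(msg["text"][me]["hmac"]))


def verify_tag(plaintext, msg):
    """After decrypting: the tag must match my plaintext and every recipient's HMAC."""
    hmacs = [unb64(msg["text"][r]["hmac"]) for r in sorted(msg["text"])]
    return hmac.compare_digest(message_tag(plaintext, hmacs), unb64(msg["tag"]))


def demo():
    """Alice -> {Bob, Carol}. Shared secrets and ciphertexts are constructed stand-ins
    (no Curve25519 or AES in the standard library); Bob and Carol verify."""
    ss_ab = hashlib.sha512(b"constructed stand-in for scalarMult(privateKeyA, publicKeyB)").digest()
    ss_ac = hashlib.sha512(b"constructed stand-in for scalarMult(privateKeyA, publicKeyC)").digest()
    plaintext = b"meet at noon" + secrets.token_bytes(64)  # 64 random bytes appended before encryption
    ciphertexts = {"Bob": secrets.token_bytes(len(plaintext)),  # constructed; stands for AES-CTR output
                   "Carol": secrets.token_bytes(len(plaintext))}
    wire = json.dumps(build_message(plaintext, ciphertexts, {"Bob": ss_ab, "Carol": ss_ac}))
    received = json.loads(wire)
    tampered = json.loads(wire)
    tampered["text"]["Carol"]["message"] = b64(bytes(len(plaintext)))  # alter Carol's ciphertext only
    return {
        "bob_ok": verify_hmac("Bob", received, ss_ab),
        "carol_ok": verify_hmac("Carol", received, ss_ac),
        "tag_ok": verify_tag(plaintext, received),
        "bob_detects_tamper": not verify_hmac("Bob", tampered, ss_ab),  # Bob's HMAC covers Carol's ciphertext
    }
```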

Cryptocat 24/42

Conversation Flow: Consider an empty chat room R.

• User A joins R and creates a private key.
• User B joins R and creates a private key.
  A asks for B’s public key and vice versa.
• Once public keys are exchanged, fingerprints are calculated.
• Shared secrets are calculated.
• Message exchange can now begin as described.
• User C joins R and creates a private key.
  C sends its public key to A and B in two separate public-key
  messages. A and B do the same.
• Once A, B and C all have each other’s shared secrets, normal
  messaging continues.
• User B leaves R and destroys his private key.

/ department of mathematics and computer science
Cryptocat 25/42

Disadvantages:
• One-to-one encryption:
    • Many messages in order to exchange keys.
    • Large message sizes with separate encryption for each user.
    • Many HMAC computations for a single message.
• Authentication needs to be re-done for each conversation.
• Forward secrecy only for separate conversations.


Multi-party OTR (mpOTR) 26/42

Introduction:
Based on the paper “Multi-party Off-the-Record Messaging” by Goldberg,
Ustaoğlu, Van Gundy, and Chen.

Setup Phase:
1. Perform an exchange with each member to derive a session id.
2. Do a pairwise, deniable, authenticated key exchange based on
   long-term keys with each member.
3. Use the key exchange to exchange and prove possession of ephemeral
   (thus deniable) signature keys with each member.
4. Perform a separate “group key agreement”, authenticated by the
   signature keys.
5. Attest that everyone is seeing the same thing.


Multi-party OTR (mpOTR) 27/42

Communication Phase:
During the communication phase, members broadcast their messages to
the group by
• encrypting them with the group key and
• signing the ciphertext with their ephemeral signing key pair
  (from step 3 in the Setup Phase).

No forward secrecy during the communication phase!


Multi-party OTR (mpOTR) 28/42

Shutdown Phase:
1. All members agree that there are no more messages in transit.
2. All members calculate the hash of all messages they authored during
   the session, sorted in lexicographical order, and send those to all
   other members.
3. All members receive the hash values of all messages authored by
   other members, and compare those to local values of what they
   originally received.
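The shutdown-phase consistency check (steps 2 and 3 above) as an added Python example; this is illustration code written for this page, not the mpOTR paper's or any implementation's code. The Member class, the length-prefixed SHA-256 transcript digest and the sample messages are assumptions. The constructed session has three members, and the server drops one of Bob's messages on its way to Carol, which the check has to reveal.

```python
import hashlib
from collections import defaultdict

# Constructed model of the mpOTR shutdown phase (not the paper's code): every
# member keeps what it authored and what it received from each other member.

class Member:
    def __init__(self, name):
        self.name = name
        self.authored = []                 # messages this member sent in the session
        self.received = defaultdict(list)  # author name -> messages received from that author

    def send(self, text, deliver_to):
        """Broadcast text; deliver_to lists who actually gets it, so a dropped
        delivery (a faulty or malicious server) is simulated by leaving a peer out."""
        self.authored.append(text)
        for peer in deliver_to:
            peer.received[self.name].append(text)

def transcript_digest(messages):
    """Step 2: hash of all messages, sorted lexicographically.  Each message is
    length-prefixed so that different lists cannot collide after concatenation."""
    h = hashlib.sha256()
    for m in sorted(messages):
        b = m.encode("utf-8")
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()

def shutdown_check(members):
    """Steps 2 and 3: each member announces the digest of what it authored, and
    every other member compares it with the digest of what it received from that
    author.  Returns {(verifier, author): True if consistent, else False}."""
    announced = {m.name: transcript_digest(m.authored) for m in members}
    result = {}
    for verifier in members:
        for author in members:
            if author is verifier:
                continue
            local = transcript_digest(verifier.received[author.name])
            result[(verifier.name, author.name)] = local == announced[author.name]
    return result

def run_demo():
    """Constructed session with three members; the server drops Bob's second
    message on its way to Carol, which the shutdown check must expose."""
    alice, bob, carol = Member("alice"), Member("bob"), Member("carol")
    alice.send("hi all", deliver_to=[bob, carol])
    bob.send("hello", deliver_to=[alice, carol])
    bob.send("meet at noon", deliver_to=[alice])   # never reaches Carol
    carol.send("ok", deliver_to=[alice, bob])
    return shutdown_check([alice, bob, carol])

if __name__ == "__main__":
    for (verifier, author), ok in sorted(run_demo().items()):
        print(f"{verifier} vs {author}: {'consistent' if ok else 'MISMATCH'}")
```

Sorting before hashing makes the digest independent of delivery order, which is why the check exposes dropped, injected or altered messages but says nothing about reordering; the length prefix keeps two different message lists from producing the same byte string.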


Multi-party OTR (mpOTR) 29/42

Disadvantages:
• No implementation, yet?
• Overhead: Setup requires 4N to 12N round-trip messages (N
  participants).
• Ephemeral Session: No perfect forward secrecy within a session;
  the session must be “short”.
• Consistency Surprise: Users only learn at shutdown whether all users
  received all messages.
• Complexity: Protocol and building blocks are complex.

Anybody interested in doing an implementation?


Silent Circle Instant Message Protocol 30/42

Introduction:
• Developed by Vinnie Moscaritolo, Gary Belvin,
  and Phil Zimmermann.
• Was used in Silent Circle’s app “Silent Text”.
• Discontinued on September 28, 2015;
  replaced by the Axolotl key management protocol when merged with the
  app “Silent Phone”.


Silent Circle Instant Message Protocol 31/42

Alice                                                   Bob
x1 = rand()
           hash(g^x1), hmac_{k_{-1}}(g^x1)  ------>
                                                        y1 = rand()
           <------  g^y1, hmac_{k_{-1}}(g^y1)
k1 = kdf(g^(x1 y1))
           g^x1, hmac_{k1}(g^x1)  ------>
                                                        k1 = kdf(g^(x1 y1))
s1 = sas(k1)                                            s1 = sas(k1)
           <------  hmac_{k1}(“CONFIRM”)
           ------  C1 = auth-enc_{k1}(M1)  ------
k2 = hash(k1)                                           k2 = hash(k1)
           ------  C2 = auth-enc_{k2}(M2)  ------
s2 = sas(k2)                                            s2 = sas(k2)

(k_{-1} is the cached secret from the previous session, if any; the
first message commits Alice to g^x1 before she learns g^y1.)
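An added Python model of the handshake above (Commit, DH1, DH2, Confirm) and of the k_{i+1} = hash(k_i) step; it is illustration code written for this page, not Silent Circle's implementation. Assumptions: the Diffie-Hellman group (P = 2^127 - 1, g = 3) is a toy parameter set, kdf and hmac are HMAC-SHA256, the SAS is rendered as 4 symbols from a hash of the key, an all-zero key stands in for a missing cached secret k_{-1}, and AES-CCM is left out. The mitm flag shows what the commitment in the first message buys the defender: a substituted g^x1 in DH2 is rejected by Bob even when no cached secret exists.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only (NOT a secure group).
P = 2**127 - 1
G = 3

def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def kdf(shared: int) -> bytes:
    """kdf(g^(x1 y1)); modelled as HMAC-SHA256 with a fixed label (assumption)."""
    return mac(b"toy-scimp-kdf", i2b(shared))

def sas(k: bytes) -> str:
    """Short authentication string: 4 symbols (20 bits) from a hash of the key.
    Alphabet and length are this example's choice, not the SCIMP encoding."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    v = int.from_bytes(h(b"sas" + k), "big")
    return "".join(alphabet[(v >> (5 * i)) & 31] for i in range(4))

NO_CACHED_SECRET = bytes(32)   # assumption: all-zero k_{-1} when there is no previous session

def handshake(k_prev: bytes = NO_CACHED_SECRET, mitm: bool = False) -> dict:
    """Commit / DH1 / DH2 / Confirm between Alice and Bob.  With mitm=True a
    man-in-the-middle replaces g^x1 in DH2; Bob's commitment check must reject it."""
    # Commit (Alice -> Bob): Alice commits to g^x1 before seeing g^y1.
    x1 = secrets.randbelow(P - 2) + 1
    gx1 = pow(G, x1, P)
    commit = (h(i2b(gx1)), mac(k_prev, i2b(gx1)))
    # DH1 (Bob -> Alice): g^y1, authenticated under the cached secret.
    y1 = secrets.randbelow(P - 2) + 1
    gy1 = pow(G, y1, P)
    dh1 = (gy1, mac(k_prev, i2b(gy1)))
    if not hmac.compare_digest(dh1[1], mac(k_prev, i2b(dh1[0]))):   # Alice checks
        return {"ok": False, "reason": "DH1 mac"}
    k1_alice = kdf(pow(dh1[0], x1, P))
    # DH2 (Alice -> Bob): g^x1 is revealed, now also authenticated under k1.
    dh2 = (gx1, mac(k1_alice, i2b(gx1)))
    if mitm:   # a substituted g^z with a MAC under the k1' the substitute would yield
        z = secrets.randbelow(P - 2) + 1
        gz = pow(G, z, P)
        dh2 = (gz, mac(kdf(pow(gy1, z, P)), i2b(gz)))
    # Bob: DH2 must match the commitment that was sent before g^y1 was chosen.
    if h(i2b(dh2[0])) != commit[0] or not hmac.compare_digest(mac(k_prev, i2b(dh2[0])), commit[1]):
        return {"ok": False, "reason": "commitment"}
    k1_bob = kdf(pow(dh2[0], y1, P))
    if not hmac.compare_digest(dh2[1], mac(k1_bob, i2b(dh2[0]))):
        return {"ok": False, "reason": "DH2 mac"}
    # Confirm (Bob -> Alice): Bob proves he derived the same k1.
    confirm = mac(k1_bob, b"CONFIRM")
    if not hmac.compare_digest(confirm, mac(k1_alice, b"CONFIRM")):   # Alice checks
        return {"ok": False, "reason": "confirm"}
    return {"ok": True, "k1": k1_alice, "sas": sas(k1_alice), "sas_bob": sas(k1_bob)}

def ratchet(k: bytes) -> bytes:
    """k_{i+1} = hash(k_i) for the next message.  The step is one-way: a leaked k_{i+1}
    does not expose k_i, but a leaked k_i exposes every later key of the session."""
    return h(k)

if __name__ == "__main__":
    first = handshake()
    print("sas:", first["sas"], first["sas_bob"])
    print("tampered DH2:", handshake(mitm=True))
    print("k2 prefix:", ratchet(first["k1"]).hex()[:16])
```

The two SAS values returned are what the users compare out-of-band (slide 32); the ratchet function is the reason for the forward-secrecy remark on slide 33: older keys are unrecoverable from the current one, but the current one determines all later keys of the session.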


Silent Circle Instant Message Protocol 32/42

Authentication:
• A cached secret (if available) and a Short Authentication String
  (SAS) are used to authenticate users; the SAS is compared by the
  users out-of-band.

Confidentiality:
• Data exchange is encrypted with AES-CCM (Counter with
  CBC-MAC) with a secret key.

Integrity:
• An authenticated encryption scheme (AES-CCM) is used for all
  encrypted messages.


Silent Circle Instant Message Protocol 33/42

Forward secrecy:
• There are no long-term keys; all keys are ephemeral.
• If an ephemeral encryption key becomes public, no previous messages
  are revealed.
  However, all following messages of that session are affected.


Silent Circle Instant Message Protocol 34/42

Repudiation:
• Bob cannot blame Alice for having sent him a specific message, since
  Bob is in possession of the authenticated-encryption key and thus
  could have written the message himself.
• If Eve gets hold of an encryption key, she cannot prove that either
  Alice or Bob wrote a certain message, for the same reason.
• There are no long-term identity keys; authentication is performed on
  a different channel. Thus, anybody can produce a communication
  transcript and claim to have had a conversation with Bob.


Axolotl Protocol (simplified) 35/42

Introduction:
• Developed by Moxie Marlinspike and Trevor Perrin.
• Used by TextSecure and Signal from Open Whisper Systems.
• Used by WhatsApp (is it?).
• Designed for asynchronous, text-message-like communication:
  Users do not need to be on-line at the same time.


Axolotl Protocol (simplified) 36/42

Alice, aG                                              Bob, bG
ea ← rand()
             ea·G  ------>
             <------  eb·G                             eb ← rand()
r ← kdf(a·ebG || ea·bG || ea·ebG)                      r ← kdf(eb·aG || b·eaG || eb·eaG)
ea ← rand()
(r, c→) ← hkdf_{ea·ebG}(r)
m→ ← hkdf_{c→}(0); c→ ← hkdf_{c→}(1)
             ea·G; C0 = enc_{m→}(M0); hmac_{m→}(C0 || ea·G)  ------>
                                                       (r, c→) ← hkdf_{eb·eaG}(r)
                                                       m→ ← hkdf_{c→}(0); c→ ← hkdf_{c→}(1)
m→ ← hkdf_{c→}(0); c→ ← hkdf_{c→}(1)
             C1 = enc_{m→}(M1); hmac_{m→}(C1)  ------>
                                                       m→ ← hkdf_{c→}(0); c→ ← hkdf_{c→}(1)
                                                       eb ← rand()
                                                       (r, c←) ← hkdf_{eb·eaG}(r)
                                                       m← ← hkdf_{c←}(0); c← ← hkdf_{c←}(1)
             <------  eb·G; C2 = enc_{m←}(M2); hmac_{m←}(C2 || eb·G)
(r, c←) ← hkdf_{ea·ebG}(r)
m← ← hkdf_{c←}(0); c← ← hkdf_{c←}(1)
m→ ← hkdf_{c→}(0); c→ ← hkdf_{c→}(1)                  m← ← hkdf_{c←}(0); c← ← hkdf_{c←}(1)
m← ← hkdf_{c←}(0); c← ← hkdf_{c←}(1)                  m→ ← hkdf_{c→}(0); c→ ← hkdf_{c→}(1)

(c→, m→ are the chain key and message key of the Alice-to-Bob
direction, c←, m← those of the Bob-to-Alice direction; the slide draws
these as arrows over c and m.)


Axolotl Protocol (simplified) 37/42

[Figure: Alice’s key schedule. The root key r sits between a sending
side (chain key c→, message key m→) and a receiving side (chain key c←,
message key m←). The root key is first derived from the three
Diffie-Hellman values a·ebG, ea·bG, ea·ebG and then refreshed from a
fresh ea·ebG at every ratchet step; each refresh yields a new chain key
for one direction, and each chain key yields the message keys of that
direction.]
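The ratchet of slides 36 and 37 as an added Python model, written for this page and not Open Whisper Systems' code. Assumptions: a toy Diffie-Hellman group (P = 2^127 - 1, g = 3) stands in for the curve, so ea·G is written pow(G, ea, P); hkdf and hmac are single HMAC-SHA256 calls; AES-256-CTR is replaced by an HMAC keystream; the Party class and the rule for when a fresh ephemeral key is drawn (whenever the last message came from the peer) are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for the curve: constructed, NOT secure parameters.
P = 2**127 - 1
G = 3

def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")

def prf(key: bytes, data: bytes) -> bytes:
    """Single HMAC-SHA256 call used for the hkdf(.) and hmac(.) of the slides (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CTR: XOR with an HMAC-derived keystream (toy, constructed)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, i.to_bytes(4, "big"))
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

class Party:
    def __init__(self):
        self.id_priv = secrets.randbelow(P - 2) + 1      # a (Alice) or b (Bob)
        self.id_pub = pow(G, self.id_priv, P)             # aG / bG
        self.eph_priv = secrets.randbelow(P - 2) + 1     # ea / eb
        self.eph_pub = pow(G, self.eph_priv, P)           # eaG / ebG
        self.root = self.send_chain = self.recv_chain = None   # r, own chain, peer's chain
        self.peer_eph_pub = None

    def init_root(self, peer_id_pub, peer_eph_pub, initiator):
        """r <- kdf(a*ebG || ea*bG || ea*ebG); Bob computes the same three values in his order."""
        if initiator:
            s = [pow(peer_eph_pub, self.id_priv, P), pow(peer_id_pub, self.eph_priv, P)]
        else:
            s = [pow(peer_id_pub, self.eph_priv, P), pow(peer_eph_pub, self.id_priv, P)]
        s.append(pow(peer_eph_pub, self.eph_priv, P))
        self.root = hashlib.sha256(b"".join(i2b(v) for v in s)).digest()
        self.peer_eph_pub = peer_eph_pub

    def _dh_ratchet(self, shared: int) -> bytes:
        """(r, c) <- hkdf_{shared}(r): the root key is replaced, the new chain key returned."""
        old = self.root
        self.root = prf(i2b(shared), old + b"root")
        return prf(i2b(shared), old + b"chain")

    @staticmethod
    def _step(chain: bytes):
        """m <- hkdf_c(0); c <- hkdf_c(1)."""
        return prf(chain, b"\x00"), prf(chain, b"\x01")

    def send(self, plaintext: bytes):
        """Draw a fresh ephemeral key (DH ratchet) if the peer spoke last, then take
        the next message key from the sending chain."""
        if self.send_chain is None:
            self.eph_priv = secrets.randbelow(P - 2) + 1
            self.eph_pub = pow(G, self.eph_priv, P)
            self.send_chain = self._dh_ratchet(pow(self.peer_eph_pub, self.eph_priv, P))
        m, self.send_chain = self._step(self.send_chain)
        c = xor_stream(m, plaintext)
        return self.eph_pub, c, prf(m, c + i2b(self.eph_pub))    # eG; C; hmac_m(C || eG)

    def receive(self, msg):
        eph_pub, c, tag = msg
        if eph_pub != self.peer_eph_pub:       # peer ratcheted: new root and receiving chain
            self.peer_eph_pub = eph_pub
            self.recv_chain = self._dh_ratchet(pow(eph_pub, self.eph_priv, P))
            self.send_chain = None              # our next message must ratchet as well
        m, self.recv_chain = self._step(self.recv_chain)
        if not hmac.compare_digest(tag, prf(m, c + i2b(eph_pub))):
            raise ValueError("bad hmac")
        return xor_stream(m, c)

def demo():
    """The exchange of slide 36: M0 and M1 from Alice, M2 from Bob, then M3 from Alice."""
    alice, bob = Party(), Party()
    alice.init_root(bob.id_pub, bob.eph_pub, initiator=True)
    bob.init_root(alice.id_pub, alice.eph_pub, initiator=False)
    m0, m1 = alice.send(b"M0"), alice.send(b"M1")
    plain = [bob.receive(m0), bob.receive(m1)]
    m2 = bob.send(b"M2")
    plain.append(alice.receive(m2))
    m3 = alice.send(b"M3")
    plain.append(bob.receive(m3))
    return plain, alice.root == bob.root, m0[0] == m1[0], m3[0] != m0[0]

if __name__ == "__main__":
    print(demo())
```

demo() walks through slide 36: Alice's M0 and M1 share one sending chain and one ephemeral key, Bob's reply M2 carries a new eb·G and moves both root keys forward, and Alice's M3 draws a new ea again. The flags it returns confirm that both parties end on the same root key, that M0 and M1 used the same ephemeral key, and that M3 did not. A leaked chain key lets an attacker derive the message keys of that chain only until the next DH ratchet replaces the root, which is the forward-secrecy property stated on slide 39.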


Axolotl Protocol (simplified) 38/42

Authentication:
• The initial root key is authenticated with the public keys of the
  participants.
• Each root-key refresh is chained to the initial root key;
  authentication is propagated.

Confidentiality:
• Data exchange is encrypted with AES-256 in counter mode with a
  secret key.

Integrity:
• An HMAC is used for all encrypted messages.


Axolotl Protocol (simplified) 39/42

Forward secrecy:
• Breaking long-term identity keys does not reveal any messages.
• Due to the root-key chain, breaking one single “key-exchange”
  (ea, eb) key does not reveal any messages.
• Breaking a message key only reveals the information of a single
  message.
• Revealing a chain key only reveals messages up to the next key
  exchange.
• Seizing a device does not reveal any messages (if they are not stored
  locally); however, possession of the chain key allows decrypting future
  messages, possession of the ephemeral key allows performing future
  root-key refreshes, and possession of the identity key allows
  impersonation.


Axolotl Protocol (simplified) 40/42

Repudiation:
• Bob cannot blame Alice for having sent him a specific message, since
  Bob is in possession of the authentication and encryption key and
  thus could have written the message himself.
• If Eve gets hold of a message key, she cannot prove that either Alice
  or Bob wrote a certain message, for the same reason.
• Anybody can produce a fake transcript of a conversation with Bob
  without ever actually having spoken to him.


Axolotl Protocol (simplified) — Group Chat 41/42

Classical group chat: Server copies messages to N receivers; requires N
copies.

Secure group chat in Cryptocat: Sender individually encrypts message for
each receiver; requires N individual messages and N² pairwise keys in
total.

Optimized secure group chat: Sender encrypts each message with an
individual random key K and encrypts K individually for each receiver;
requires one large and N small messages to the server.
Still requires N² pairwise keys ⟹ reuse individual ratchet keys.

Further optimized secure group chat: reuse K (with ratchet hashing) for
a certain amount of messages or a certain time.
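The group-chat variants above, together with the Cryptocat pairwise scheme of slides 24 and 25, as one added Python example; it is illustration code written for this page, not Cryptocat's or Signal's. Assumptions: aead is a toy encrypt-then-MAC built from HMAC-SHA256 with a 32-byte tag, the pairwise keys are random bytes standing in for the pairwise shared secrets, and message and key sizes are this example's own. upload_bytes returns what the sender hands to the server per message under each scheme; roundtrip checks that a receiver recovers the message in all of them.

```python
import hashlib
import hmac
import os
from itertools import combinations

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(prf(key, b"ks" + nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def aead(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy encrypt-then-MAC (HMAC keystream, 32-byte HMAC tag) standing in for a real AEAD."""
    c = bytes(x ^ y for x, y in zip(data, _keystream(key, nonce, len(data))))
    return c + prf(key, b"tag" + nonce + c)

def aead_open(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    c, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"tag" + nonce + c)):
        raise ValueError("bad tag")
    return bytes(x ^ y for x, y in zip(c, _keystream(key, nonce, len(c))))

def pairwise_keys(members):
    """Cryptocat style: one shared secret per pair of members (random stand-ins here)."""
    return {frozenset(p): os.urandom(32) for p in combinations(members, 2)}

def send_pairwise(sender, members, keys, msg):
    """Secure group chat in Cryptocat: the message is encrypted once per receiver."""
    nonce = os.urandom(12)
    return [(r, nonce, aead(keys[frozenset((sender, r))], nonce, msg))
            for r in members if r != sender]

def send_wrapped_key(sender, members, keys, msg):
    """Optimized: one ciphertext under a random K, plus K wrapped for each receiver."""
    K, nonce = os.urandom(32), os.urandom(12)
    body = aead(K, nonce, msg)
    wraps = [(r, aead(keys[frozenset((sender, r))], nonce, K)) for r in members if r != sender]
    return nonce, body, wraps

class SenderRatchet:
    """Further optimized: K is wrapped once per epoch and then hash-ratcheted per message,
    so an earlier K cannot be recovered from the current one."""
    def __init__(self, K: bytes):
        self.K, self.i = K, 0

    def _advance(self):
        self.K, self.i = hashlib.sha256(self.K).digest(), self.i + 1

    def encrypt(self, msg: bytes):
        nonce = self.i.to_bytes(12, "big")
        blob = aead(self.K, nonce, msg)
        self._advance()
        return nonce, blob

    def decrypt(self, nonce: bytes, blob: bytes) -> bytes:
        plain = aead_open(self.K, nonce, blob)
        self._advance()
        return plain

def upload_bytes(members, msg):
    """Bytes the sender uploads to the server for one message under each scheme."""
    keys, s = pairwise_keys(members), members[0]
    pairwise = sum(len(blob) for _, _, blob in send_pairwise(s, members, keys, msg))
    _, body, wraps = send_wrapped_key(s, members, keys, msg)
    return {"pair_keys": len(keys),
            "pairwise": pairwise,
            "wrapped_key": len(body) + sum(len(w) for _, w in wraps),
            "ratchet_followup": len(body)}   # later messages of an epoch carry no wraps

def roundtrip(members, msg):
    """One receiver recovers msg under each of the three schemes (True per scheme)."""
    keys, s, r = pairwise_keys(members), members[0], members[-1]
    pk = keys[frozenset((s, r))]
    nonce, blob = next((n, b) for who, n, b in send_pairwise(s, members, keys, msg) if who == r)
    ok_pairwise = aead_open(pk, nonce, blob) == msg
    nonce, body, wraps = send_wrapped_key(s, members, keys, msg)
    K = aead_open(pk, nonce, dict(wraps)[r])
    ok_wrapped = aead_open(K, nonce, body) == msg
    tx, rx = SenderRatchet(K), SenderRatchet(K)   # receiver starts from the unwrapped K
    ok_ratchet = all(rx.decrypt(*tx.encrypt(m)) == m for m in (msg, b"second", b"third"))
    return ok_pairwise, ok_wrapped, ok_ratchet

if __name__ == "__main__":
    group = ["A", "B", "C", "D", "E"]
    print(upload_bytes(group, b"x" * 1000), roundtrip(group, b"x" * 1000))
```

With five members and a 1000-byte message the pairwise scheme uploads four full ciphertexts, the wrapped-key scheme one ciphertext plus four 64-byte key wraps, and a ratcheted epoch only the ciphertext for every message after the first; the number of pairwise keys (N(N-1)/2, the N² of the slide) is unchanged by the last two schemes, which is the remaining cost the slide points at.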


Conclusion 42/42

• OTR is the de-facto standard for online chats over XMPP.
• OTR is not suitable for asynchronous, text-message-like
  communication.
• The Axolotl ratchet protocol is widely used in that case.
• “Proper” secure group communication is still an open problem,
  in particular with “proper” ephemeral keys.
