Off-the-Record Communication, or, Why Not To Use PGP


Slides by Su Zhang, Nov 8th, 2010

Differences between Off-the-Record Communication and PGP System
• PGP System
    • Long-lived encryption key
    • Non-repudiable authentication
• Off-the-Record communication
    • Perfect forward secrecy
    • Repudiability (verifiable only to the receiver, not to other people)

What Security Properties Do We Want?
• Encryption -- Hide the content of the conversation
• Perfect Forward Secrecy -- Protect against future compromises
• Authentication -- Make sure the person you are talking to is the right one
• Repudiation -- Make sure the communications are personal and unverifiable to third parties

Why Is It Hard to Guarantee Online Security Properties?
• Compromising a decryption key exposes past and future messages encrypted with that key
• Any third party can verify the identity of the sender by verifying the signature (digital signatures are used by protocols like PGP)

Perfect Forward Secrecy
• Uses short-lived encryption/decryption keys
• Impossible to re-derive from the long-term keys
• No one (including the sender and receiver) can reconstruct the key
• Keys are generated through the Diffie-Hellman key agreement protocol

Cryptographic Primitives Used by OTR
• Digital signatures
• Message Authentication Codes (MAC)
• Malleable encryption (AES)

Digital Signatures
• Long-lived signature keys (acceptable)
• Non-repudiation (undesirable)
• Key compromise won't affect past authentication (since authenticated messages were successfully received)
• The signer can't disclaim the authorship of a message she signed
• Signed messages can be verified by anyone without the signer's cooperation
• Saves a lot of space: $O(n)$ keys (shared secrets need $O(n^2)$ keys)

Message Authentication Code
• A MAC can check the integrity of the message
• Cannot provide non-repudiation (repudiable)
• Two parties can authenticate each other (by using their shared secret) but others can't

Malleable Encryption and Forgeability
• Anyone could have changed the message before it arrived at the receiver's end (or before the attacker got it)
• Modifying some ciphertext can change the meaning of the plaintext even without knowing the encryption key (e.g. stream cipher)
• An attacker could choose another message whose ciphertext has the same length and replace the original with it
• This shows that anyone could have modified the message, so nobody (except Bob) can find any clue about Alice from the message she sent.

The Off-the-Record Messaging Protocol
• Uses the cryptographic primitives mentioned above
• Achieves the aforementioned security properties
• Mainly for low-latency communication protocols

Off-the-Record -- Encryption
• Encryption algorithm: AES (malleable)
• Encryption key
    • Generated through Diffie-Hellman agreement
    • Short-term key (forward secrecy): keys are re-generated frequently

Off-the-Record Message Exchange
• Exchange course
    $A \to B : g^{x_1}$
    $B \to A : g^{y_1}$
    $A \to B : g^{x_2}, E(M_1, k_{11})$
    $B \to A : g^{y_2}, E(M_2, k_{21})$
    $A \to B : g^{x_3}, E(M_3, k_{22})$
• Key construction
    • $g^{x_i y_j}$ is called the shared secret in the DH protocol
    • Encryption key $k_{ij} = H(g^{x_i y_j})$

Off-the-Record -- Forgetting Keys
• A can't forget $x_{i-1}$ and the keys after it until she has received a message encrypted with $x_i$ from B
• A only generates a new key after she has received a reply from B (so A holds at most two keys at a time).
• Send an empty message if one hasn't been sent for a while

Off-the-Record -- Authentication
• At the beginning, digital signatures are used to verify each other's identity.
    $A \to B : Sign(g^{x_1}, k_a), K_A$
    $B \to A : Sign(g^{y_1}, k_b), K_B$
• Then messages encrypted with $H(g^{x_1 y_1})$ can be accepted
• MAC keys are used as the authenticators from then on
• Even if Eve got the encryption key, she still couldn't know the identities of the sender or receiver

Off-the-Record Authentication (cont)
• Subsequent protocol messages: $g^{x_{i+1}}, E(M_k, k_{ij}), MAC(\{g^{x_{i+1}}, E(M_k, k_{ij})\}, H(k_{ij}))$
• MAC key: $H(k_{ij}) = H(H(g^{x_i y_j}))$
• Both the message and the encryption key are authenticated

Revealing MAC keys
• Let everyone use the MAC keys as authenticators. (No one can prove that messages authenticated by these keys are from Alice)
• Messages authenticated with these keys in the past are validated (because these messages were successfully received).

Implementation of OTR - Design
• The Off-the-Record protocol is built on top of an IM protocol
• Incremental deployment
    • A user can use their IM client to communicate with people whether or not they have the security plug-in
• Virtual session
    • Lasts until the client is terminated or after a period of inactivity

Implementation of OTR - Implementation
• IM client: GAIM
    • Can integrate several different IM applications
• API dealing with Off-the-Record
    • Received an encrypted message
    • Received a cleartext message
    • Received an error message
    • Received an ignorable message (doesn't include a user message)

Using OTR on a high-latency application - Email
• Key agreement is impractical
    • The Diffie-Hellman protocol needs both parties to be online
• Solution: ring signatures
    • Any one of a set of people could have produced a signature, but others can't tell which one signed. (Similar to MAC authentication but with less privacy, since the sender is confined to a small range)
• Mitigating the reduced privacy
    • Publish the signature key after all signed messages have been authenticated (make the keys short-term)

Conclusions
• Off-the-Record realizes the ideal security properties
    • Repudiable online communication
    • Perfect forward secrecy
    • Maintains confidentiality and authenticity assurances
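The message format from the "Off-the-Record Message Exchange", "Authentication (cont)" and "Revealing MAC keys" slides, as an added example that is not code from the slides or from any OTR implementation. Assumptions: a toy Diffie-Hellman group, SHA-256 as H, HMAC-SHA256 as the MAC, and a hash-based keystream standing in for AES used as a stream cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy DH parameters (assumption, chosen for brevity); not a vetted group.
P, G = 2**255 - 19, 2

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent
    return x, pow(G, x, P)                    # (x, g^x)

def enc_key(priv: int, peer_pub: int) -> bytes:
    # k_ij = H(g^(x_i * y_j)), the key construction from the slides
    return H(pow(peer_pub, priv, P).to_bytes(32, "big"))

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (malleable): the same call encrypts and decrypts.
    ks = b"".join(H(key + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(mac_key: bytes, next_pub: int, ct: bytes) -> bytes:
    return hmac.new(mac_key, next_pub.to_bytes(32, "big") + ct, hashlib.sha256).digest()

def send(next_pub: int, msg: bytes, k: bytes):
    # (g^x(i+1), E(M, k), MAC({g^x(i+1), E(M, k)}, H(k)))
    ct = stream_xor(k, msg)
    return next_pub, ct, mac(H(k), next_pub, ct)

def verify(packet, mac_key: bytes) -> bool:
    next_pub, ct, tag = packet
    return hmac.compare_digest(tag, mac(mac_key, next_pub, ct))

def rewrite(packet, old: bytes, new: bytes, revealed_mac_key: bytes):
    # A revealed MAC key plus a same-length plaintext guess yields a packet that verifies.
    next_pub, ct, _ = packet
    ct2 = bytes(c ^ o ^ n for c, o, n in zip(ct, old, new))
    return next_pub, ct2, mac(revealed_mac_key, next_pub, ct2)

def demo():
    (x1, gx1), (y1, gy1), (_, gx2) = dh_keypair(), dh_keypair(), dh_keypair()
    k_a, k_b = enc_key(x1, gy1), enc_key(y1, gx1)   # both sides derive k_11
    pkt = send(gx2, b"meet at noon", k_a)           # constructed sample message
    received = verify(pkt, H(k_b)), stream_xor(k_b, pkt[1])
    fake = rewrite(pkt, b"meet at noon", b"meet at nine", H(k_a))
    return k_a == k_b, received, (verify(fake, H(k_b)), stream_xor(k_b, fake[1]))
```

`demo()` returns whether both sides derived the same key, what B verified and decrypted, and what B would see for the rewritten packet; the rewritten packet verifies, so a saved transcript cannot prove who wrote it once the MAC key is public.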

Questions & Discussion
Thank you!
