Hey guys! Cruising around the Axolotl spec recently, I've just stumbled upon one grit constantly disturbing me:

https://whispersystems.org/blog/simplifying-otr-deniability/

The chapter dubbed "Potential Simplifications and Improvements" lists all the gains of replacing OTR's original handshake involving DSA with "Triple DH", involving just both sides' identity keys (A and B) and ephemeral keypairs (a and b). What confuses me is the two following statements:

> Reduced Algorithmic Complexity. We've eliminated DSA and have a nice
> authenticated key exchange that relies solely on the simplicity of
> Diffie-Hellman.
>
> Increased Forgability. Since there are no signatures involved, anyone could
> take A's public key, make up an ephemeral keypair for A ("a" in the diagram
> above), combine that with their own identity key and ephemeral key ("C" and
> "c"), and produce an entire forged transcript - even if they've never had a
> conversation with "A" before. Now anyone is capable of easily producing a
> forged message from anyone else, whether they've actually had a conversation
> with them before or not.

Those two seem kinda mutually exclusive: if we do actually have an authenticated key exchange, then we're losing such a promising statement of deniability, since anyone could authenticate us during the handshake. The other way around, lacking authenticity, we're making ourselves prone to MITM unless there is an established channel to verify public keys.

Have I missed something?

Best regards,
Alexey Kudinkin

_______________________________________________
Messaging mailing list
https://moderncrypto.org/mailman/listinfo/messaging
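The Triple DH exchange quoted in the post, as an added worked example (not code from the original message, the blog post, or the Axolotl/Signal implementation). It runs the three DH computations over a finite-field group (RFC 2409 group 2; the Axolotl spec itself uses Curve25519) with SHA-256 as a stand-in KDF, and checks the two properties the post puts side by side: a live impostor who lacks A's private key cannot match Bob's key (authentication towards the peer who chose a fresh b), while an offline party who chooses every ephemeral value himself derives a key consistent with A's public key (forgeability). Function names and the key-derivation layout are this example's own assumptions.

```python
import hashlib
import secrets

# 1024-bit MODP group (RFC 2409 group 2), generator 2: enough for a demo.
# Axolotl uses Curve25519; the 3-DH logic below is the same for any group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """(private, public) pair; used for both identity and ephemeral keys."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P)

def triple_dh(ident_priv, eph_priv, peer_ident, peer_eph, initiator):
    """key = H(DH(A,b) || DH(a,B) || DH(a,b)); both sides order the parts the same way."""
    if initiator:   # holds A and a, sees B and b
        parts = (dh(ident_priv, peer_eph), dh(eph_priv, peer_ident), dh(eph_priv, peer_eph))
    else:           # holds B and b, sees A and a
        parts = (dh(eph_priv, peer_ident), dh(ident_priv, peer_eph), dh(eph_priv, peer_eph))
    return hashlib.sha256(b"".join(x.to_bytes(128, "big") for x in parts)).digest()

def agreement_holds():
    """Honest run: Alice (A, a) and Bob (B, b) derive the same key."""
    A, A_pub = keypair(); a, a_pub = keypair()
    B, B_pub = keypair(); b, b_pub = keypair()
    return triple_dh(A, a, B_pub, b_pub, True) == triple_dh(B, b, A_pub, a_pub, False)

def impersonation_fails():
    """Authentication: Mallory presents A_pub to Bob but holds only her own M, so the
    DH(A,b) term Bob computes against A_pub is out of her reach; the keys differ."""
    _, A_pub = keypair()                       # Mallory knows only Alice's public key
    M, _ = keypair(); m, m_pub = keypair()
    B, B_pub = keypair(); b, b_pub = keypair()
    bobs_key = triple_dh(B, b, A_pub, m_pub, False)
    mallorys_key = triple_dh(M, m, B_pub, b_pub, True)   # M in place of A
    return bobs_key != mallorys_key

def offline_forgery_is_consistent():
    """Deniability: Charlie, knowing only A_pub, invents "a" for Alice plus his own C, c,
    and derives exactly the key Alice would have derived with that a; no signature ties
    the transcript to her, so it proves nothing about who actually produced it."""
    A, A_pub = keypair()                       # A stays with Alice; Charlie never sees it
    a_fake, a_fake_pub = keypair()             # ephemeral Charlie fabricates "for Alice"
    C, C_pub = keypair(); c, c_pub = keypair()
    forged = triple_dh(C, c, A_pub, a_fake_pub, False)          # responder side, needs no A
    what_alice_would_derive = triple_dh(A, a_fake, C_pub, c_pub, True)
    return forged == what_alice_would_derive
```

The two checks are not in conflict: authentication is towards the live peer, who contributes a fresh b that the impostor cannot combine with A; the forger instead picks both a and c himself, which is exactly why the resulting transcript carries no proof of Alice's involvement.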
