Hey! As suggested by Trevor, we are also sending this over here ;)
I am Sofia from the team that previously sent a draft of the OTRv4 protocol over the OTR-dev mailing list[1]. We, as a team, would like to present the third version of this draft. It has been reviewed by Ian Goldberg and Nik Unger two times in the interim[2]. The draft is at Github[3].

There are many changes in this version as compared with version 3 of the OTR protocol. Just to briefly summarize them:

* Security level raised to 224 bits and based on Elliptic Curve Cryptography (ECC) (using ed448, Goldilocks - huge thanks to Mike Hamburg!).
* Additional protection against transcript decryption in the case of ECC compromise.
* Support for both online and offline conversations.
* Support for an out-of-order network model.
* The following cryptographic primitives and protocols have been updated:
  * Deniable authenticated key exchanges (DAKE) using "DAKE with Zero Knowledge" (DAKEZ) and "Extended Zero-knowledge Diffie-Hellman" (XZDH). DAKEZ corresponds to conversations when both parties are online (interactive) and XZDH to conversations when one of the parties is offline (non-interactive).
  * Key management using the Double Ratchet Algorithm.
  * Upgraded SHA-1 and SHA-2 to SHAKE-256.
  * Switched from AES to XSalsa20.
* Support for different modes in how the specification can be used (OTRv4 only, OTRv4+v3 compatibility mode, OTRv4 interactive only).
* Explicit instructions for producing forged transcripts using the same functions used to conduct honest conversations.

The DAKEs we are using are based upon the ones defined by Nik and Ian in their paper: Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging[4]. Nik will be talking about them at the next PETS[5], if you are interested, or you can check this diagram around them[6].

Previously, there were some comments inquiring whether this was the "official" draft of OTRv4. As we have been closely working with Ian and Nik on this, we consider this an official version 4 of the OTR protocol.
Just for context, this version of the protocol started with a discussion held at the beginning of March, 2015, at the IFF - you can see the report and discussion about that beginning here[7]. This proposal has had two reviews. We briefly held a meeting around it with Ian at Real World Crypto, 2018.

Notice that the draft points to another specification for how a prekey server used for offline conversations works. This specific specification is still a work in progress. But we will finish it soon, and send it along for review ;)

We are sending this in order to get a third review from Nik and Ian, but also to get the opinions, thoughts, discussions and much more from the OTR community and the privacy/security community. This is by no means a finished draft, so we welcome your feedback on it (please, do so). Let's discuss and share our opinions! :)

Thanks and have a very good weekend!

The OTRv4 team

1- https://lists.cypherpunks.ca/pipermail/otr-dev/2018-March/002512.html
2- https://lists.cypherpunks.ca/pipermail/otr-dev/2016-December/002502.html
3- https://github.com/otrv4/otrv4/blob/master/otrv4.md
4- http://cacr.uwaterloo.ca/techreports/2016/cacr2016-06.pdf
5- https://petsymposium.org/2018/paperlist.php
6- https://cs.uwaterloo.ca/~njunger/dake_csdf17_poster_72dpi.png
7- https://lists.cypherpunks.ca/pipermail/otr-dev/2016-March/002447.html

-- 
Sofía Celi (aka cherenkov)
@claucece / @cherenkov_d
EF74 1A5F 5692 E56F 14F6 243C 3992 6144 F89D 996F