Re: [cryptography] Jingle and Otr
On Wed, Aug 21, 2013 at 01:47:33PM +1000, James A. Donald wrote: The Jitsi FAQ https://jitsi.org/Documentation/FAQ says that chat sessions are protected by OTR, which implies that nothing else is. i think before considering using jitsi-s otr: http://lists.jitsi.org/pipermail/users/2013-July/004370.html http://lists.jitsi.org/pipermail/dev/2011-May/001484.html someone needs to contribute a port to otr4j or evaluate their inhouse implementation. -- pgp: https://www.ctrlc.hu/~stef/stef.gpg pgp fp: FD52 DABD 5224 7F9C 63C6 3C12 FC97 D29F CA05 57EF otr fp: https://www.ctrlc.hu/~stef/otr.txt ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Jingle and Otr
Jingle supports voice, video, and text messaging. OTR is a reasonably user friendly encryption system, or at least less user hostile than most, that, unlike skype, does not suffer a central point of failure pidgin supports both jingle and otr, as well as just about everything else in the known universe. Is there any convenient way to communicate by video protected by otr? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Jingle and Otr
https://jitsi.org/Documentation/ZrtpFAQ ZRTP and the GNU ZRTP implementation provide features to communication programs to setup of secure audio and video session without additional infrastructure, server programs, registration, and alike. While this doesn't state outright that Jitsi uses ZRTP for video (it does for voice), I believe it does. From what I read online, the ZRTP protocol only uses encryption schemes that have perfect-forward-secrecy, just like OTR does. 2013/8/21 James A. Donald jam...@echeque.com: Jingle supports voice, video, and text messaging. OTR is a reasonably user friendly encryption system, or at least less user hostile than most, that, unlike skype, does not suffer a central point of failure pidgin supports both jingle and otr, as well as just about everything else in the known universe. Is there any convenient way to communicate by video protected by otr? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Jingle and Otr
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/20/13 8:31 PM, Natanael wrote: https://jitsi.org/Documentation/ZrtpFAQ ZRTP and the GNU ZRTP implementation provide features to communication programs to setup of secure audio and video session without additional infrastructure, server programs, registration, and alike. While this doesn't state outright that Jitsi uses ZRTP for video (it does for voice), I believe it does. Yes, Jitsi uses ZRTP for video. Peter - -- Peter Saint-Andre https://stpeter.im/ -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJSFCbkAAoJEOoGpJErxa2pIZQP/jOZ0GTxE36sDGOfV7xUR3oX trGczSP97kStxZZlEbsdG/P3uiwyMcqsfWwj+iVWJiYW3hwzHRXuWpaGgW/Z0vUL 3EU/536vsis8th2oxLomkunvD6lg4I33Jsxp9fEnx7ru2o6cfx1qRlWAMl0knZBG HxPPMx+/hkERLezAsDOBSTdAw3JsQbY6+gOcvaaBvMnuYA3ouQqeYaT7oOb51Lhj CLtLC4qa4rYq+39yqTM1fEXyMAkK4qX2gcoh2pf+iHMKlnDBkKsbJdcLkSbLbST8 XAWVNQIzMJI9bDaRpcjaMo/rG/wbLi9Nnsn6lsVziDYQSvilTtA+yCRQ5xtHdO6X jS6NQBSW28lTtA9LnTfdkzEiUXBzH8ABbEARTN5EbAJ51Ig8XWblN1l9N7I7dQ36 /Lxw3DHS78G4fwd0w4Hluq8UMsQUOkenBHhJrE5zCd1Yg+WdH1m8VoWn+AeGZpdC S3a7PSxCCIaDAm2yDDBHvgBryraT/+/6QKJaFK/OgD650bXFlIp+Oq4gXkd114Uj IsYomWWFH+NlzMhXOCHBwMthVZ/Koc+BVnaD0UgT+jemFxEmw8F5+q0UmlC2V4bR vG9nHlMq9CZgGqJ2ckIQDXKjRgRyvDk/FLFEIyzHIL26N92XQtkXXNqNoA3TuBYi OdYBIjo6uVSGr/hcE1n1 =GP8S -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Jingle and Otr
On 2013-08-21 12:33 PM, Peter Saint-Andre wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/20/13 8:31 PM, Natanael wrote: https://jitsi.org/Documentation/ZrtpFAQ ZRTP and the GNU ZRTP implementation provide features to communication programs to setup of secure audio and video session without additional infrastructure, server programs, registration, and alike. While this doesn't state outright that Jitsi uses ZRTP for video (it does for voice), I believe it does. Yes, Jitsi uses ZRTP for video. The Jitsi FAQ https://jitsi.org/Documentation/FAQ says that chat sessions are protected by OTR, which implies that nothing else is. In which case, one is better off using skype, where at least only Skype central is ratting you out. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Jingle and Otr
Well, the point here is that ZRTP for video and voice pretty much is functionally equivalent to OTR for IM. OTR is designed for messages, ZRTP is designed for data streams. 2013/8/21 James A. Donald jam...@echeque.com: On 2013-08-21 12:33 PM, Peter Saint-Andre wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/20/13 8:31 PM, Natanael wrote: https://jitsi.org/Documentation/ZrtpFAQ ZRTP and the GNU ZRTP implementation provide features to communication programs to setup of secure audio and video session without additional infrastructure, server programs, registration, and alike. While this doesn't state outright that Jitsi uses ZRTP for video (it does for voice), I believe it does. Yes, Jitsi uses ZRTP for video. The Jitsi FAQ says that chat sessions are protected by OTR, which implies that nothing else is. In which case, one is better off using skype, where at least only Skype central is ratting you out. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Jingle and Otr
On 2013-08-21 2:00 PM, Natanael wrote: Well, the point here is that ZRTP for video and voice pretty much is functionally equivalent to OTR for IM. OTR is designed for messages, ZRTP is designed for data streams. Ah yes, I see: I was thinking of the problem from a text point of view, where cryptographically identifying the right target is hard. In video, not hard. *ZRTP] allows the detection of man-in-the-middle (MiTM) attacks by displaying a short authentication string (SAS) for the users to read and verbally compare over the phone**.* ... But even if the users are too lazy to bother with short authentication strings, we still get reasonable authentication against a MiTM attack, based on a form of key continuity. *It does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to Secure SHell (SSH)*. If you know the face of the person you are talking to, you can surely tell if the right person is speaking the right SAS, which makes the methods used by OTR overkill for video. Since humans are good at live face recognition, this makes it possible to locate the target person by insecure identifiers. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography