-
Notifications
You must be signed in to change notification settings - Fork 14
High level overview
There are two ways Alice can inform Bob that she is willing to use the OTR protocol to speak with him: by sending him the OTR Query Message, or by including a special "tag" consisting of whitespace characters in one of her messages to him. Each method also includes a way for Alice to communicate to Bob which versions of the OTR protocol she is willing to speak with him.
The semantics of the OTR Query Message are that Alice is requesting that Bob start an OTR conversation with her (if, of course, he is willing and able to do so). On the other hand, the semantics of the whitespace tag are that Alice is merely indicating to Bob that she is willing and able to have an OTR conversation with him. If Bob has a policy of "only use OTR when it's explicitly requested", for example, then he would start an OTR conversation upon receiving an OTR Query Message, but would not upon receiving the whitespace tag.
This section outlines the version of the SIGMA protocol used as the AKE. All exponentiations are done modulo a particular 1536-bit prime, and g is a generator of that group, as indicated in the detailed description below. Alice and Bob's long-term authentication public keys are pubA and pubB, respectively.
The general idea is that Alice and Bob do an unauthenticated Diffie-Hellman (D-H) key exchange to set up an encrypted channel, and then do mutual authentication inside that channel.
Bob will be initiating the AKE with Alice.
Bob:
Picks a random value r (128 bits)
Picks a random value x (at least 320 bits)
Sends Alice AESr(gx), HASH(gx)
Alice:
Picks a random value y (at least 320 bits)
Sends Bob gy
Bob:
Verifies that Alice's gy is a legal value (2 <= gy <= modulus-2)
Computes s = (gy)x
Computes two AES keys c, c' and four MAC keys m1, m1', m2, m2' by hashing s in various ways
Picks keyidB, a serial number for his D-H key gx
Computes MB = MACm1(gx, gy, pubB, keyidB)
Computes XB = pubB, keyidB, sigB(MB)
Sends Alice r, AESc(XB), MACm2(AESc(XB))
Alice:
Uses r to decrypt the value of gx sent earlier
Verifies that HASH(gx) matches the value sent earlier
Verifies that Bob's gx is a legal value (2 <= gx <= modulus-2)
Computes s = (gx)y (note that this will be the same as the value of s Bob calculated)
Computes two AES keys c, c' and four MAC keys m1, m1', m2, m2' by hashing s in various ways (the same as Bob)
Uses m2 to verify MACm2(AESc(XB))
Uses c to decrypt AESc(XB) to obtain XB = pubB, keyidB, sigB(MB)
Computes MB = MACm1(gx, gy, pubB, keyidB)
Uses pubB to verify sigB(MB)
Picks keyidA, a serial number for her D-H key gy
Computes MA = MACm1'(gy, gx, pubA, keyidA)
Computes XA = pubA, keyidA, sigA(MA)
Sends Bob AESc'(XA), MACm2'(AESc'(XA))
Bob:
Uses m2' to verify MACm2'(AESc'(XA))
Uses c' to decrypt AESc'(XA) to obtain XA = pubA, keyidA, sigA(MA)
Computes MA = MACm1'(gy, gx, pubA, keyidA)
Uses pubA to verify sigA(MA)
If all of the verifications succeeded, Alice and Bob now know each other's Diffie-Hellman public keys, and share the value s. Alice is assured that s is known by someone with access to the private key corresponding to pubB, and similarly for Bob.
This section outlines the method used to protect data being exchanged between Alice and Bob. As above, all exponentiations are done modulo a particular 1536-bit prime, and g is a generator of that group, as indicated in the detailed description below.
Suppose Alice has a message (msg) to send to Bob.
Alice:
Picks the most recent of her own D-H encryption keys that Bob has acknowledged receiving (by using it in a Data Message, or failing that, in the AKE). Let keyA by that key, and let keyidA be its serial number.
If the above key is Alice's most recent key, she generates a new D-H key (next_dh), to get the serial number keyidA+1.
Picks the most recent of Bob's D-H encryption keys that she has received from him (either in a Data Message or in the AKE). Let keyB by that key, and let keyidB be its serial number.
Uses Diffie-Hellman to compute a shared secret from the two keys keyA and keyB, and generates the sending AES key, ek, and the sending MAC key, mk, as detailed below.
Collects any old MAC keys that were used in previous messages, but will never again be used (because their associated D-H keys are no longer the most recent ones) into a list, oldmackeys.
Picks a value of the counter, ctr, so that the triple (keyA, keyB, ctr) is never the same for more than one Data Message Alice sends to Bob.
Computes TA = (keyidA, keyidB, next_dh, ctr, AES-CTRek,ctr(msg))
Sends Bob TA, MACmk(TA), oldmackeys
Bob:
Uses Diffie-Hellman to compute a shared secret from the two keys labelled by keyidA and keyidB, and generates the receiving AES key, ek, and the receiving MAC key, mk, as detailed below. (These will be the same as the keys Alice generated, above.)
Uses mk to verify MACmk(TA).
Uses ek and ctr to decrypt AES-CTRek,ctr(msg).
While data messages are being exchanged, either Alice or Bob may run SMP to detect impersonation or man-in-the-middle attacks. As above, all exponentiations are done modulo a particular 1536-bit prime, and g1 is a generator of that group. All sent values include zero-knowledge proofs that they were generated according to this protocol, as indicated in the detailed description below.
Suppose Alice and Bob have secret information x and y respectively, and they wish to know whether x = y. The Socialist Millionaires' Protocol allows them to compare x and y without revealing any other information than the value of (x == y). For OTR, the secrets contain information about both parties' long-term authentication public keys, as well as information entered by the users themselves. If x = y, this means that Alice and Bob entered the same secret information, and so must be the same entities who established that secret to begin with.
Assuming that Alice begins the exchange:
Alice:
Picks random exponents a2 and a3
Sends Bob g2a = g1a2 and g3a = g1a3
Bob:
Picks random exponents b2 and b3
Computes g2b = g1b2 and g3b = g1b3
Computes g2 = g2ab2 and g3 = g3ab3
Picks random exponent r
Computes Pb = g3r and Qb = g1r g2y
Sends Alice g2b, g3b, Pb and Qb
Alice:
Computes g2 = g2ba2 and g3 = g3ba3
Picks random exponent s
Computes Pa = g3s and Qa = g1s g2x
Computes Ra = (Qa / Qb) a3
Sends Bob Pa, Qa and Ra
Bob:
Computes Rb = (Qa / Qb) b3
Computes Rab = Rab3
Checks whether Rab == (Pa / Pb)
Sends Alice Rb
Alice:
Computes Rab = Rba3
Checks whether Rab == (Pa / Pb)
If everything is done correctly, then Rab should hold the value of (Pa / Pb) times (g2a3b3)(x - y), which means that the test at the end of the protocol will only succeed if x == y. Further, since g2a3b3 is a random number not known to any party, if x is not equal to y, no other information is revealed.