#766936 [libotr5] Extended description: "Deniability" is not a feature per se

Package:
libotr5
Source:
libotr
Description:
Off-the-Record Messaging library
Submitter:
Filipus Klutiero
Date:
2014-10-31 03:45:10 UTC
Severity:
minor
#766936#5
Date:
2014-10-27 01:22:39 UTC
From:
To:
The extended description contains:

So-called "deniability" is not a feature per se, unless authentication is taken for granted, which is clearly not the case here.

Rather than advertising 2 independant items, these could be merged in a "Deniable authentication" item which would contain both sublists.


By the way, I do not understand what "Anyone can forge messages after a conversation to make them look like they came from you." means.

#766936#10
Date:
2014-10-27 03:08:44 UTC
From:
To:
One reason why I think "deniability" is important as a separate feature
is that it is differentiating in the face of other, similar kinds of
programs.  Most encryption systems are not deniable; in fact, many
systems are not deniable /by design/.  This message, for example, is PGP
signed and is not deniable at all.  Anyone who gets a copy of the
message can verify that I, or someone with control over my private key,
composed and sent this message.  The Pidgin-Encryption plugin similarly
doesn't have deniability built into its threat model at all.

In that context, I think it might be deserving of being listed as its
own feature.

It's part of the deniability feature.  While it's very difficult for an
attacker to forge a signature while the conversation is going on, the
ephemeral key used for signatures is publicly revealed after the
conversation is over.  That means that you could forge any messages, and
theoretically, provide some defense against someone who /did/ manage to
compromise the communication being able to prove that you said what you
said.

#766936#15
Date:
2014-10-28 01:11:27 UTC
From:
To:
A related point is that "forward secrecy" is a secondary property of the underlying encryption system. It makes no sense without encryption (i.e. confidentiality).

Personally, I like to introduce these concepts as "forward-secure confidentiality" and "deniable authentication".

X

#766936#20
Date:
2014-10-28 16:38:47 UTC
From:
To:
Hi,

Ximin Luo wrote (28 Oct 2014 01:11:27 GMT) :

With OTR, users get deniability, which is an important feature for
them. It seems to me that most users don't care at all that
deniability is a secondary property of the underlying authentication
system. If we have to make a choice, I'd rather focus on what is
important from the user PoV. It may be that we don't have to make
a choice, see below.

I suspect that with all this info in hand, someone who cares strongly
about this could come up with a phrasing that:

* structurally, focuses on users' needs, and features they can see
* manages to sneak in the correct terminology that Ximin is proposing,
  somehow

Any taker?

Cheers,

#766936#25
Date:
2014-10-29 00:56:07 UTC
From:
To:
Hi Harlan,

I agree it is an important feature...

I didn't mean it doesn't "deserve" being listed on its own. What I meant is that I consider it a subfeature of authentication, so I find it confusing to see it independent from authentication. Grouping would make it more understandable.

Thank you, I now understand what this sentence is about.

I am not convinced this is a good thing, but for sure the current phrasing is incorrect. According to the technical paper, OTR would merely send the key to the other participant, so only him could forge messages, unless someone captured the message. So the only person who can forge messages after the conversation is the other participant. Since he could already forge messages, that measure does not increase deniability in normal circumstances.

It is also unclear what "after a conversation" means. When does a conversation end? In any case, the technical paper doesn't say keys are revealed after a conversation.

It is confusing to write that "However, _during_ a conversation, your correspondent is assured the messages they see are authentic and unmodified."
While it is true, your correspondent obviously does not lose that assurance after a conversation.

"Deniable authentication" is IMO contradictory. A better term might be "private authentication", for example, meaning you privately authenticate to your correspondent. In any case, we shouldn't simply name the property, we should describe what it provides.

#766936#30
Date:
2014-10-29 09:49:25 UTC
From:
To:
No, that's not quite right; OTR sends the authentication (MAC) key *in
the clear* so that anyone capturing the traffic on the wire can
subsequently modify transcripts however they like.

#766936#35
Date:
2014-10-31 03:41:31 UTC
From:
To:
That's also what I was saying. It is not encrypted, but it has no effect except in cases where the communication is captured.