We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

No evidence of communication and implementing a protocol: Off-the-Record protocol version 4

00:00

Formal Metadata

Title
No evidence of communication and implementing a protocol: Off-the-Record protocol version 4
Subtitle
Version 4 of OTR protocol
Title of Series
Number of Parts
561
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
OTRv4 is the newest version of the Off-The-Record protocol. It is a protocol where the newest academic research intertwines with the real-world implementations. This newest version is one where we are asked to revisit our definitions around deniability (online and offline) and how important they are to the world. It is also one where we must ask ourselves around how usable a protocol has to be in order to be used by real-world people. In this talk we will try to start a discussion around the importance of deniable secure communication, how it integrates with the whole security of a system, and how a user will need it for their normal activities. As we know from past revelations, the Internet has become a place where any action is surveilled and recorded. In the light of this, the OTR protocol was created. But it was created long time ago. In the past years, there have been a increased work on cryptographic primitives, privacy and security notions, and how to incorporate them in a usable way. But these thoughts have not been incorporated yet into projects. OTRv4 is the newest version of the Off-The-Record protocol, which tries to incorporate these new ideas. In this talk, we will give an overview around why deniability matters, how it can be incorporated into protocols, how it is used by real-world people, and how to create a protocol that cares about its users.
Revision controlCommunications protocolTelecommunicationRow (database)Information and communications technologyDigital signalEmulationInstance (computer science)Term (mathematics)Computer configurationImplementationFormal verificationNumerical digitLatent heatArithmetic meanSoftwareState of matterTerm (mathematics)Client (computing)ImplementationInformation privacyMultiplication signScaling (geometry)AlgorithmPoint (geometry)SphereElectronic signatureInformation securityCommunications protocolMereologyCryptographyRatsche <Physik>Category of beingInformationDoubling the cubeDifferent (Kate Ryan album)Elliptic curveRevision controlTelecommunicationCartesian coordinate systemComputer configurationWordNational Institute of Standards and TechnologyReal numberLimit (category theory)Physical systemPerfect groupConfiguration spaceCurveComputer programmingFlow separationField (computer science)Machine visionSide channel attackOrder (biology)Video gameSign (mathematics)Roundness (object)2 (number)Row (database)Set (mathematics)Data conversionFormal verificationVapor barrierBitComputer virusPulse (signal processing)Information and communications technologyQuantumEmailForm (programming)Online chatGame theorySoftware developerPresentation of a groupExpert systemMessage passingMoving averageComputer animation
Communications protocolSigma-algebraPoint (geometry)Duality (mathematics)CryptographySmith chartType theoryCAN busRevision controlAffine spaceUniform resource locatorType theoryMoment (mathematics)Key (cryptography)Different (Kate Ryan album)2 (number)AuthenticationFingerprintCategory of beingBitData conversionSystem identificationFormal verificationPoint (geometry)Message passingArithmetic meanLevel (video gaming)Identity managementElectronic signatureCombinational logicCASE <Informatik>MereologyLatent heatTerm (mathematics)Information securityInternetworkingOrder (biology)Proof theoryRevision controlEncryptionAsynchronous Transfer ModePairwise comparisonTransport Layer SecurityCommunications protocolElliptic curveFitness functionControl flowAlgorithmCryptographyQuantum computerClassical physicsInformationOffice suitePrimitive (album)Uniqueness quantificationSchlüsselverteilungGroup actionInternet service providerMultiplication signSinc functionWeb 2.0Software bugSigma-algebraVideoconferencingDefault (computer science)Maxima and minima
Revision controlCharge carrierMessage passingData modelTelecommunicationLocal GroupEmailImplementationCryptographyRead-only memoryCommunications protocolSemiconductor memoryDisk read-and-write headCommunications protocolAddress spaceServer (computing)CompilerBenchmarkNumberMessage passingData storage deviceLatent heatEndliche ModelltheorieCryptographyElliptic curveImplementationSource code2 (number)SchlüsselverteilungPeer-to-peerSet (mathematics)Limit (category theory)BitClassical physicsInformation securityQubitProgramming languageEncryptionLibrary (computing)Level (video gaming)CodeMultiplication signReal numberClient (computing)Doubling the cubeTerm (mathematics)Software testingFluid staticsMereologyCategory of beingKey (cryptography)Right angleUniqueness quantificationElement (mathematics)Exception handlingAlgorithmCurveRatsche <Physik>Inheritance (object-oriented programming)Primitive (album)Quantum computerOperator (mathematics)Asynchronous Transfer ModeGroup actionArithmetic progressionData conversionOrder (biology)Revision controlInstant MessagingTelecommunicationLink (knot theory)Transportation theory (mathematics)Hash functionCASE <Informatik>Denial-of-service attackQuantumSoftware development kitDegree (graph theory)MathematicsMetropolitan area networkAngleFerry CorstenPrime idealArithmetic meanPlug-in (computing)InformationDescriptive statisticsGreen's functionLine (geometry)Computer animation
Computer animation
Transcript: English(auto-generated)
I have to show like up to 25 minutes. Okay, perfect. If you enter earlier, it's something for questions. Okay. It's up to you. So, hello everyone.
Welcome our next speaker, Sofia Celi and Ola Bini, and their talk about no evidence communication and implementing a protocol of the record protocol version 4.
Hello, hello. Thank you very much. I'm Ola, and yes, as we just said we're going to be talking about OTR version 4. I think we might be winning a prize for the longest title. We are actually here from an NGO called Centro de Autonomia de Guital in Quito, Ecuador. So, we have come pretty far, and we're super happy to be here,
both me and my colleague Sofia. Okay. Hello, my name is Sofia, and as Ola said already, the title of the presentation, I think we don't need introduction around that. But we also wanted to talk a little bit about, in this talk a little bit, why we need the secure messaging, and why is this a problem until this day.
So, for this we first wanted to start with a quote of one of the most famous papers in cryptography by Philip Rogaway, which is called The Moral Character of Cryptographic Work. And he states, most academic cryptographers seems to think that a field is a fun, deep, and political neutral game, a set of puzzles involving communicating parties and notion as adversities. This vision of who we are animates a field whose work is
intellectually impressive and rapidly produced, but also quite inbred and aborts from real world concerns. It is what cryptography should be like, is this is how we should spend the bulk of our intellectual capital. The reason why we decided to build this quote here is because when we are trying to design a protocol, a cryptographic algorithm, a primitive, or whatever it is,
or actually trying to implement it, we oftentimes forget that we are making this for real world users, for people who are going to use it. And sometimes the reason why we create these cryptographic algorithms is because they mean the difference between the life or death of a political activist or a journalist. Something that Philip Rovaway continues in his paper is that
while the cryptographic community have researched a lot around all the kinds of ideas, they have a little bit, not researched so much onto the secure messaging sphere. And we think this is something that we should start thinking in a more crucial way, because one of the reasons why people use the internet and use the digital world is actually to communicate
with each other. They use chat, bloopers, email, and those are all forms of communication. So giving users, clients that are actually not secure, is something that we shouldn't do because actually that's what people are using most of the times. Around this, of course, we also wanted to talk about why we need protocols, because of course you can have
a secure chat messaging application, but if you don't state to the user exactly what is being used, then it's no use for them because they don't know exactly what kind of software they are being given. We need protocols because we need options that actually work. We need to show to the user actually what is happening, what cryptographic algorithm has been chosen, why it's been used, why it was chosen this way.
We need further specification because it's not enough to say that we use elliptic curve cryptography, we use a certain algorithm. We need to state exactly how we use that elliptic curve cryptography, how we take into account several configurations that elliptic curve cryptography takes into account. I don't know, cofactual issues, timing issues,
side channel attacks. We need to also state exactly how different cryptographic algorithms interact with each other. It's not enough to say that you use the double ratchet algorithm in your protocol. It should be stated how the double ratchet algorithm works with the other algorithms your protocol has. We also need probabilities, limitations, and requirements.
Of course we need that because we need to define to the users exactly what we are giving them. If we're going to give a protocol that says that we are giving them an end-to-end point security, then of course we should state in what manner we're giving this. If we're going to say to a user that we're going to give them the ability properties, then we should state which kind of the ability properties and in that what way.
We should also tell them the limitations that our protocol has. For example, in OTR before we had the limitation that we didn't use any post-quantum algorithm because actually any of the post-quantum algorithms that have been chosen in the second round of candidates by the NIST competition has not been actually implemented in a worldwide way. So we shouldn't strive to create a protocol
that says this has a post-quantum algorithm when none of the post-quantum algorithms that exist right now can be deployed at a worldwide scale. And we should also state to them which requirements do they need in order to have the protocol. We also need protocols that update existing definition because big terms get to better define.
Sometimes in the cryptographic community you don't have a term that is well defined. But years later you will have it defined. So you always need to update protocols. The reason that a protocol exists doesn't mean that it's the best protocol or it's the last word of a protocol. It's just said that it matches up with existing cryptographic literature
that exists at that point. And of course we need reviews and verifications. We need ideas from different places and we need implementations. This is all related because we need when we create a protocol not to say that I created and it should be perfect because I created. It should have reviews and verifications from other parties, from different parties, from the software developers, from implementers,
from the cryptographers, from the security experts, et cetera. And we need ideas from different places and this is something that we try to emphasize in OTR before because it's not enough to say that we have protocols that oftentimes always come from the global north. We also need solutions that come from the global south because if you're giving us software for the whole world then the whole world also means the global south.
This is something that we are also very proud actually OTR before was mainly developed in Brazil and Ecuador. And yeah, we need implementations because if you are developing a protocol then of course you need it to show that it actually can be implemented. So actually going back to two points that I think I really want to emphasize and the first one is that this question
of specification is quite interesting. I don't know if anyone in this room has spent any time looking at the specifications that underlie the applications that are used today. For example, typical example would be signal. If anyone tried to implement the signal specification you will find that actually exactly this
is a real problem. It's actually really hard to implement signal and as far as I know most of the people that have tried to implement signal ends up using one of the existing implementations because the specifications that are out there simply doesn't give enough information to specify it. And another part of this is the reason why we need the properties and limitations
and requirements really deeply specified in the specification is that we want it to be possible for the academic community to review the work we have done. And if we don't specify what properties we're actually seeking to achieve, if we're not specific enough about these things it will be very hard for the academic community to look at the work we have done
and tell us hey, you actually do this. You actually do what you set out to do. And this is also one of the things that you will find if you look at the security audits and reviews of many of the existing programs and systems out there such as Telegram, such as Signal and many other that actually it's hard for the academic community to contribute because they can't actually
look at the specifications and see what they're trying to do. Half the work that academics have to do, researchers have to do is to look at the implementations to see wait, okay, they say, I don't know, forward secrecy here but actually they mean something completely different. And at the end of the day that makes it much, much harder and the barrier to entry
for review much trickier. So we forgot to say in the introduction we should have mentioned that we're actually we're leading the current team implementing OTR version four as well. So we're representing the full OTR team and we're implementing it. Now we've talked about a bunch of stuff and maybe we should actually talk a little bit about what OTR is.
So OTR is a protocol that stands for off the record messaging. It was created in 2004 by a team of academics, Ian Goldberg, Nikita Borisov, and Eric Brewer. And the idea was that basically when we're having a conversation in the real world, assuming that there are no recording devices, we can have a conversation, just me and another person.
And you and I, we know that we were talking to each other and we know that the other person said what they said but there is no way for that other person to go away and claim to a third person, hey, Ola said this, and prove it. Of course they can say that I said something but they can't actually prove it.
However, in our current world we have two different situations. We have situations where plain text is being thrown around and of course plain text means that anyone can read it so there is no privacy in those conversations. Or we have situations like with PGP where we're signing all of our stuff in a way that means that anyone can forward a signature to someone else.
And at that point it becomes very, very hard to deny that you said anything. So the idea of OTR is actually that we want something that takes back this middle ground. We want conversations to be like in the real world instead of making them more problematic by giving more evidence that something actually was said.
So OTR gives you authentication, meaning that we know who the other person is that we're talking to. It gives you encryption so that we know that someone else can't actually intercept what we're talking about. And the authentication is done in a deniable way. And we're gonna come back to deniability in a second. In version two there was also another
kind of step forward introduced called the Socialist Millionaires Protocol that allows us to actually verify that the other person is who we think they are by using another means instead of comparing fingerprints. Now comparing fingerprints is still possible but SMP is also another way of doing authentication. Now OTR, since OTR is quite old,
was kind of a trailblazer and inspired many other protocols because this idea of combining authentication with deniability was quite new at that point in time. And we are now in a situation where OTR version three has existed for roughly eight or 10 years and at that point we decided a few years ago
that version four needed to be created for a lot of reasons. We're gonna come back to the reasons why. So basically we have three different parts of this that I've already talked about. We have authentication. In OTR version three it's using an authenticated key exchange using a variant
of something called the Sigma Protocol which is a combination of signatures and MACs to be able to do this deniability. With verification I already mentioned SMP and fingerprint comparison. And finally we have end-to-end encryption where all messages are encrypted but all messages are also authenticated in a deniable way. Okay.
Okay, so around the properties that OTR in general wanted to attain. So of course OTR wanted to attain forward secrecy which means that you should have unique keys with encryption of its message. Yeah, which is break back wall protection which means that forward secrecy is quite related to post compromised security
or what was called in the past backward secrecy which means that even if you compromise one of the message keys, one of the unique keys that was used to encrypt a message you will not be able to decrypt previous or future messages. And why is this important and why does the academics that created OTR decided to have it? Because of course for example in PGP
if you get hold of the long term secret key then people will be able to actually decrypt future and past messages. And we didn't want it to have that in OTR so we did so. A lot of people decided that there will be unique keys for each message and if you get hold of one of them then you will not be able to decrypt past the future messages.
This is post compromised secrecy which I already talked about. Of course, and then of course what is OTR mainly known about? OTR is mainly known about a thing called inability. As all of us already said, this is a quite important property and why it's important to have it in a digital world is because in real conversations you have this property granted by default.
No one can actually say that you said anything unless you are recorded by video and audio. On most countries, not on all countries, but in most countries you will have to get, you will have to accept that you will be recorded by video or by audio if you're saying something into a conversation. But we don't have this in the digital world because actually all over the world when you use the internet you're always recorded.
Some data will exist that will link you to a certain conversation and we don't want that. So that's basically the inability in the terms of OTR. Well it's a common goal for secure messaging. Consider as in you were both accused as Alice of sending a specific message. Just in the judge must decide whether or not he believes that Alice actually did so.
If both can provide evidence that Alice sent the message such as a bi-link cryptographic signature of the message under Alice's long-term key, then we say that the action is non-reputable. Of course this happens in GPG because you actually authenticate the message and anyone can say, oh this digital signature is actually linked to your identity so whatever you said in this is actually you.
We don't want that in OTR. In OTR what we want is that you will have the same identifications you have in GPG but in a way that you can also deny it. There's different types of deniability and this is something we wanted to update it in OTR. We have only an offline message and participation deniability. Message and participation deniability are the easiest to explain because that actually means
that you can deny having sent a message or that you can deny having participated into a conversation. Now online and offline deniability are quite interesting in the sense that offline deniability is the classical deniability we knew from past versions of OTR. Basically means that after a conversation has happened
you can actually deny having said anything because anyone could have forged a transcript afterwards. Online deniability is a new property that is quite important in the sense that during the conversation someone can actually someone can actually try to collude with you in order to make someone say something for you.
So for example something that actually happens with people like me that come from the global south is that you will go to a border and a patrol of the border, an officer of the border will actually ask you to surrender your phone and unlock it. And what they often do is that something they open up your chat application and start messaging with someone else.
This is actually colluding with something you have on your phone to make someone say something that they otherwise would not say. So for example let's say that I'm an activist and that the border is surrounding my phone and they started to talk to other activists so they can get information about these other activists or make them say something
so they can get later prosecuted. So actually giving online deniability means that during that moment that person actually has during that moment a proof that he actually can deny whatever he said during that moment, not after the conversation ended. Okay. Okay, so why version four, right?
As we mentioned already there is a bunch of stuff in OTR version three and everything we've said up until the deniability stuff was in version three. The biggest difference when it comes to deniability just to make this clear is that OTR version three does not have participation deniability and version three does not have online deniability.
Now Sophie just explained online deniability and it's a little bit of a strange concept. It takes a while reading through the papers to understand what it actually means. Participation deniability is a little bit easier. Basically it just means that you can deny that you said anything specific but you cannot deny that you had a conversation.
So if I've had an OTR conversation with Sophie using OTR version three there is digital proof that I actually had that conversation. But there is no digital proof that can't be denied that I said anything specific. Now in some cases this can be important because in some cases having a conversation with a specific individual might be dangerous
or might be something that you can be prosecuted for by itself in certain regimes. So we want all these types of deniability. We've already talked about forward and post-compromise secrecy. These are very important properties that every single property, if you don't have a very specific reason to not have them, every protocol should have them.
This is actually really true, forward secrecy, the last five years has become accepted in most of the world and TLS 1.3, if I remember correctly, actually deprecates the key exchange modes that are not forward secure, which is great. It's a great step forward. But post-compromise security and secrecy is also an important property.
We want to create a higher security level. OTR version 3 is roughly at a level of 80 bits and that's primarily because of the DSA keys used that use a 1,536-bit Diffie-Hellman key as the main key and that's simply too low for comfort at this point. So we are raising the security level
quite significantly to 224 bits. We also needed to update some of the other cryptographic primitives like OTR version 3 has SHA-1 in some places using classic Diffie-Hellman, it's using DSA. All of these algorithms are not really a great fit for 2019.
We also have this a little bit weird situation where we really want elliptic curves because elliptic curves are great. At the same time, elliptic curves can be not so great because there are specific... Okay, so assuming that quantum computers arrive and assuming that they arrive and it takes some time
in how they progress in terms of speed of breaking cryptographic algorithms, you can get into this weird situation where elliptic curves will be faster to break than Diffie-Hellman, classic Diffie-Hellman. And the reason for this is because elliptic curve keys are significantly smaller than classic Diffie-Hellman.
So assuming that the progress of creating qubits is slow enough, we actually could be in a situation where elliptic curves could be broken five years before classic Diffie-Hellman. So we have also added what we call this limited quantum computing transcript description, which kind of helps a little bit for a few years,
hopefully, assuming some of our assumptions are correct. And yeah, we also need a new communication model. When OTR was created, OTR, the first plug-in for OTR was created for a chat client called GAIM. I don't know if anyone remembers it. That was the previous name for Pidgin.
And in 2004, that was kind of like great. There were many protocols, and you could run OTR on top of any one of these protocols. All of these protocols had a few things in common, meaning, for example, all of them were in order. And in general, you could kind of be okay with everything being online. In our world right now, a lot of people use cell phones
and a lot of people come online and offline all the time. And we have transports that are not necessarily guaranteeing in order. So we need OTR to support out of order. We need it to support offline conversations. This has some consequences. Offline conversations lower some of the security properties, specifically when it comes to online deniability.
It's not much, but it's slightly different. And if you want more information, it's all in the specification for that. We also have different modes, which means that for people that really want only the highest secure version of OTR, there is a possibility of implementing that specific restricted mode that actually allows that. And then finally, OTR has always been serverless.
OTR version four will require servers if you want offline capability. For online capability, you don't need servers, but for offline, of course, you need to trust the server to some degree. Actually, this is an interesting situation because obviously, if you're gonna send an offline message,
there has to be some kind of server to store that message. We don't really trust these servers. We're using a pre-key model that is quite similar to what Signal is doing. So the server is only trusted to store these things and then give them out when someone is asking for them. So this server is trusted to not be an asshole
and do denial of service, but except for that, it's not really trusted because it can't actually do anything else. All of these messages are signed and there is no way to actually attack a user using these pre-key messages. Okay, just a little bit about the design, which I will go very fast because we don't have a lot of time.
So yeah, we use a deniable authenticated key exchange. What does this mean? This basically means that you will have a way in which you authenticated each one of the parties in the conversation, the two parties in the conversation, but in a deniable way. We use for these two primitives that is called the XZ and XZDH, the first one for online, the second one for offline.
Of course, we use elliptic curve cryptography and we use ET448 Goldilocks, where we decided to use that and have Daniels burn since 25,119. We decided to go with my hamburger's curve because it gave us a higher security level, the one that we needed. We use also a difficulty element of a size of 3,072
because as Ola already said, we wanted to also have a little bit of extra security in case that elliptic curve cryptography gets broken faster with a quantum computer. We decided to use SHAKE and also XALSA, SHAKE as the hash function, XALSA as encryption algorithm. We use the double ratchet algorithm to derive the unique message keys per each message.
And of course, we have already talked a little bit about this, why we didn't want to post quantum algorithms. Of course, we also have a thing that is called the toolkit. The toolkit is basically a toolkit that actually proves that all of the deniability properties
are actually happening. Why we don't want group chat? Because we wanted to attain certain deniability properties and right now, all of the cryptographic literature has not really attained that deniability properties in a group chat setting. So I just want to expand on the toolkit for one second. You will find a lot of people talking about deniability
and there are specifications out there that talk about these properties in the abstract. That's not really good enough. The idea of the toolkit is to give you a command line tool that will allow you to forge messages. Basically, the idea here is that we don't just say in the specification, hey, it's possible to forge messages. We make it so you have a command line tool
that will allow you to forge messages as simply as using the tool itself. So we can actually show this is actually true. Anyone can do this and by having this toolkit, we're putting it into the real world that anyone can forge messages and that this deniability we're talking about is not just academic. It's real world and anyone in this room could pick up the toolkit and forge messages
for anyone else. It's great fun. Okay, real world implementation super fast. Of course, we're doing the implementations that we first did of OTA before. We did it in C. And of course, implementing something in C has its thoughts.
We also need, during the implementation also, the design of the protocol, we also collaborated along with all of the cryptographers, with Ian Goldberg, with Nick Hunger, with Mike Humber because sometimes we didn't know exactly about some cryptographic algorithms so we needed some kind of advice on that. As I said, we implemented in C.
Why in C? Well, most of the libraries, oftentimes the protocols get implemented in C so later all the libraries in other programming languages can actually be implemented by having the inspiration in C. Of course, working in C has its problem. Of course, you have the memory handling so we have to be very, very careful with that. We used a lot of compiler flags, a lot of address sanitizers from the LLVM foundation.
Of course, we did a static testing client ID and we used Splint. We used Balgrind and various sanitizers. But something that we also tried to incorporate is the idea of the code that has to be readable because sometimes on libraries what happens is the code is huge as spaghetti code
and we try to create actually a code that can be readable and that people can later use it as an inspiration to implement it in whatever, all the programming language. Should we jump to the questions? Yes, and I'm very sorry but we run out of time so questions. In the meantime, links. Whoa, sorry. Here.
Yes, links for anyone that wants to look at the source code and I think maybe we would have time for maybe one or two questions maybe.
Do we have benchmarks in terms of like a peer-to-peer messaging protocol for example? Well, okay. So first of all, we do have messages for, sorry, we have benchmarks in the paper for the AKEs because the authenticated key exchange are kind of the most significant part of this.
They're much more costly and how much time they take. The paper from Nick Unger that actually establishes these has benchmarks comparing lots of the different existing dates in terms of operational costs. In terms of sizes, we know how big the messages are gonna be. That's easy to calculate. I don't have that in my head. And in terms of the actual ratcheting algorithm,
the ratcheting for each message is quite inexpensive in general. I don't have numbers in my head right now but it's quite easy to find out and that's something that we should definitely do. Of course, we also have the benchmarks of the library of the elliptic curve that we're using by my humble.
He already has benchmark from what I remember. And one of the reasons why you use elliptic curve cryptography is actually because this is faster than using a large prime Diffie-Hellman. So by giving the same security level that we wanted to attain. So it's a little bit faster for us in that way. And we're out of time. Thank you. Thank you.