[messaging] Short Auth Strings

[Trevor Perrin]

On Wed, Feb 12, 2014 at 11:24 AM, Brian Warner <warner at lothar.com> wrote:
> On 1/31/14 10:36 AM, Adam Zimmerman wrote:
>
>> OTR used to have something called a session id (IIRC), which was
>> essentially a long version of an SAS. I think they removed it around
>> the same time they started using the Socialist Millionaire Protocol to
>> do shared secret auth, for usability reasons.
>
> Note that a truncated session id (e.g. hash of the session key) is not
> as secure as an interactive SAS. If the attacker knows that you'll only
> be comparing the first N bits of the session-id, then they can (usually)
> compute a bunch of different potential sessions offline, and go with the
> one that yields enough of a collision to pass the comparison test.
>
> SAS, because it's interactive, doesn't enable offline computation: you
> get just one guess, and you get a 2^-N chance of getting it right, no
> matter how fast your CPU is.

That's a good description, but note that the session ID in modern
versions of OTR (v2 and v3) *is* a SAS:

https://moderncrypto.org/mail-archive/messaging/2014/000049.html


> Adding roundtrips can turn a lot of short-string protocols from "only
> secure against slow computers" into "only as secure as the string
> length". SAS is particularly nice for real-world implementors because
> it's just hashes and XOR, none of that fancy modular math :-).

I was thinking of SAS as something used in conjunction with a
Diffie-Hellman key agreement, were you thinking of something
different?

SAS don't add any complex or expensive computation, but do add another
message, which can be painful in some scenarios (e.g. async protocols
like Pond or TextSecure where you don't want a lot of round trips
before parties can communicate).

But I think you're less interested in SAS to authenticate
conversations between remote participants, and more interested in SAS
to authenticate a "pairing" between devices in proximity.  I agree
that's a good use.


Trevor