[messaging] Short Auth Strings

Trevor Perrin trevp at trevp.net
Sun Feb 2 19:48:26 PST 2014

On Fri, Jan 31, 2014 at 10:36 AM, Adam Zimmerman <adam at digitalpirate.ca> wrote:
> On 14-01-31 09:24 AM, Trevor Perrin wrote:
>>  - SAS are maybe useful for text chat, though I'm not sure how much
>> they're used in OTR compared to fingerprints or PAKE (OTR is unusual
>> in having all three options.  Is there any data on which users
>> prefer?)
> OTR used to have something called a session id (IIRC), which was
> essentially a long version of an SAS. I think they removed it around the
> same time they started using the Socialist Millionaire Protocol to do
> shared secret auth, for usability reasons.

Initially OTR's session ID was not a "SAS".  OTR v2 (2005) made it a
64-bit SAS and also introduced the "Socialist Millionaires' Protocol"
for parties to confirm that they share a secret [1].

The Session ID wasn't removed, but I'm not sure it was ever used much.
Most discussions of OTR focus on fingerprints and SMP (e.g. [2,3]).

Perhaps explaining fingerprints and SMP is hard enough, and adding the
Session ID is too complicated?  That matches my sense that SAS are
best for voice and video where the value can be checked "in-band", but
for "out-of-band" checking fingerprints are better, as they can be
checked against business cards, directories, mutual friends, etc.

(And even for in-band checks, Peter and DKG raise good questions about
SAS security.)


[1] https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html
[2] http://www.cypherpunks.ca/~iang/pubs/impauth.pdf
[3] http://www.cypherpunks.ca/~iang/pubs/otr_userstudy.pdf
