[messaging] Short Auth Strings
warner at lothar.com
Wed Feb 12 11:24:00 PST 2014
On 1/31/14 10:36 AM, Adam Zimmerman wrote:
> OTR used to have something called a session id (IIRC), which was
> essentially a long version of an SAS. I think they removed it around
> the same time they started using the Socialist Millionaire Protocol to
> do shared secret auth, for usability reasons.
Note that a truncated session id (e.g. hash of the session key) is not
as secure as an interactive SAS. If the attacker knows that you'll only
be comparing the first N bits of the session-id, then they can (usually)
compute a bunch of different potential sessions offline, and go with the
one that yields enough of a collision to pass the comparison test.
SAS, because it's interactive, doesn't enable offline computation: you
get just one guess, and you get a 2^-N chance of getting it right, no
matter how fast your CPU is.
Adding roundtrips can turn a lot of short-string protocols from "only
secure against slow computers" into "only as secure as the string
length". SAS is particularly nice for real-world implementors because
it's just hashes and XOR, none of that fancy modular math :-).