[messaging] Short Auth Strings

Brian Warner warner at lothar.com
Wed Feb 12 11:24:00 PST 2014

On 1/31/14 10:36 AM, Adam Zimmerman wrote:

> OTR used to have something called a session id (IIRC), which was
> essentially a long version of an SAS. I think they removed it around
> the same time they started using the Socialist Millionaire Protocol to
> do shared secret auth, for usability reasons.

Note that a truncated session id (e.g. hash of the session key) is not
as secure as an interactive SAS. If the attacker knows that you'll only
be comparing the first N bits of the session-id, then they can (usually)
compute a bunch of different potential sessions offline, and go with the
one that yields enough of a collision to pass the comparison test.

SAS, because it's interactive, doesn't enable offline computation: you
get just one guess, and you get a 2^-N chance of getting it right, no
matter how fast your CPU is.

Adding roundtrips can turn a lot of short-string protocols from "only
secure against slow computers" into "only as secure as the string
length". SAS is particularly nice for real-world implementors because
it's just hashes and XOR, none of that fancy modular math :-).


More information about the Messaging mailing list