[messaging] Axolotl: Lacking deniability or MITM?

Alexey Kudinkin alexey.kudinkin at gmail.com
Mon Nov 24 13:47:45 PST 2014

Hey guys!

Cruising around the Axolotl spec recently, I’ve just stumbled upon one piece of grit that constantly disturbs me:

https://whispersystems.org/blog/simplifying-otr-deniability/

The chapter dubbed “Potential Simplifications and Improvements” lists all the gains of replacing OTR’s original handshake involving DSA with “Triple DH”, involving just both sides’ identity keys (A and B) and ephemeral keypairs (a and b).

What confuses me are the two following statements:
> Reduced Algorithmic Complexity. We’ve eliminated DSA and have a nice authenticated key exchange that relies solely on the simplicity of Diffie-Hellman.
> Increased Forgability. Since there are no signatures involved, anyone could take A’s public key, make up an ephemeral keypair for A (“a” in the diagram above), combine that with their own identity key and ephemeral key (“C” and “c”), and produce an entire forged transcript – even if they’ve never had a conversation with “A” before. Now anyone is capable of easily producing a forged message from anyone else, whether they’ve actually had a conversation with them before or not.
Those two seem kinda mutually exclusive: if we do actually have an authenticated key exchange, then we’re losing the so promising statement of deniability, since anyone could authenticate us during the handshake.
The other way around, lacking authenticity, we’re making ourselves prone to MITM unless there is an established channel to verify public keys.

Have I missed something?

Best regards,
Alexey Kudinkin
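
The two properties the message contrasts, worked through as an added example that is not part of the original message or of the Axolotl spec. It assumes a toy multiplicative group in place of Curve25519, a SHA-256 KDF, the term order DH(A, b), DH(a, B), DH(a, b), and hypothetical function names.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): integers mod the prime 2**255 - 19, base 2.
# Only the Diffie-Hellman algebra matters here; all keys below are generated at random.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P)

def kdf(*shared):
    # Assumed KDF: SHA-256 over the three DH outputs in a fixed order.
    return hashlib.sha256(b"".join(s.to_bytes(32, "big") for s in shared)).hexdigest()

def initiator_key(id_priv, eph_priv, peer_id_pub, peer_eph_pub):
    # DH(A, b), DH(a, B), DH(a, b) from the initiator's private keys
    return kdf(dh(id_priv, peer_eph_pub), dh(eph_priv, peer_id_pub), dh(eph_priv, peer_eph_pub))

def responder_key(id_priv, eph_priv, peer_id_pub, peer_eph_pub):
    # The same three values from the responder's private keys
    return kdf(dh(eph_priv, peer_id_pub), dh(id_priv, peer_eph_pub), dh(eph_priv, peer_eph_pub))

def demo():
    A_priv, A_pub = keypair()
    a_priv, a_pub = keypair()
    B_priv, B_pub = keypair()
    b_priv, b_pub = keypair()
    honest = initiator_key(A_priv, a_priv, B_pub, b_pub) == responder_key(B_priv, b_priv, A_pub, a_pub)

    # Deniability: C invents the ephemeral "a" and needs only A's PUBLIC identity key.
    C_priv, C_pub = keypair()
    c_priv, c_pub = keypair()
    fake_a_priv, fake_a_pub = keypair()
    forged = responder_key(C_priv, c_priv, A_pub, fake_a_pub)
    # What a real A would have derived for these public values (comparison only).
    genuine = initiator_key(A_priv, fake_a_priv, C_pub, c_pub)
    deniable = forged == genuine

    # Authentication: M swaps its ephemeral m for b but lacks B_priv and a_priv,
    # so it cannot produce the DH(a, B) term that A mixes into the key.
    M_priv, _ = keypair()
    m_priv, m_pub = keypair()
    a_sees = initiator_key(A_priv, a_priv, B_pub, m_pub)
    m_guess = responder_key(M_priv, m_priv, A_pub, a_pub)
    return honest, deniable, a_sees != m_guess
```

The key authenticates a peer only to the other participant, who could have computed every term alone; a third party shown the public values and the key learns nothing about who took part.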
