[messaging] Value of deniability

Nikita Borisov nikita at illinois.edu
Thu Dec 11 07:40:40 PST 2014

On Thu, Dec 11, 2014 at 9:23 AM, Nadim Kobeissi <nadim at nadim.computer> wrote:
> One clarification:
> Ending conversations in OTR does have everything to do with deniability and specifically forgeabilitty, since the end algorithm publishes information that makes the ended conversation forgeable‎ (and thus 'deniable').
> Forward secrecy in OTR is not thanks to the end step, but rather is provided through a perpetual re-agreement on new session keys as part of the regular messages sent by the two OTR chat participants.

The MACs used to make the transcript forgeable are also published
progressively, but with a delay. You don't have forward secrecy on the
last message you send (i.e., you still keep enough information for
decryption in memory) until you receive a reply from the other end,
which acknowledges the receipt of the next keyid. The next message you
send will include the MAC key from the previous message. The end
message lets you take care of both things.

- Nikita
Nikita Borisov - http://hatswitch.org/~nikita/
Associate Professor, Electrical and Computer Engineering
Tel: +1 (217) 244-5385, Office: 460 CSL

More information about the Messaging mailing list