This weekend I got to meet Ian Goldberg, author of the OTR protocol that I use at home and at work in Gaim/Pidgin/Adium. Ian is a pleasant and wicked smart guy, and our conversation revealed a few interesting things.
First and most importantly, you *must* confirm your friends' OTR keys. It's not just theoretically possible for a server to perform a man-in-the-middle attack: someone has written a Jabber server module to do this. It's plug-and-play. Do not assume that OTR encryption is protecting anything at all unless you have confirmed that the key presented to you really belongs to the person on the other end.
Fortunately, OTR-3.0 makes authentication pretty easy. You don't have to compare key fingerprints anymore; you can use a new mechanism called "the socialist millionaire's protocol". One person asks a question with a secret answer, a shared secret. The other person provides what they think is the answer to that question. If the two people provide the same answer, then they know they are talking to each other. The cool trick is that if the two people *don't* provide the same answer, neither can tell what the other's answer was, just that the answers did not match. You don't ruin the secret by attempting to confirm it. The protocol resists brute force attempts because you get *one* try to get the answer right. If the other person (or the man in the middle) supplies the wrong answer, then the authentication fails. ("The Millionaire's Protocol" allows two millionaires to determine who has more money without revealing the exact amounts of their fortunes. "The Socialist Millionaire's Protocol" allows two millionaires to see if they have the same amount of money without learning who is richer.)
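Here is the SMP exchange described above as an added Python sketch of my own, not libotr's code: a toy 64-bit safe-prime group stands in for OTR's fixed 1536-bit MODP group, the secret is just a SHA-256 of the answer (OTR also mixes in both fingerprints and the session id), and the zero-knowledge proofs that ride along with each real SMP message are omitted. The names `smp`, `safe_prime_group`, `secret_to_int` and `is_prime` are mine.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Miller-Rabin; these bases make it deterministic below 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True

def safe_prime_group(bits: int = 64):
    """Toy group: safe prime p = 2q+1 and g1 = 4, a generator of order q.
    Real OTR uses the fixed 1536-bit MODP group of RFC 3526 instead."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def secret_to_int(answer: str, q: int) -> int:
    # Toy version hashes only the answer; OTR also hashes fingerprints and session id.
    return int.from_bytes(hashlib.sha256(answer.encode()).digest(), "big") % q

def smp(alice_answer: str, bob_answer: str) -> bool:
    """Run SMP between Alice (secret x) and Bob (secret y); True iff x == y.
    Zero-knowledge proofs that accompany each real SMP message are omitted."""
    p, q, g1 = safe_prime_group()
    x, y = secret_to_int(alice_answer, q), secret_to_int(bob_answer, q)
    a2, a3, b2, b3, r, s = (secrets.randbelow(q - 2) + 2 for _ in range(6))
    # SMP1/SMP2 exchange g1^a2, g1^a3 and g1^b2, g1^b3; both sides derive g2, g3.
    g2 = pow(pow(g1, a2, p), b2, p)          # == pow(pow(g1, b2, p), a2, p)
    g3 = pow(pow(g1, a3, p), b3, p)
    # SMP2: Bob commits to y, blinded by r.  SMP3: Alice does the same with x and s.
    Pb, Qb = pow(g3, r, p), pow(g1, r, p) * pow(g2, y, p) % p
    Pa, Qa = pow(g3, s, p), pow(g1, s, p) * pow(g2, x, p) % p
    # Qa/Qb = g1^(s-r) * g2^(x-y): the x-y term survives only if x != y.
    Qa_over_Qb = Qa * pow(Qb, -1, p) % p
    Ra = pow(Qa_over_Qb, a3, p)              # Alice -> Bob (SMP3)
    Rb = pow(Qa_over_Qb, b3, p)              # Bob -> Alice (SMP4)
    # Both sides compare Rab = (Qa/Qb)^(a3*b3) with Pa/Pb = g3^(s-r).
    Pa_over_Pb = Pa * pow(Pb, -1, p) % p
    return pow(Ra, b3, p) == Pa_over_Pb and pow(Rb, a3, p) == Pa_over_Pb
```

Because Qa and Qb carry the secrets multiplied by fresh random blinding factors, a mismatch tells each side only that the answers differed, not what the other side typed.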
Also, it turns out that OTR is a little *more* secure than I thought. I figured that since some of my OTR keys are stored on my employer's servers, they could decrypt any conversations they've logged. This is not actually true, because OTR generates a new D-H key pair for *every* new conversation. The "OTR key" is not used to encrypt; it's only used to prove that the key you're offering is really yours. OTR doesn't save these keys, which means nobody (including you and me) can decrypt the conversation after it's over.
None of this is particularly secret or new; it's just stuff that I didn't realize.