Hardware Reference
In-Depth Information
fies the MAC on a message, he is assured that the sender has the same MAC key as him-
self. In OTR, because Alice and Bob have the same MAC key that is applied to individual
messages, either one of them can create messages to imitate the other. Therefore, neither
of them can prove that they, nor their communicating partner, definitively produced a
message. This provides the repudiation feature in OTR.
The OTR designers incorporate one additional unorthodox feature for a cryptographic sys-
tem: forgeability. OTR is designed so that it is easy to change the ciphertext en route to
produce a meaningful output when the message is decrypted. This can be performed be-
cause the designers chose a malleable encryption scheme using a stream cipher; in OTR's
case, it uses AES-CTR with a 128-bit key length. In stream ciphers, the
meat
of the cipher
is generating a key stream, but the actual encryption is typically performed by applying
the exclusive-OR operation to the plaintext. Decryption is performed with the same
exclusive-OR function applied to the same keystream. An attacker, who can guess the
plaintext of the message, can modify the ciphertext to produce a different plaintext mes-
sage of the same length. Therefore, the messages can be forged.
Note
Exclusive-OR, or XOR, can be used for both encryption and decryption due to its logical
definition: the XOR of A and B is true if and only if either A or B is true. Digital mes-
sages are represented as binary streams. The plaintext of a message is XORed with a key
stream to produce a ciphertext, and when that ciphertext is XORed with the same key
stream, the plaintext is returned. For example, if the plaintext bit is 1 and the key stream
bit is 1, the ciphertext will return 0. When the ciphertext bit, 0, is applied to the keystream
1, the plaintext bit 1 is recovered. The Khan Academy has an interactive and visual series
on XOR in cryptography:
https://www.khanacademy.org/computing/computer-science/
Alice and Bob are still protected from a third party, who doesn't know the MAC key, be-
ing able to tamper with their immediate conversation. However, OTR includes yet another
twist. It publishes the MAC keys of the previous conversation once it has re-keyed to new
MAC keys. Publishing the MAC keys means that anyone who has passively monitored
the conversation can change the ciphertext, and thus, manipulate the plaintext of past mes-
sages. This adds another layer of deniability to the conversation, as any recorded conver-
sation could be easily manipulated and might seem legitimate. Alice and Bob only publish
old
MAC keys, the key currently in use is kept secret until the protocol requires them to
re-key.
