fies the MAC on a message, he is assured that the sender has the same MAC key as himself. In OTR, because Alice and Bob have the same MAC key that is applied to individual messages, either one of them can create messages to imitate the other. Therefore, neither of them can prove that they, nor their communicating partner, definitively produced a message. This provides the repudiation feature in OTR.

The OTR designers incorporate one additional unorthodox feature for a cryptographic system: forgeability. OTR is designed so that it is easy to change the ciphertext en route to produce a meaningful output when the message is decrypted. This is possible because the designers chose a malleable encryption scheme using a stream cipher; in OTR's case, it uses AES-CTR with a 128-bit key length. In stream ciphers, the meat of the cipher is generating a key stream, but the actual encryption is typically performed by applying the exclusive-OR operation to the plaintext. Decryption is performed with the same exclusive-OR function applied to the same key stream. An attacker who can guess the plaintext of the message can modify the ciphertext to produce a different plaintext message of the same length. Therefore, the messages can be forged.

Note

Exclusive-OR, or XOR, can be used for both encryption and decryption due to its logical definition: the XOR of A and B is true if and only if exactly one of A or B is true. Digital messages are represented as binary streams. The plaintext of a message is XORed with a key stream to produce a ciphertext, and when that ciphertext is XORed with the same key stream, the plaintext is returned. For example, if the plaintext bit is 1 and the key stream bit is 1, the ciphertext bit is 0. When the ciphertext bit, 0, is XORed with the key stream bit, 1, the plaintext bit 1 is recovered. The Khan Academy has an interactive and visual series on XOR in cryptography: https://www.khanacademy.org/computing/computer-science/

Alice and Bob are still protected from a third party, who doesn't know the MAC key, being able to tamper with their immediate conversation. However, OTR includes yet another twist. It publishes the MAC keys of the previous conversation once it has re-keyed to new MAC keys. Publishing the MAC keys means that anyone who has passively monitored the conversation can change the ciphertext, and thus manipulate the plaintext of past messages. This adds another layer of deniability to the conversation, as any recorded conversation could be easily manipulated and might seem legitimate. Alice and Bob only publish old MAC keys; the key currently in use is kept secret until the protocol requires them to re-key.
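
The forgeability and published-MAC-key passages above can be traced in a short added example (not code from the book or from any OTR implementation). It assumes a SHA-256 counter keystream as a standard-library stand-in for AES-CTR and HMAC-SHA256 as the MAC; all keys, nonces and messages are constructed values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR (assumption): hash key || nonce || counter per block.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

decrypt = encrypt  # XOR with the same key stream undoes itself

def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, nonce, ciphertext), t)

def rewrite(ciphertext: bytes, known: bytes, replacement: bytes) -> bytes:
    # c' = c XOR p XOR p': no encryption key needed, only a correct guess of p.
    if not len(ciphertext) == len(known) == len(replacement):
        raise ValueError("replacement must match the original length")
    return xor(ciphertext, xor(known, replacement))

def demo() -> dict:
    enc_key, mac_key, nonce = b"E" * 16, b"M" * 20, b"N" * 8  # constructed
    original, altered = b"meet at noon", b"meet at nine"      # constructed
    c = encrypt(enc_key, nonce, original)
    t = tag(mac_key, nonce, c)
    c2 = rewrite(c, original, altered)
    return {
        # Malleability: the altered ciphertext decrypts to the new text.
        "decrypts_to": decrypt(enc_key, nonce, c2),
        # While the MAC key is secret, the original tag rejects the change.
        "live_tag_accepts": verify(mac_key, nonce, c2, t),
        # Once the old MAC key is published, anyone can tag the altered text.
        "published_key_tag_accepts": verify(mac_key, nonce, c2,
                                            tag(mac_key, nonce, c2)),
    }

if __name__ == "__main__":
    print(demo())
```

The middle result is why a live conversation stays tamper-evident, and the last is why a recorded transcript of an old session proves nothing about who wrote it.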