-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Write specification for interaction with prekey server #77
Comments
To be taken into account:
This issue should also check how it is written on the otrv4 protocol and on ADR009 |
We added first version of the diagram. When creating it, some questions came to ours minds:
|
@deniscostadsc you use a DAKEZ with the server, not any DAKE. And you don't use this DAKEZ as defined in the otrv4 protocol (which has user profiles, instance tags, etc) but as defined in Nik's paper. It was probably wrong to call those messages 'Auth-I', etc. |
From discussion with Nik, ;): The prekey server will need some OTRv4-specific prekey server software, so this software can easily generate ephemeral keys for each connection. In the case of the other params needed for DAKEZ:
You can check this paper for examples of interactions with a prekey server, although this does not include a DAKE. Some ideas can also come from 'Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)' (found here), regarding about how to generate the ephemeral keys. Authentication is needed as if not malicious users can perform denial-of-service attacks. But this authentication should not be normal "signing" of the prekey messages, as it will break the deniability of the whole protocol. To preserve it, a DAKE must be used. |
I added the DAKEZ part to the diagram I'd like someone to review it. I'm not sure if the prekey should be described on on OTRv4 spec. Or we should descibe this also here. |
How do I discover which server should I reach to get your key? You are not online and we don't know each other in person?
This answer how ephemeral keys are generated, but I have another question. It's not clear for me how this communication is going to happen in the application layer. Is this going to change depending on the implementation? It's going to be a REST API?
Nik's paper uses I for the participant who starts the DAKEZ and R for the Responder. It seems you mean something different. For example if Bob would like to share secret with the server before put his key their Bob is "I" and server is "R".
I think part of of my question about transport layer is going to be answer. But I'll keep it above. |
Why are you not online when you ask the server for something? When you ask to publish a prekey message, you are "online" with the server, so you can ask anything to it. When you retrieve a message, you are "online" with the server, so you can retrieve a prekey message from it. The server is known by the client you are using.
Yes. Ideally, we shouldn't be as precise as to define that on the spec, but check how TLS manages it. Or the Signal prekey server. I don't know if its going to be a REST API, but that seems something too precise to include on the spec.
On DAKEZ, XZDH, Spawn, etc, there are some parameters which are called "I" and "R" which are not the same as I and R. "I" and "R" are the identifiers for I and R. In the case of the otrv4 spec, this is the user profiles. In the case of the DAKEZ with the prekey server, it can be the what was stated. The "I" and "R" I stated will probably depend on who starts the DAKEZ: if it is the server, then the server is I and has what I stated as "R" as "I"; if the participant starts it, then the participant is I and has what I stated as "I" as "I".
Check how they define it. |
My question was really miswritten. Here it goes again: Bob uses CoyIM as OTRv4 client How Alice knows which server to reach, if the information is described on a client she doesn't use? |
In general, the way a prekey server is discovered will need to be defined in a protocol specific way. For example, I think we need to make it so that an XMPP server will make it possible to say what prekey server to use for that xmpp server. The other alternative, which might be better, is that an xmpp-user has an attribute that can be fetched, that contains the prekey server to use for that user. For example, it might possible to use XMPP pubsub to set a persistent value on a node, associated with a JID, so what you do when wanting to contact a person would be to lookup the "otr_prekey_server" node on the JID you're looking for. But in general, this is going to be different for different networks. |
Also, about naming of messages and participants - it might help reduce confusion if we can rename both the packet names, and the I/R thing |
Yeah, it was only to explain how it is in Nik's paper. But on the spec it should be different (maybe: Alice - Server - Bob). And the identifiers for each one, should state what they are, rather than "I" or "R".
The OTRv4 should only state when you need to interact with the server, basically. The otrv4-prekey-server spec, on contrary, will give the details. When needed, the otrv4 spec can maybe put a link to the prekey-server spec. |
Perfect! |
Yeah I agree. @olabini, @claucece and me already have this discussion and we agreed to leave like that while we have no decision on how this identification ("i" and "R") should be on OTRv4. This confusion prone is already mapped. 👍 |
OTR is suppose to be agnostic to communication protocol. I think this is a tight coupled to XMPP solution that goes against the agnostic feature. |
Yeah, @deniscostadsc - you are completely right. However, the prekey server is the one thing that really can NOT be agnostic. That's one of the reasons why we have it as a separate specification. I have also been thinking about the possibility of making specific specs for each integration - ie "prekey XMPP integration", "prekey Skype integration" etc. |
It makes sense! So I'm going to work with XMPP in mind. |
One thing I realized reading this paper is that Signal users publishes many prekeys (usually 100). This helps to mitigate the problem of all offline communication using the same prekey. If this prekey leaks all offline communication are compromised. Probably we should do something similar. |
Another point about Signal protocol is that they use HTTP-REST API, what increases the complexity of the prekey server. You need at least a HTTP server serving this API. With the mind set of "less code as possible" that could be a problem, Although I like the idea of REST API, because is a common pattern these days. Of course this complexity brought by REST isn't a big problem because this server suppose to holds only public information. |
Do we need a authentication with Alice when she tries to retrieve the prekey message? |
The difference between an Identity message and a Prekey message is that the latter specifically needs a shared prekey and a siganture of it (which is the same, right now, as the signature of the user profile). As discussed with @olabini on the IRC chat, the format (structure) of the prekey message now is going to change because the prekey message will have an user profile and a "prekey-profile" (or whatever its name). An identity message will only have an user profile.
A user profile has an expiration date. There is only one profile during that time until it expires (or there can be two when the first is closed to get expired). Shared prekeys expire with the user profile, long term public keys do not. The prekey message is generated as this:
There should always be valid prekey messages on the prekey server, meaning, prekey messages that do not contain an expired user profile. Nevertheless, this can be on storage:
etc. An user requesting for prekey messages check for the expiration of the user profile in them. If it is expired, the prekey message is invalid.
A shared prekey has an expiration date (it expires when the user profile expires). Therefore, it can be used for multiple prekey messages (until it expires).
The ephemeral keys are not derived from the shared prekey. The private part of it is generated randomly and then the public part is generated by multiplying the private part by the generator. You need a shared prekey because: XZDH (without a shared prekey and a signature) can be vulnerable to an attack where an active adversary modifies the first flow from I to use an adversarially controlled ephemeral key, captures You mitigate this attack by using a signed shared prekey (signed by long-term secret keys) that is reusable and has an expiration date. |
No. Anyone can request prekey messages from the prekey server, because anyone can produce a non-interactive-auth message from it. |
It might be useful to have some kind of deniable authentication anyway, just to make it possible to do rate limiting - but I'm not sure that's a good idea. |
After our discussions we have diccided to change a bit the overview of prekey spec. issue: otrv4/otrv4#77
We evaluate the decisions and justify choices in this ADR. See #77
issue: otrv4/otrv4#77
It was empty issue: otrv4/otrv4#77
also change OTR fingerpint example issue: otrv4/otrv4#77
issue: otrv4/otrv4#77
issue: otrv4/otrv4#77
This still needs some internal revision, but it is done for now. |
This is the specification we refer to in section "Publishing prekey messages" and "Receiving prekey messages" in OTRv4.
The spec should include how many prekeys may be returned.
The text was updated successfully, but these errors were encountered: