OTR interception

[chan] general
May 17 14:27

Thank you. OTR is an overlay protocol; it doesn't run stand-alone, it needs a base layer to send and receive messages. One can run OTR on top of any base protocol that can pass ASCII text both ways: IRC, XMPP, Facebook chat, Twitter, SMS, Skype text chat, even Bitmessage. The leaked document shows an interception of an unspecified base layer (possibly XMPP as it is the most common). If the two targets didn't use OTR, their messages would have been captured in clear as the NSA had full access to the base layer (probably root on the chat server); there was nothing to protect those messages from compromise. However, because the targets did use OTR, the NSA only managed to capture a handshake and a bunch of encrypted messages that they could not decrypt. That was a success for OTR, not a failure. In my next message I will show an OTR conversation that I intercepted myself, without blacked-out text and with full explanations. Stay tuned.

[chan] general
May 17 14:34

thanks. let's keep fucking them nsa troll right in their buttholes

[chan] general
May 17 14:59

Below is an intercept of an OTR conversation carried over a hostile network by my friends Alice and Bob. Lines prefixed with "WIRE" are captured by the hostile agents from the base layer, lines prefixed with "#" are my comments; most of the text is copied verbatim from the protocol specification, available here: https://otr.cypherpunks.ca/ The capture ends with a nice small crypto-puzzle: an encrypted OTR message that anyone can try to decrypt. Here we go:

WIRE: alice->bob ?OTRv2?
# Alice requests an OTR conversation using version 2 of the protocol

WIRE: bob->alice ?OTR:AAICAAAAxPzH9MytTG6JTZRZ359DIpBlGuQUuomTQwNbvb6ix3XriQsZVPRPYr4fCJW6sSa18jq6f87fYgc8o3nft1IStmSeVFwh+MzoxDO2kYCuSE/9b8acCskc4XQJ9TZUuQ4K5AcWClxBOZK9aV5Xxg2Ka+APHbZm+9oewiFFUuiv0lZCselOBPnOM8DwpoSv5MZB59/jQRNWtEq5w9soja6GFoSruXVo5c9eghfjED/VqFtuLgeqq7Ii0PRHNiSHVqWM5WGQNRIAAAAghK2CLUMeZ4fkN3loaAshwvjcb2fKXFhnZYXUUw1wkNA=.
# Bob responds with a D-H Commit Message. This is the first message of the AKE. Bob sends it to Alice to commit to a choice of D-H encryption key (but the key itself is not yet revealed). This allows the secure session id to be much shorter than in OTR version 1, while still preventing a man-in-the-middle attack on it.

WIRE: alice->bob ?OTR:AAIKAAAAwAnblXcALGE5xY5hoDaweWfSNLDO7kAYEMnOuGTkiArIuS0HqaN2a2xx+Ba5goGx1lwxLtOAkcSC8Eepn7oyAafsYTNiRD1M0sCVWQUoucOF3Y0rlSBHLVlmSkkQxZ6V7HZzk1gRQnzxIaDIYM38l2zn2SFbtDuFXEHojcpW/r2ugBLQex8RhefCC8otT+mWbg7mUuxheVqoPx+c6bV3Tmt4A6D4lFS6PadQDcr/0j2UK2y3z30FqVV0F1sQduqzyA==.
# D-H Key Message. This is the second message of the AKE. Alice sends it to Bob, and it simply consists of Alice's D-H encryption key.

WIRE: bob->alice ?OTR: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.
# Reveal Signature Message. This is the third message of the AKE. Bob sends it to Alice, revealing his D-H encryption key (and thus opening an encrypted channel), and also authenticating himself (and the parameters of the channel, preventing a man-in-the-middle attack on the channel itself) to Alice.

WIRE: alice->bob ?OTR: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.
# Signature Message. This is the final message of the AKE. Alice sends it to Bob, authenticating herself and the channel parameters to him.

WIRE: alice->bob ?OTR:AAIDAAAAAAEAAAABAAAAwHmmhp8eSPiFCluVSR8QD1r/Ja47yygqEm2PK640q5bFw1XsOSncSstM/eHnp8QjYBqxc+iu9lnF+v6rKwoec294ak/lfKD/PRkmO7m0tosGvnr9tPmvARvkuotnKeiYpJqJMGLu4lfLyyNgrQaYsG/nAKgPuMCf5NXXOJITvEq6SiCmAS9XH0XCgGHLF8l3sM8ROzEtGZ8KfLnF+3oB+PE9xMwbZbknzkCbYyavYhP/vT0eGukt7UHseDoAhk4u0AAAAAAAAAABAAAAcB0Lga/d+d1o/G4O+jvy93ccOyFB+xuolWQjne1VxoluiaTqLy1DKr/G3og0c3wzGDAB3O2XAXjFSusKbs05YsEbXRlhEgMWAeNNt5cOA1biD9PSNXzdeeDjK+dFbWVhXYVa2OAGPGz03++02EdvkWNkdxjRW2A+RW81qFGEPOmnBsumTQAAAAA=.
# Encrypted Data Message. The NSA can't decrypt it, but Alice tells me that the message was "Oeieaainir e eana ta en hjputfovdett, deo l tce n ugoit xwg l t dehapo xazvakcz zi dtl, d."

WIRE: bob->alice ?OTR:AAIDAAAAAAEAAAACAAAAwPymSJ4vBvWZvgfPsJcNK+dBPQX7T23VPSq2zGK6zxEzJopF0X616M1fJuIRY3OlEZqhEzu03mmfxSaXofGlCs7V41cmiTL8SAg7XtVR+BVqMxElrLKqErDEO+L5c9RlPC1DoK8UiYJxkMDengBXyI+DXsIslAw85JwUsh16TB0RkvKBNDglI+hN/XKcN1urCjIORONBoUXhCWjRckimQFbXrIbd+plBbTRjeewJWJwWoln0ukbr6sDVtYIjlWyfpQAAAAAAAAABAAAAcUl2oQz+oecXOUE0jbSLYYj4142Te9uIUV4TgeXM7eZcc7rdrjYRHF85zM16fn2GAt4fdJb4ul+HgMMbaPJQrf0p6vov1LOdo3GdwYJCM5oWbEdORtnR+g3siIIepaKk1LfoDKP57FVZ4ZfSw4QfEjLV+LUQejw6OoWUMDWcxXJWI/Dj9BIAAAAA.
# Encrypted Data Message. The NSA shouldn't decrypt this either, but if they can, please let us know in the comments.

Once again, in summary:

alice->bob ?OTRv2? # Request OTR
# 4-way handshake (AKE) follows
bob->alice ?OTR:AAICAAAAxPzH9MytTG6JTZRZ... # DHCommit
alice->bob ?OTR:AAIKAAAAwAnblXcALGE5xY5h... # DHKey
bob->alice ?OTR:AAIRAAAAECt+YeyMkiI09YVo... # RevealSig
alice->bob ?OTR:AAISAAAB0klsSKhL3XYprYX2... # Signature
# Good times start here
alice->bob ?OTR:AAIDAAAAAAEAAAABAAAAwHmm... # EncryptedData [No decrypt available]
bob->alice ?OTR:AAIDAAAAAAEAAAACAAAAwPym... # EncryptedData [No decrypt available]

Super executive summary: the 4th letter tells you packet type: C = Commit, K = Key, R = Reveal, S = Signature, D = Data. Almost too easy.

Thanks for reading so far, I hope we've learned something new today. Now let's apply this new knowledge to the leaked PDF, found here: http://www.spiegel.de/media/media-35552.pdf Have fun!
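
Added example, not part of the original post: a short Python parser showing why the "4th letter" rule works and which header fields a base-layer observer can read without any key. The first four base64 characters decode to the 2-byte protocol version plus the 1-byte message type, and a Data message then carries flags, key ids and the length of the next D-H key in clear. The field layout follows the OTR version 2 specification; the function names and dictionary keys are my own, and the inputs are the message prefixes exactly as truncated in the summary above.

```python
import base64
import struct

# Message type bytes defined by the OTR version 2 specification.
OTR_TYPES = {0x02: "DH Commit", 0x0A: "DH Key", 0x11: "Reveal Signature",
             0x12: "Signature", 0x03: "Data"}

def classify(wire):
    """Return (version, type name) using only the first 4 base64 characters."""
    if wire.startswith("?OTRv"):
        return None, "Query"
    if not wire.startswith("?OTR:") or len(wire) < 9:
        raise ValueError("not an encoded OTR message")
    # 4 base64 chars = 3 bytes: 2-byte protocol version + 1-byte message type.
    version, mtype = struct.unpack(">HB", base64.b64decode(wire[5:9]))
    return version, OTR_TYPES.get(mtype, "unknown 0x%02x" % mtype)

def data_header(wire):
    """Cleartext header fields of a v2 Data message (its first 16 bytes)."""
    if classify(wire) != (2, "Data") or len(wire) < 29:
        raise ValueError("not an OTRv2 Data message")
    raw = base64.b64decode(wire[5:29])[:16]  # 24 chars decode to 18 bytes
    _, _, flags, sender, recipient, ylen = struct.unpack(">HBBIII", raw)
    return {"flags": flags, "sender_keyid": sender,
            "recipient_keyid": recipient, "next_dh_key_bytes": ylen}

# Prefixes copied from the summary in the post; "..." marks its truncation.
CAPTURE = [
    ("alice->bob", "?OTRv2?"),
    ("bob->alice", "?OTR:AAICAAAAxPzH9MytTG6JTZRZ..."),
    ("alice->bob", "?OTR:AAIKAAAAwAnblXcALGE5xY5h..."),
    ("bob->alice", "?OTR:AAIRAAAAECt+YeyMkiI09YVo..."),
    ("alice->bob", "?OTR:AAISAAAB0klsSKhL3XYprYX2..."),
    ("alice->bob", "?OTR:AAIDAAAAAAEAAAABAAAAwHmm..."),
    ("bob->alice", "?OTR:AAIDAAAAAAEAAAACAAAAwPym..."),
]

def summarize(capture):
    """List (direction, message type, visible Data header) per captured line."""
    rows = []
    for direction, wire in capture:
        _, name = classify(wire)
        rows.append((direction, name, data_header(wire) if name == "Data" else {}))
    return rows

if __name__ == "__main__":
    for row in summarize(CAPTURE):
        print(row)
```

The 192-byte key length in both Data messages matches the 1536-bit D-H group; the ciphertext that follows those header fields stays opaque to the observer.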

[chan] general
May 17 15:27

hey NSA troll, where are u now ??

[chan3] general
May 17 15:50

I am not NSA troll, dude. I just received your message on general chan. So why are you calling me specifically a troll? {Sorry, I couldn't resist}

[chan3] general
May 17 15:50

Let's apply basic understanding of English language to page 20 of this NSA document from 2012: http://www.spiegel.de/media/media-35535.pdf Now please tell, are you really REALLY sure that NSA can't decrypt OTR at all?

[chan] general
May 17 15:58

u fucken troll ask the wrong question. the question is: why would nsa put in a false statement like "OTR is not decipherable" into that secret document? answer that, u fucken idiot.

[chan3] general
May 17 16:10

There is no such statement in leaked documents, sorry. Of course you can have any religion you need to feel better.

[chan3] general
May 17 16:10

OTR, AES128 and SHA1. Yeah, sounds legit.

[chan] leaks
May 17 16:19

u fucken NSA troll have fucking well understood. now fuck off.

[chan] privacy
May 17 16:25

I concur. of course exploiting those avenues may prove too much work or unattainable even for fucking NSA

[chan] general
May 17 20:20

I am an uneducated fuck, so I'm going to ask a question. Is OTR uncrackable period, or is it a matter of CPU cycles being thrown at it? Can one of those server farms that they (we?) own break a message in 1 minute, 1 day, or 1 decade?

[chan] leaks
May 17 20:34

those nsa fucks will always throw their own excrements and some Chinese made semiconductors at their task and might actually win small salients here or there BUT THE WORLD PEOPLE can NEVER be defeated, so nobody will give a shit, you see ...

[chan] general
May 17 22:17

I should have known I wouldn't get a simple answer.

[chan] general
May 18 04:09

There's no such thing as "uncrackable, period". Cryptography is information disclosure timeshift. No available amount of CPU cycles can realistically "break OTR" in the sense of defeating the cryptographic elements (DH group 5 and AES-128-CTR). In an ideal implementation, this means an acceptable level of uncrackable for most secrecy requirements (tens to hundreds of years). However, most implementations are less than ideal and subject to external weaknesses. For example, the keys can be stolen from your computer's memory by a virus/trojan, or the decrypted messages can be taken from your hard disk. Or the other guy can trade the plaintext chat logs to your adversary. None of these are OTR weaknesses, though. The "vault doors on a tent" metaphor is very apt. Put it this way, if used correctly, OTR can add an extra few hundreds of years to the safety of your conversations. This is enough to save a life, or many.

[chan] general
May 18 05:57

> Put it this way, if used correctly, OTR can add an extra few hundreds of years to the safety of your conversations. This is enough to save a life, or many.

If we used better encryption algorithms with much larger keys and key obfuscation tricks we could add millennia to the security model. Why not, for like a 10% performance hit?

[chan] general
May 18 05:59

If large enough keys were used, with large enough fields or primes (depending on the algorithm) CPU cycles would have nothing to do with cracking a message. Then you would be up against available memory. CPUs could be a billion times faster yet with large enough fields brute force could be thwarted by memory requirements in the yottabytes range potentially for all ages to come.

[chan] general
May 18 07:47

Coming soon in OTRv4, but don't wait for it. Get started with OTRv3 now (even OTRv2, there's nothing wrong with it) and you can upgrade later. https://github.com/otrv4/otrv4/blob/master/otrv4.md

[chan3] general
May 18 11:00

"OTR can add an extra few hundreds of years" Ten, fifteen years at most for civilian cryptography.

[chan3] general
May 18 11:09

My educated guess is that breaking OTR messages is possible in day scale. Using SHA-1 for generating keys and MAC is a really bad idea.

[chan] general
May 18 11:33

well, we asked for the fucking troll to return, did we not

[chan] general
May 18 12:13

This is simply not true (source or gtfo), but assuming that it was, how is the ability to put an extra 15 years between yourself and your attackers with a click of a button a bad thing?

[chan3] general
May 18 12:33

This depends on the value of data. I will be alive in fifteen years, so will my family. In a junta/regime country a decrypted "revolutionary" message means a death sentence. This is why everybody should prefer security measured in thousands of years, not decades.

[chan] general
May 18 12:59

I said an *extra* 15 years. It's a layered approach. You gain some years from Tor, some from TLS, some from OPSEC and so on. You stack imperfect building blocks to achieve a grand total that's high enough for you. Also note that the 15 years would be a nightmare case scenario, assuming a black swan breakthrough in cryptanalysis, in which case we'll all have bigger things to worry about. I did not accept it as a valid estimate of the OTR protocol strength and have challenged it, to no avail.

[chan] general
May 18 19:54

sha1 is broken, broken totally borked
google devs released a whitepaper a few years back on how they broke it
this is why CIA-run Tor project continues to use SHA-1 for .onion address keys

[chan] general
May 18 20:09

they will have reasons, troll.

[chan] general
May 18 20:33

troll? what part of "sha1 is broken" is trolling?

[chan3] general
May 18 20:52

Yes, we all love "some secret reasons" of developers of globally used anonymisation software.

[chan3] privacy
May 19 11:56

Yes, in a platonic ideal world all broken ciphers are unbreakable, because this platonic world knows nothing about implementation errors, backdoored CPUs, infected firmware, side channel attacks and the limitless incompetence of programmers.
