OTR interception

[chan] general
May 17 14:27 [raw]

Thank you. OTR is an overlay protocol; it doesn't run stand-alone, it needs a base layer to send and receive messages. One can run OTR on top of any base protocol that can pass ASCII text both ways: IRC, XMPP, Facebook chat, Twitter, SMS, Skype text chat, even Bitmessage. The leaked document shows an interception of an unspecified base layer (possibly XMPP as it is the most common). If the two targets didn't use OTR, their messages would have been captured in clear as the NSA had full access to the base layer (probably root on the chat server); there was nothing to protect those messages from compromise. However, because the targets did use OTR, the NSA only managed to capture a handshake and a bunch of encrypted messages that they could not decrypt. That was a success for OTR, not a failure. In my next message I will show an OTR conversation that I intercepted myself, without blacked-out text and with full explanations. Stay tuned.

[chan] general
May 17 14:34 [raw]

thanks. let's keep fucking them nsa troll right in their buttholes

[chan] general
May 17 14:59 [raw]

Below is an intercept of an OTR conversation carried over a hostile network by my friends Alice and Bob. Lines prefixed with "WIRE" are captured by the hostile agents from the base layer, lines prefixed with "#" are my comments; most of the text is copied verbatim from the protocol specification, available here: https://otr.cypherpunks.ca/
The capture ends with a nice small crypto-puzzle: an encrypted OTR message that anyone can try to decrypt. Here we go:

WIRE: alice->bob ?OTRv2?
# Alice requests an OTR conversation using version 2 of the protocol

WIRE: bob->alice ?OTR:AAICAAAAxPzH9MytTG6JTZRZ359DIpBlGuQUuomTQwNbvb6ix3XriQsZVPRPYr4fCJW6sSa18jq6f87fYgc8o3nft1IStmSeVFwh+MzoxDO2kYCuSE/9b8acCskc4XQJ9TZUuQ4K5AcWClxBOZK9aV5Xxg2Ka+APHbZm+9oewiFFUuiv0lZCselOBPnOM8DwpoSv5MZB59/jQRNWtEq5w9soja6GFoSruXVo5c9eghfjED/VqFtuLgeqq7Ii0PRHNiSHVqWM5WGQNRIAAAAghK2CLUMeZ4fkN3loaAshwvjcb2fKXFhnZYXUUw1wkNA=.
# Bob responds with a D-H Commit Message. This is the first message of the AKE. Bob sends it to Alice to commit to a choice of D-H encryption key (but the key itself is not yet revealed). This allows the secure session id to be much shorter than in OTR version 1, while still preventing a man-in-the-middle attack on it.

WIRE: alice->bob ?OTR:AAIKAAAAwAnblXcALGE5xY5hoDaweWfSNLDO7kAYEMnOuGTkiArIuS0HqaN2a2xx+Ba5goGx1lwxLtOAkcSC8Eepn7oyAafsYTNiRD1M0sCVWQUoucOF3Y0rlSBHLVlmSkkQxZ6V7HZzk1gRQnzxIaDIYM38l2zn2SFbtDuFXEHojcpW/r2ugBLQex8RhefCC8otT+mWbg7mUuxheVqoPx+c6bV3Tmt4A6D4lFS6PadQDcr/0j2UK2y3z30FqVV0F1sQduqzyA==.
# D-H Key Message. This is the second message of the AKE. Alice sends it to Bob, and it simply consists of Alice's D-H encryption key.

WIRE: bob->alice ?OTR:AAIRAAAAECt+YeyMkiI09YVolBbUoLsAAAHSvVhBo3D42r+32EkgKT/HskAFN5FHijVte4nJRWFRNeuERF0aEmUBy3CtPgol4Hj44ZjuIRrxBKVA65chZoZdSFaQGvLmLT0TfcLJBV5JZL67MelUwgVlhaWu9PqYz7e2XvSDt0NKDjvGcv9qTScx4mRaBHHf6YsVhHzH5pzvNdsVZ1JUn6uPqWLNIUziyraQg9++1lhlyfatgkC4B7g83khWiWBHnmqsK5bj3E6MY3VokDaa/oyBIiioUG0036v4K2EZRoZHuCGhGq5PFWJFzyVzAuxF7gd4rlBwpaJQ7em739mkCej2aQvq2hUiO/q2tmdH2geAYRinoQTZN99RGt7z0lNK4OkksH3cMPSCK6G8RGbhhRwmSvTLjBgiKGkCtonWoH1afvvNlE+CXGiYsKYJycXlaS1z2S5zwSByrDPcqeRSAPsCoT6xdDmfVQ8fHqTVXZ0kSl6Oi9NQpcjJz1ZD6TBuueLIv8QBiCNysaZL9xWiQBmnN2m2ZvWpcF8eRkwsZ6w7MUnpfTt5VfZHkFGswAhUURO1TLKvjnhPqo+BZpCuZXF9mNjdUK32ioHKkLQ0PhaYavVYb7b72MhVghXW/8v5iiAKTGgsTO2z3QKQ5fpS46UFF2ay2B3emi25ke7hmXWO.
# Reveal Signature Message. This is the third message of the AKE. Bob sends it to Alice, revealing his D-H encryption key (and thus opening an encrypted channel), and also authenticating himself (and the parameters of the channel, preventing a man-in-the-middle attack on the channel itself) to Alice.

WIRE: alice->bob ?OTR:AAISAAAB0klsSKhL3XYprYX2v5FTak3qbVzaUGcyBGkeNip54McgfOGHqCzWTSV/ypZsaH9rPuw4wR0Vn8u9wYfa7HXBPXzCDMXtWPnLAmifKzR9PprAmuhjAYmv07NSXI53OEfQ7ob8Y4j8a6FmC35lvaDkjOmGW7Xk/fwj0lNChlc8Wvb4RPpeHuquQ54V5LPxTvGhkKvFAd0NfWCpT46x6No0DPk6LhU2LaHxT2uEDZdlAXYB4Ou6w4SRye46htHQQD4tvHcAIoajNvS0grZpnL1rZC7NOYoQCqHzI1RfQ/iU0Qg9ynGZI6HPH52UJMKaS1EzPiSSep+Ui8UxpHZzcT5C5zeljiiNjQxpULoe16C/dwKxvGg0uK6cu0dpItViGg50Hcf5VPlYBA1Bv7ivRt+oFWJPhFPR161DtXrEIm6aWaEzTzdeFD7C199SQ1FCf/Hp2RAsegD8rtdBl0C7vptcMSp/TRSvJpSXQ0kxcDJpGg30y3+MFVdq/PIeDdjWA6q9R0VfnKKtC1aqYtwRrmL1y1eZG4ri/UtU++YTac8exHyBtR87ys9PofIcSUK+kr8PxSFt8mK9yVf9xIJxrlumh20fnqKGwA84zTLQEvjIBjpFiHwmDSoBHrge9WIcsqVw+ItdN3ucSw==.
# Signature Message. This is the final message of the AKE. Alice sends it to Bob, authenticating herself and the channel parameters to him.

WIRE: alice->bob ?OTR:AAIDAAAAAAEAAAABAAAAwHmmhp8eSPiFCluVSR8QD1r/Ja47yygqEm2PK640q5bFw1XsOSncSstM/eHnp8QjYBqxc+iu9lnF+v6rKwoec294ak/lfKD/PRkmO7m0tosGvnr9tPmvARvkuotnKeiYpJqJMGLu4lfLyyNgrQaYsG/nAKgPuMCf5NXXOJITvEq6SiCmAS9XH0XCgGHLF8l3sM8ROzEtGZ8KfLnF+3oB+PE9xMwbZbknzkCbYyavYhP/vT0eGukt7UHseDoAhk4u0AAAAAAAAAABAAAAcB0Lga/d+d1o/G4O+jvy93ccOyFB+xuolWQjne1VxoluiaTqLy1DKr/G3og0c3wzGDAB3O2XAXjFSusKbs05YsEbXRlhEgMWAeNNt5cOA1biD9PSNXzdeeDjK+dFbWVhXYVa2OAGPGz03++02EdvkWNkdxjRW2A+RW81qFGEPOmnBsumTQAAAAA=.
# Encrypted Data Message. The NSA can't decrypt it, but Alice tells me that the message was "Oeieaainir e eana ta en hjputfovdett, deo l tce n ugoit xwg l t dehapo xazvakcz zi dtl, d."

WIRE: bob->alice ?OTR:AAIDAAAAAAEAAAACAAAAwPymSJ4vBvWZvgfPsJcNK+dBPQX7T23VPSq2zGK6zxEzJopF0X616M1fJuIRY3OlEZqhEzu03mmfxSaXofGlCs7V41cmiTL8SAg7XtVR+BVqMxElrLKqErDEO+L5c9RlPC1DoK8UiYJxkMDengBXyI+DXsIslAw85JwUsh16TB0RkvKBNDglI+hN/XKcN1urCjIORONBoUXhCWjRckimQFbXrIbd+plBbTRjeewJWJwWoln0ukbr6sDVtYIjlWyfpQAAAAAAAAABAAAAcUl2oQz+oecXOUE0jbSLYYj4142Te9uIUV4TgeXM7eZcc7rdrjYRHF85zM16fn2GAt4fdJb4ul+HgMMbaPJQrf0p6vov1LOdo3GdwYJCM5oWbEdORtnR+g3siIIepaKk1LfoDKP57FVZ4ZfSw4QfEjLV+LUQejw6OoWUMDWcxXJWI/Dj9BIAAAAA.
# Encrypted Data Message. The NSA shouldn't decrypt this either, but if they can, please let us know in the comments.

Once again, in summary:

alice->bob ?OTRv2?                              # Request OTR
# 4-way handshake (AKE) follows
bob->alice ?OTR:AAICAAAAxPzH9MytTG6JTZRZ...     # DHCommit
alice->bob ?OTR:AAIKAAAAwAnblXcALGE5xY5h...     # DHKey
bob->alice ?OTR:AAIRAAAAECt+YeyMkiI09YVo...     # RevealSig
alice->bob ?OTR:AAISAAAB0klsSKhL3XYprYX2...     # Signature
# Good times start here
alice->bob ?OTR:AAIDAAAAAAEAAAABAAAAwHmm...     # EncryptedData [No decrypt available]
bob->alice ?OTR:AAIDAAAAAAEAAAACAAAAwPym...     # EncryptedData [No decrypt available]

Super executive summary: the 4th letter tells you the packet type: C = Commit, K = Key, R = Reveal, S = Signature, D = Data. Almost too easy.
Thanks for reading so far, I hope we've learned something new today. Now let's apply this new knowledge to the leaked PDF, found here: http://www.spiegel.de/media/media-35552.pdf Have fun!
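The header layout the post above walks through, as an added example that is not part of the original post, of the OTR specification, or of any OTR implementation: a small Python parser for the fixed header of OTR encoded messages, run over prefixes of the six captured WIRE messages. The prefixes are copied from the capture above; only the leading bytes are needed, because every field decoded here precedes the variable-length data. The parser also confirms the "4th letter" rule, which holds because the 4th base64 character carries exactly the low six bits of the message-type byte. The instance-tag skip for protocol version 3 goes beyond the capture and is taken from the version 3 specification; the version 2 capture never exercises it.

```python
import base64
import struct

# Message type bytes from the OTR v2 specification (https://otr.cypherpunks.ca/).
MSG_TYPES = {
    0x02: "DH Commit",
    0x0a: "DH Key",
    0x11: "Reveal Signature",
    0x12: "Signature",
    0x03: "Data",
}

# Prefixes of the six encoded messages from the capture above (copied from the
# WIRE lines, truncated at a 4-character base64 boundary).  Every field parsed
# below lives in the first 16 bytes, so a prefix is sufficient.
CAPTURE = [
    ("bob->alice", "?OTR:AAICAAAAxPzH9Myt"),
    ("alice->bob", "?OTR:AAIKAAAAwAnblXcA"),
    ("bob->alice", "?OTR:AAIRAAAAECt+YeyM"),
    ("alice->bob", "?OTR:AAISAAAB0klsSKhL"),
    ("alice->bob", "?OTR:AAIDAAAAAAEAAAABAAAAwHmm"),
    ("bob->alice", "?OTR:AAIDAAAAAAEAAAACAAAAwPym"),
]


def parse_otr_header(wire: str) -> dict:
    """Decode the fixed header of an OTR encoded message ('?OTR:' + base64 + '.').

    Returns the protocol version, the message type, the '4th letter' of the
    base64 body, and the first length-prefixed field after the header,
    interpreted according to the message type.  Version 3 messages carry two
    4-byte instance tags right after the type byte; those are skipped.
    """
    if not wire.startswith("?OTR:"):
        raise ValueError("not an OTR encoded message")
    body = wire[len("?OTR:"):].rstrip(".")
    raw = base64.b64decode(body[: len(body) - len(body) % 4])
    if len(raw) < 3:
        raise ValueError("prefix too short for a header")
    version, msg_type = struct.unpack(">HB", raw[:3])
    if version not in (2, 3):
        raise ValueError(f"unsupported OTR version {version}")
    offset = 3 if version == 2 else 3 + 8  # v3: sender + receiver instance tags
    info = {
        "version": version,
        "type": MSG_TYPES.get(msg_type, f"unknown 0x{msg_type:02x}"),
        "type_letter": body[3],  # base64 char 4 == low 6 bits of the type byte
    }
    need = 13 if msg_type == 0x03 else 4
    if len(raw) < offset + need:
        raise ValueError("prefix too short for this message type")
    if msg_type == 0x03:
        # Data: flags (BYTE), sender keyid (INT), recipient keyid (INT), DH y (MPI)
        flags, sender_keyid, recipient_keyid, y_len = struct.unpack(
            ">BIII", raw[offset:offset + 13])
        info.update(flags=flags, sender_keyid=sender_keyid,
                    recipient_keyid=recipient_keyid, dh_pubkey_bits=y_len * 8)
    else:
        (length,) = struct.unpack(">I", raw[offset:offset + 4])
        if msg_type == 0x02:
            # Encrypted g^x: AES-CTR over an MPI (4-byte length + the number)
            info["dh_pubkey_bits"] = (length - 4) * 8
        elif msg_type == 0x0a:
            info["dh_pubkey_bits"] = length * 8       # g^y sent as a plain MPI
        elif msg_type == 0x11:
            info["revealed_key_bits"] = length * 8    # key r that encrypted g^x
        elif msg_type == 0x12:
            info["encrypted_sig_len"] = length        # encrypted X_A || sig_A
    return info


def summarize_capture(capture):
    """Parse every message of a capture and attach its direction to the result."""
    return [dict(parse_otr_header(wire), direction=direction)
            for direction, wire in capture]


if __name__ == "__main__":
    for m in summarize_capture(CAPTURE):
        print(m)
```

Run as-is, the script prints one dict per captured message: both D-H public values are 1536-bit (DH group 5, as stated later in the thread), the Reveal Signature message discloses a 128-bit key, the Signature message carries a 466-byte encrypted blob, and the two Data messages use key ids (1,1) and (1,2), consistent with Bob having rotated to a fresh D-H key after the AKE.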

[chan] general
May 17 15:27 [raw]

hey NSA troll, where are u now ??

[chan3] general
May 17 15:50 [raw]

I am not NSA troll, dude. I just received your message on general chan. So why are you calling me specifically a troll? {Sorry, I couldn't resist}

[chan3] general
May 17 15:50 [raw]

Let's apply a basic understanding of the English language to page 20 of this NSA document from 2012: http://www.spiegel.de/media/media-35535.pdf Now please tell, are you really REALLY sure that the NSA can't decrypt OTR at all?

[chan] general
May 17 15:58 [raw]

u fucken troll ask the wrong question. the question is: why would nsa put a false statement like "OTR is not decipherable" into that secret document? answer that, u fucken idiot.

[chan3] general
May 17 16:10 [raw]

There is no such statement in leaked documents, sorry. Of course you can have any religion you need to feel better.

[chan3] general
May 17 16:10 [raw]

OTR, AES128 and SHA1. Yeah, sounds legit.

[chan] leaks
May 17 16:19 [raw]

u fucken NSA troll have fucking well understood. now fuck off.

[chan] privacy
May 17 16:25 [raw]

I concur. of course exploiting those avenues may prove too much work or unattainable even for fucking NSA

[chan] general
May 17 20:20 [raw]

I am an uneducated fuck, so I'm going to ask a question. Is OTR uncrackable period, or is it a matter of CPU cycles being thrown at it? Can one of those server farms that they (we?) own break a message in 1 minute, 1 day, or 1 decade?

[chan] leaks
May 17 20:34 [raw]

those nsa fucks will always throw their own excrements and some Chinese made semiconductors at their task and might actually win small salients here or there BUT THE WORLD PEOPLE can NEVER be defeated, so nobody will give a shit, you see ...

[chan] general
May 17 22:17 [raw]

I should have known I wouldn't get a simple answer.

[chan] general
May 18 04:09 [raw]

There's no such thing as "uncrackable, period". Cryptography is information disclosure timeshift. No available amount of CPU cycles can realistically "break OTR" in the sense of defeating the cryptographic elements (DH group 5 and AES-128-CTR). In an ideal implementation, this means an acceptable level of uncrackable for most secrecy requirements (tens to hundreds of years). However, most implementations are less than ideal and subject to external weaknesses. For example, the keys can be stolen from your computer's memory by a virus/trojan, or the decrypted messages can be taken from your hard disk. Or the other guy can trade the plaintext chat logs to your adversary. None of these are OTR weaknesses, though. The "vault doors on a tent" metaphor is very apt. Put it this way, if used correctly, OTR can add an extra few hundreds of years to the safety of your conversations. This is enough to save a life, or many.

[chan] general
May 18 05:57 [raw]

> Put it this way, if used correctly, OTR can add an extra few hundreds of years to the safety of your conversations. This is enough to save a life, or many.

If we used better encryption algorithms with much larger keys and key obfuscation tricks we could add millennia to the security model. Why not, for like a 10% performance hit?

[chan] general
May 18 05:59 [raw]

If large enough keys were used, with large enough fields or primes (depending on the algorithm) CPU cycles would have nothing to do with cracking a message. Then you would be up against available memory. CPUs could be a billion times faster yet with large enough fields brute force could be thwarted by memory requirements in the yottabytes range potentially for all ages to come.

[chan] general
May 18 07:47 [raw]

Coming soon in OTRv4, but don't wait for it. Get started with OTRv3 now (even OTRv2, there's nothing wrong with it) and you can upgrade later. https://github.com/otrv4/otrv4/blob/master/otrv4.md

[chan3] general
May 18 11:00 [raw]

"OTR can add an extra few hundreds of years" Ten, fifteen years at most for civilian cryptography.

[chan3] general
May 18 11:09 [raw]

My educated guess is that breaking OTR messages is possible in day scale. Using SHA-1 for generating keys and MAC is a really bad idea.

[chan] general
May 18 11:33 [raw]

well, we asked for the fucking troll to return, did we not

[chan] general
May 18 12:13 [raw]

This is simply not true (source or gtfo), but assuming that it was, how is the ability to put an extra 15 years between yourself and your attackers with a click of a button a bad thing?

[chan3] general
May 18 12:33 [raw]

This depends on the value of the data. I will be alive in fifteen years, and so will my family. In a junta/regime country a decrypted "revolutionary" message means a death sentence. This is why everybody should prefer security measured in thousands of years, not decades.

[chan] general
May 18 12:59 [raw]

I said an *extra* 15 years. It's a layered approach. You gain some years from Tor, some from TLS, some from OPSEC and so on. You stack imperfect building blocks to achieve a grand total that's high enough for you. Also note that the 15 years would be a nightmare case scenario, assuming a black swan breakthrough in cryptanalysis, in which case we'll all have bigger things to worry about. I did not accept it as a valid estimate of the OTR protocol strength and have challenged it, to no avail.

[chan] general
May 18 19:54 [raw]

sha1 is broken, broken, totally borked. google devs released a whitepaper a few years back on how they broke it. this is why the CIA-run Tor project continues to use SHA-1 for .onion address keys

[chan] general
May 18 20:09 [raw]

they will have reasons, troll.

[chan] general
May 18 20:33 [raw]

troll? what part of "sha1 is broken" is trolling?

[chan3] general
May 18 20:52 [raw]

Yes, we all love "some secret reasons" of developers of globally used anonymisation software.

[chan3] privacy
May 19 11:56 [raw]

Yes, in a platonic ideal world all broken ciphers are unbreakable, because this platonic world knows nothing about implementation errors, backdoored CPUs, infected firmware, side channel attacks and the limitless incompetence of programmers.
