Off-the-record communication, or, why not to use PGP

Quite often on the Internet, cryptography is used to protect private, personal communications. However, most commonly, systems such as PGP are used, which use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity. In this paper, we argue that most social communications online should have just the opposite of the above two properties; namely, they should have <i>perfect forward secrecy</i> and <i>repudiability</i>. We present a protocol for secure online communication, called "off-the-record messaging", which has properties better suited for casual conversation than do systems like PGP or S/MIME. We also present an implementation of off-the-record messaging as a plugin to the Linux GAIM instant messaging client. Finally, we discuss how to achieve similar privacy for high-latency communications such as email.
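The two properties the abstract sets against PGP, shown in an added example that is not code from the paper or its GAIM plugin: each message is keyed by a fresh Diffie-Hellman exponent that the sender erases as soon as the message is out (perfect forward secrecy), and each message is authenticated with an HMAC under a key both parties share, which is published once it can no longer authenticate anything, so a saved transcript proves nothing about who wrote it (repudiability). Assumptions of mine: the RFC 3526 1536-bit MODP group, SHA-256 standing in for OTR's key derivation and for AES-CTR, strictly alternating in-order messages (the real protocol tracks key ids so both sides can send concurrently), and an initial exchange of DH values that OTR would sign with long-term keys; the names Party, forge and demo are illustrative.

```python
"""Forward secrecy and repudiability in an OTR-style ratchet: an added
illustration, not the OTR specification or libotr code. Assumes strictly
alternating, in-order messages (OTR tracks key ids to handle concurrency)."""
import hashlib
import hmac
import secrets

# RFC 3526 1536-bit MODP group with generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
NBYTES = 192  # 1536 bits

def fresh_key():
    """New ephemeral DH pair (private exponent, public value)."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def derive(shared, label):
    """Session key from the DH secret (SHA-256 stands in for OTR's KDF)."""
    return hashlib.sha256(label + shared.to_bytes(NBYTES, "big")).digest()

def ctr_xor(key, nonce, data):
    """Hash-based counter-mode keystream, a stand-in for AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def tag(mac_key, msg):
    """HMAC over DH values, nonce and ciphertext; revealed keys are not covered."""
    body = msg["pub"].to_bytes(NBYTES, "big") + msg["next_pub"].to_bytes(NBYTES, "big")
    return hmac.new(mac_key, body + msg["nonce"] + msg["ct"], "sha256").digest()

class Party:
    def __init__(self):
        self.cur = fresh_key()  # pair the peer already knows; keys our next message
        self.nxt = fresh_key()  # advertised in our next message, used after that
        self.peer_pub = None    # newest DH value the peer has advertised
        self.spent_macs = []    # MAC keys of received messages, published on next send

    def send(self, text):
        shared = pow(self.peer_pub, self.cur[0], P)
        enc_key, mac_key = derive(shared, b"enc"), derive(shared, b"mac")
        msg = {"pub": self.cur[1], "next_pub": self.nxt[1], "nonce": secrets.token_bytes(8)}
        msg["ct"] = ctr_xor(enc_key, msg["nonce"], text)
        msg["tag"] = tag(mac_key, msg)
        # Repudiability: MAC keys that can no longer authenticate anything go public.
        msg["revealed"], self.spent_macs = self.spent_macs, []
        # Forward secrecy: the exponent behind this message's key is discarded now.
        self.cur, self.nxt = self.nxt, fresh_key()
        return msg

    def recv(self, msg):
        shared = pow(msg["pub"], self.cur[0], P)
        enc_key, mac_key = derive(shared, b"enc"), derive(shared, b"mac")
        if not hmac.compare_digest(msg["tag"], tag(mac_key, msg)):
            raise ValueError("MAC check failed")
        self.peer_pub = msg["next_pub"]
        # The sender has erased its exponent for this key, so nothing further can
        # legitimately carry this MAC key; it is safe to reveal on our next send.
        self.spent_macs.append(mac_key)
        return ctr_xor(enc_key, msg["nonce"], msg["ct"])

def forge(mac_key, template, fake_ct):
    """Anyone holding a revealed MAC key can mint a message that verifies."""
    fake = dict(template, ct=fake_ct, nonce=secrets.token_bytes(8))
    fake["tag"] = tag(mac_key, fake)
    return fake

def demo():
    alice, bob = Party(), Party()
    alice.peer_pub, bob.peer_pub = bob.cur[1], alice.cur[1]  # OTR signs this exchange
    m1 = alice.send(b"meet at 9?")
    p1 = bob.recv(m1)
    m2 = bob.send(b"ok")
    p2 = alice.recv(m2)
    # Seize both parties' full state now: no surviving exponent matches the DH
    # values that keyed m1, so a recorded m1 stays unreadable.
    held = [alice.cur[0], alice.nxt[0], bob.cur[0], bob.nxt[0]]
    old_key_recoverable = any(pow(G, x, P) in (m1["pub"], m2["pub"]) for x in held)
    # m1's MAC key travelled in m2; a third party now forges a different m1.
    k1 = m2["revealed"][0]
    fake = forge(k1, m1, b"\x00" * len(m1["ct"]))
    forgery_verifies = hmac.compare_digest(fake["tag"], tag(k1, fake))
    return {"p1": p1, "p2": p2, "old_key_recoverable": old_key_recoverable,
            "forgery_verifies": forgery_verifies}
```

Running demo() returns both decrypted plaintexts, old_key_recoverable False (the exponents behind the first message's key are gone from every party's state, so a later seizure of long-term and session material does not open a recorded message, unlike a PGP-encrypted message opened by the recipient's long-lived key) and forgery_verifies True (a valid tag is no evidence of authorship, because the recipient could always have produced it and, after the key is revealed, so could anyone). Note the caveat in recv: a MAC key is only safe to publish once no legitimate message can still be authenticated under it, which is why this model reveals keys of received messages only, and only after the sender has rotated away from the corresponding exponent.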
