mpOTR progress report - HOPE X in New York 2014

Attendees: - trevp - infinity0 - DrWhax - dgoulet - vmon

This is a progress report on the ongoing mpOTR effort after a meeting at the HOPE X conference in New York.

First of all, the name of the protocol has not been yet decided thus we'll use mpOTR in this report so everyone understand what we are talking about.

This initiative was launched by CryptoCat and in early 2014 with the help of OTF for the funding. You can find an overview of the project here mpOTR. Quite of work has been put into this new protocol and a second draft of the mpOTR protocol should be release to the public soon.

Now a quick summary of what we discussed. It is divided into roughly two parts, the key agreement to establish the session, and mechanisms to ensure transcript consistency during the session. The key agreement can itself be thought as a combination of a forward-secure confidentiality key agreement, and a deniable authentication key agreement.

Unlike OTR which is a bidirectionnal data exchange, a cryptographic agreement between all parties need to be established before having a group chat secure channel. There are multiple methods to achieve that, such has having each participant broadcasting her/his key ("sender keys") or using a common key for the whole chat session ("group key"). It's also important to consider the transport protocols that support group chat such as IRC and XMPP; these all have different semantics for reachability, presence, delivery and so on. In order for mpOTR to be transport agnostic, we need to assume as little as possible about the transport, and/or think about how to adapt the semantics we choose for mpOTR, into the semantics of each transport.

mpOTR will most likely introduce new properties on top of the secure channel that make sure the transcript between all participants is ordered and consistent. This is to prevent an insider attacker that decides to send different information to different people in the group chat - this would be as disastrous as a non-secure communication channel. I won't go into any more details but I encourage you all to read infinity0 notes.

So back to the HOPE X meeting. The discussion was aimed at trying to get to an agreement between attendees mostly on two aspects, which key agreement scheme to use and the transcript consistency property. I'll describe what they are briefly here but will not go into deep technical details since no decision have been made.

As mentionned before, there are multiple key agreement scheme that can be used but there is still a debate on which one to use in mpOTR, sender keys or a common group key. Each of these have advantages and disadvantages, but details are being worked out to decide which one the next draft will follow.

For the transcript consistency, the discussion was mostly about the performance overhead of the scheme described here, and whether simpler schemes achieve security guarantees that are strong enough. Again, I'm not going to go into more details since I feel that this would need its own blog post/paper and the goal here is to show what's being worked on right now for mpOTR.

As I said, the second draft will be release soon (hopefully with an official name) which you, the public, should bring a HUGE amount of scrutiny to it and we can finally move to an implementation! :)