
Off-the-Record Communication, or, Why Not To Use PGP

Nikita Borisov (UC Berkeley), Ian Goldberg (Zero-Knowledge Systems), Eric Brewer (UC Berkeley)

February 2, 2002

Abstract

Quite commonly on the Internet, cryptography is used to protect private, personal communications. However, most commonly, systems such as PGP are used, which use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity.

We claim that most social communications online should have just the opposite of the above two properties; namely, they should have perfect forward secrecy and repudiability. In this work, we present a protocol for secure online communication called "off-the-record messaging" which has properties better-suited for casual conversation than do systems like PGP or S/MIME. We also present an implementation of off-the-record messaging as a plugin to the GAIM instant messaging client.

1 Introduction

Originally a medium for the transfer of technical information, data, and research, the Internet has grown rapidly over the last decade to become the basis for a wide variety of forms of communication, ranging from electronic commerce, to the sharing of music and video, to social conversation.

Along with the growing population of the Internet came growing concern over the security of the data flowing across it. Your online communications could be observed by any number of third parties on their way to their destinations. Even data residing on your own PC could be vulnerable if you were unlucky enough to open the wrong email attachment.

The protections developed were twofold: use firewalls and host security to lock down the endpoints, and use cryptography to protect the information in transit. Popular cryptographic systems, such as SSL [7], PGP [21, 4], and S/MIME [2], were developed and used to protect diverse forms of data.

This approach was well-suited to electronic commerce: SSL could protect your credit card number from would-be thieves; PGP or S/MIME could be used to sign electronic contracts. But what about online communication which is not electronic commerce? The popularity of online social communication mechanisms such as email, chat and instant messaging is obvious, but when people want to protect such communication, they generally turn to the tools they've already got; usually, PGP.

In this paper, we argue that PGP is not the right mechanism for conducting a secure conversation, and we develop a system more suitable for protecting social interactions. In section 2 we motivate the problem. Section 3 gives an overview of relevant cryptographic primitives, and section 4 contains an exposition of our off-the-record messaging protocol. In section 5 we describe our implementation of this protocol in a common instant messaging system. Finally, we review some related work in section 6 and in section 7 we conclude.

2 Motivation

When Alice and Bob are talking in person, it is easy to keep their conversation private. Alice can make sure no one is around, and, with the exception of a hidden tape recorder, she can be reasonably sure that no one else will hear the conversation. Further, the only evidence anyone can obtain of the conversation is Bob's word about what happened.

Such private, off-the-record conversations are common and useful in both social and business contexts. There is even a recognized need to have similar private conversations by telephone — it is illegal to tap or record a phone conversation without the parties' consent or a court order.

What happens when Alice and Bob want to have such a private conversation online? Today, being somewhat crypto-savvy, they would use PGP. Alice encrypts her messages to Bob's public encryption key, and signs them with her own private signature key. That way, only Bob can read the messages, and Bob is assured that Alice is the one who sent them.

Unbeknownst to Alice and Bob, however, the eavesdropper Eve is listening (good thing they used crypto!) and storing all of the encrypted messages, which she can't read.

Some time later, Eve manages to obtain Bob's private key, for example through a black bag job [9], Magic Lantern [18], or a subpoena. Eve now can read all of Bob's past email that she's collected over the years. In addition, Eve has evidence in the form of a cryptographic digital signature that Alice was the one who sent the messages.

This doesn't sound like a private conversation at all! After the fact, a cryptographically verifiable transcript of Alice and Bob's conversation has been recovered.

2.1 What went wrong?

You could say that Bob losing control of his private key was the problem. But we'd really prefer to be able to handle such failures gracefully, and not simply give away the farm. There were two main problems:

• The compromise of Bob's secrets allowed Eve to read not only future messages protected with that key, but past messages as well.

• When Alice wanted to prove to Bob that she was the author of the message, she used a digital signature, which also proves it to Eve, and any other third party.¹

When we think about private messages in the context of social conversation, we really want a system with different properties: we want only Bob to be able to read the message, and Bob should be assured that Alice was the author; however, no one else should be able to do either. Further, after Alice and Bob have exchanged their message, it should be impossible for anyone (including Alice and Bob themselves) to subsequently read or verify the authenticity of the encrypted message, even if they kept a copy of it. It is clear that PGP does not provide these desirable properties.

This paper introduces a protocol for private social communication which we call "off-the-record messaging". The notion of an off-the-record conversation well-captures the semantics one intuitively wants from private communication: only the two parties involved are privy to the contents of the conversation; after the conversation is over, no one (not even the parties involved) can produce a transcript; and although the participants are assured of each other's identities, neither they nor anyone else can prove this information to a third party. Using this protocol, Alice and Bob can enjoy the same privacy in their online conversations that they do when they speak in person.

¹ Note that if Alice had not signed the message, then third parties would not have proof of Alice's authorship of the message, but then neither would Bob.

3 Cryptographic Primitives

In this section, we outline the cryptographic primitives we will use to achieve our goal of off-the-record communication.

• Perfect forward secrecy will be used to ensure our past messages will not be recoverable retroactively.

• Digital signatures will be used so that Bob knows with whom he's communicating.

• Message authentication codes will be used to prove Alice's authorship of a message to Bob, while at the same time preventing such a proof to third parties.

• Malleable encryption will be used to provide for forgeability of transcripts, repudiation of contents, and plausible deniability.

3.1 Perfect forward secrecy

The most obvious feature we need from our off-the-record messaging system is confidentiality: only Alice and Bob should be able to read the messages that make up their online conversation. Since we assume everything transmitted over the Internet is public information, we need to use encryption. Now our problem is reduced to ensuring that the decryption keys for the messages never fall into hands other than Alice's and Bob's.

… present, or future — encrypted with that key would no longer be secure.

We circumvent this problem by using short-lived encryption keys that are generated as needed, and discarded after use. These keys also have the property that it is impossible to rederive them from any long-term key material.

A setup such as this provides a property known as perfect forward secrecy [10]: once Alice and Bob both discard any given short-lived key, there is no longer any amount of information that can be collected through any means to recover the key, and thus decrypt messages encrypted with that key.²

Not only will Eve be unable to reconstruct the key, but neither will Alice or Bob themselves be able to read those past messages. This strong property ensures the confidentiality behaviour desired in off-the-record communication.

To provide perfect forward secrecy, we use the well-known Diffie-Hellman key agreement protocol [8].³ Diffie-Hellman allows two parties communicating over a public channel to agree on a shared secret, without revealing it to an eavesdropper. Briefly, the key agreement starts with some public parameters — a prime $p$ and a generator $g$ of a subgroup of $\mathbb{Z}_p^*$ of large prime order. Alice and Bob pick two numbers (the private keys), $x_A$ and $x_B$ respectively, and they transmit $g^{x_A}$ and $g^{x_B}$ (the public keys) over a public channel. Alice can then compute the shared secret $(g^{x_B})^{x_A} = g^{x_A x_B}$; Bob can compute the same secret as $(g^{x_A})^{x_B}$. This now-shared secret is used to create the short-lived encryption key. However, it is presumed to be intractable for Eve to compute the secret, since $x_A$ and $x_B$ are unknown to her.
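The following is an added worked example, not code from the paper or from the OTR project, of the Diffie-Hellman exchange described in section 3.1 and of the "message authentication code" bullet in the primitive list above. It uses the paper's symbols ($p$, $g$, $x_A$, $x_B$), generates a safe-prime group of a size chosen only to keep the example fast (an assumption; real deployments use groups of 2048 bits or more), derives the short-lived key from the shared secret with SHA-256 (an assumed key derivation; the paper does not specify one), discards each private exponent once the key exists, and authenticates a constructed sample message with an HMAC that both parties can compute, which is why the tag convinces Bob but proves nothing to a third party.

```python
"""Ephemeral Diffie-Hellman with forward secrecy, plus a MAC that both
parties can compute. Added example in the notation of section 3.1; it is
not the paper's code. Group size and key derivation are assumptions."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; error probability at most 4**-rounds for composite n."""
    if n < 2:
        return False
    for sp in (2,) + SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of the
    order-q subgroup of Z_p^*. The bit size is an assumption for speed;
    production groups are 2048 bits or larger."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if any(q % sp == 0 for sp in SMALL_PRIMES):
            continue
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            # 4 = 2**2 is a quadratic residue, so it lies in the subgroup of
            # order q; since q is prime and 4 != 1, it generates that subgroup.
            return p, q, 4


class Party:
    """One side of the exchange. The private key x lives only until the
    shared key has been derived, then it is discarded."""

    def __init__(self, p, q, g):
        self.p, self.q = p, q
        self.x = secrets.randbelow(q - 1) + 1  # private key x in [1, q-1]
        self.public = pow(g, self.x, p)        # g^x mod p, sent in the clear

    def derive_key(self, peer_public):
        if self.x is None:
            raise RuntimeError("short-lived key already discarded")
        # Reject values outside the prime-order subgroup (1, p-1 and other
        # small-subgroup elements) before exponentiating with our secret.
        if not 1 < peer_public < self.p - 1 or pow(peer_public, self.q, self.p) != 1:
            raise ValueError("peer public value not in the order-q subgroup")
        shared = pow(peer_public, self.x, self.p)  # (g^x_B)^x_A = g^(x_A x_B)
        nbytes = (self.p.bit_length() + 7) // 8
        key = hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()
        self.x = None  # forward secrecy: nothing remains to re-derive the key
        return key


def run_exchange(bits=256):
    """Run one exchange; return (keys_match, bob_verifies_mac, keys_discarded)."""
    p, q, g = generate_group(bits)
    alice, bob = Party(p, q, g), Party(p, q, g)
    k_a = alice.derive_key(bob.public)   # Alice uses Bob's g^x_B
    k_b = bob.derive_key(alice.public)   # Bob uses Alice's g^x_A
    msg = b"meet at noon"                # constructed sample message
    tag = hmac.new(k_a, msg, hashlib.sha256).digest()
    # Bob checks the tag with the same key, so he could have produced it
    # himself: it convinces him of authorship but proves nothing to Eve.
    bob_verifies = hmac.compare_digest(tag, hmac.new(k_b, msg, hashlib.sha256).digest())
    return k_a == k_b, bob_verifies, alice.x is None and bob.x is None


if __name__ == "__main__":
    print(run_exchange())
```

The subgroup membership check in `derive_key` is the defensive step a practitioner would want even though the paper's sketch omits it: a received public value of 1 or $p-1$, or one drawn from a small subgroup, would otherwise leak information about the private exponent. Once `derive_key` returns, the only way to recover the session key is to have captured it while it was live; the long-term material the paper warns about is never involved.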