The following is a list of errata for our CCS 2009 paper on Multi-party Off-the-Record Messaging. It will be updated as we become aware of mistakes.
Ability of a malicious participant to violate non-repudiation between conversation participants by exchanging different verification keys with distinct subsets of participants.
I misspoke during my talk at CCS, claiming that there was a typo in our Attest() algorithm (Algorithm 3). The participants' identities and ephemeral verification keys are not included in the digest of unauthenticated session state on line 1 of the Attest() algorithm. If consensus is not established on the association between participants and the ephemeral verification keys they exchange with other participants, the following attack is possible.
A malicious participant (Mallory) could exchange a different verification key with each other participant. For example, Alice associates PK1 with Mallory while Bob associates PK2 with Mallory. Mallory can now violate non-repudiation within the conversation by sending different messages to Alice and Bob. When Alice and Bob discover that their views of the conversation have diverged, we require that the proofs of authorship that Alice (resp. Bob) has accepted under verification key PK1 (PK2) be transferable to Bob (Alice). However, if Alice presents a message from Mallory which she has verified under PK1, Bob will attempt to verify it under the key he has associated with Mallory, PK2. The verification will fail, and Bob will not learn that Mallory has been dishonest; all he sees is a proof that does not check out.
I had forgotten that we moved the responsibility for establishing consensus on the association between participants and ephemeral verification keys from the Attest() algorithm into the Deniable Signature Key Exchange. The section on "Multi-party signature key exchange" on the page following the Attest() algorithm describes how each participant takes a hash over the association table and sends it to all other participants to avoid this scenario.
Thus, I was wrong when I said the paper was wrong. I'm sorry for the confusion.
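The scenario above, as an added example that is not code from the paper or from this errata page: a Go model of a three-party conversation in which each member records the ephemeral verification key every other member presented, then hashes that association table in a canonical order and compares the digest with everyone else's before accepting any message. The Ed25519 keys, the digest construction, the participant names and the message text are assumptions for illustration; the paper's Deniable Signature Key Exchange itself is not reproduced, only the consensus check that the hash exchange provides. runAttack() plays Mallory presenting PK1 to Alice and PK2 to Bob: Alice accepts Mallory's message, Bob cannot verify it under PK2, and the two honest digests disagree, which is what the hash exchange catches before the conversation starts.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Participant is one conversation member: an ephemeral Ed25519 signing key
// plus the association table mapping every member's name (own name included)
// to the verification key this participant believes that member uses.
type Participant struct {
	Name  string
	sk    ed25519.PrivateKey
	Assoc map[string]ed25519.PublicKey
}

func newParticipant(name string) *Participant {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Participant{Name: name, sk: sk, Assoc: map[string]ed25519.PublicKey{name: pk}}
}

func (p *Participant) PK() ed25519.PublicKey { return p.Assoc[p.Name] }

// Learn records the verification key that `name` presented to this participant.
func (p *Participant) Learn(name string, pk ed25519.PublicKey) { p.Assoc[name] = pk }

func (p *Participant) Sign(msg []byte) []byte { return ed25519.Sign(p.sk, msg) }

// Verify checks a proof of authorship under the key this participant has
// associated with `from`; an unknown sender never verifies.
func (p *Participant) Verify(from string, msg, sig []byte) bool {
	pk, ok := p.Assoc[from]
	if !ok || len(pk) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pk, msg, sig)
}

// AssocDigest hashes the association table in canonical (name-sorted) order
// with separators, so identical tables always give identical digests.
func (p *Participant) AssocDigest() []byte {
	names := make([]string, 0, len(p.Assoc))
	for n := range p.Assoc {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		h.Write([]byte(n))
		h.Write([]byte{0}) // name/key boundary
		h.Write(p.Assoc[n])
	}
	return h.Sum(nil)
}

// ConsensusReached is the check run after the digests are exchanged: the
// conversation may only proceed if every participant's digest matches.
func ConsensusReached(ps ...*Participant) bool {
	for _, p := range ps[1:] {
		if !bytes.Equal(p.AssocDigest(), ps[0].AssocDigest()) {
			return false
		}
	}
	return true
}

// runAttack: Mallory holds two keypairs (PK1, PK2) and shows a different one
// to Alice and to Bob. Returns whether Alice accepts Mallory's message, whether
// that proof transfers to Bob, and whether the digest exchange would have let
// the conversation start at all.
func runAttack() (aliceAccepts, transfersToBob, consensus bool) {
	alice, bob := newParticipant("alice"), newParticipant("bob")
	mal1, mal2 := newParticipant("mallory"), newParticipant("mallory")
	alice.Learn("bob", bob.PK())
	bob.Learn("alice", alice.PK())
	alice.Learn("mallory", mal1.PK()) // Alice sees PK1
	bob.Learn("mallory", mal2.PK())   // Bob sees PK2

	msg := []byte("constructed sample message from Mallory to Alice")
	sig := mal1.Sign(msg)
	aliceAccepts = alice.Verify("mallory", msg, sig)
	transfersToBob = bob.Verify("mallory", msg, sig) // Bob checks under PK2
	consensus = ConsensusReached(alice, bob)         // honest tables differ
	return
}

// runHonest: the same setup with a Mallory who shows everyone one key.
func runHonest() (aliceAccepts, transfersToBob, consensus bool) {
	alice, bob, mal := newParticipant("alice"), newParticipant("bob"), newParticipant("mallory")
	for _, p := range []*Participant{alice, bob, mal} {
		p.Learn("alice", alice.PK())
		p.Learn("bob", bob.PK())
		p.Learn("mallory", mal.PK())
	}
	msg := []byte("constructed sample message")
	sig := mal.Sign(msg)
	return alice.Verify("mallory", msg, sig), bob.Verify("mallory", msg, sig),
		ConsensusReached(alice, bob, mal)
}

func main() {
	a, b, c := runAttack()
	fmt.Printf("attack: Alice accepts=%v transfers to Bob=%v consensus=%v\n", a, b, c)
	a, b, c = runHonest()
	fmt.Printf("honest: Alice accepts=%v transfers to Bob=%v consensus=%v\n", a, b, c)
}
```

Run with go run. The digest has to be computed over a canonical serialization (sorted names, explicit separators); hashing the table in map-iteration order would make two honest participants with the same table disagree for no reason. Mallory's own digest is irrelevant to detection: whatever she sends, Alice's and Bob's digests already differ because their entries for Mallory differ.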
-
Typos in Algorithm 4 lines 2-5 (page 7).
In Algorithm 4 our notation is inconsistent. To denote a symmetric authenticated encryption scheme, we use SymMacEnc() on line 2, but SymEnc() and SymDec() on lines 3-5. SymEnc() and SymDec() should be replaced by SymMacEnc() and SymMacDec() respectively, to indicate that they are authenticating primitives.
Thanks to Christoph A.
-
Reference [7] title is incorrect.
The correct reference is:
C. Boyd, W. Mao and K.G. Paterson. Deniable authenticated key establishment for Internet protocols. In B. Christianson, B. Crispo, J.A. Malcolm, M. Roe (eds.), Security Protocols, 11th International Workshop, Revised Selected Papers. Lecture Notes in Computer Science Vol. 3364, pp. 255-271, Springer, 2005.
Thanks to Christoph A.