OTR Team Strikes Again with Dagstuhl Privacy Preserving Presence Protocol P (DP5)

You will hear about DP5 more and more over the coming years. Off The Record (OTR), an encryption protocol suite specifically crafted to protect chat conversations, is one of the tools cited in the recent Chaos Communication Congress talk by Jacob Appelbaum and Laura Poitras as being ‘safe’ in the face of NSA attention.

The safety offered by OTR is purely for the point to point conversation between two people if someone in the middle should manage to record it. OTR offers no protection for metadata that might leak during the setup of the chat or for what a cooperative service provider might make available to a government inquiry. As an example of how bad that could get, popular chat clients like Pidgin and Adium permit one to use OTR for Facebook chat.

Recognizing this metadata hazard, current OTR team leader Ian Goldberg, past contributor Nikita Borisov, and newcomer George Danezis have created a solution.


Dagstuhl Privacy Preserving Presence Protocol P (DP5)

DP5, short for Dagstuhl Privacy Preserving Presence Protocol P, was introduced in a twelve-page technical paper (pdf). Dagstuhl is a computer science research center funded by the German federal government and some of the German states, but there is no publicly available information about the center’s involvement. The center offers Seminars and Perspective Workshops; presumably such an event played a seminal role in the creation of the protocol.

The paper itself is a very dense read, full of the mathematics of cryptography, and it is very reminiscent of the Dark Internet Mail Environment, another effort to replace a commonly used encryption package, which is also led by the original author, Phil Zimmermann.

What Is Presence?

The specific problem that DP5 addresses is presence, which encompasses your coming and going on a chat platform, as well as your list of contacts. This is prized information, for a wide variety of reasons that include:

  • Your arriving and leaving define when you are awake, or at least when you are online.
  • Your address book or buddy list shows who your contacts are; a pile of related address books permits analysts to identify ‘high centrality nodes’ – those who are in a position to organize activities.
  • Even if the message is encrypted, who talked and when can be correlated with activities that are known, permitting inference about the role of those involved in a private chat.

If you need any more motivation to start protecting yourself from this, consider the famous quote from former NSA head General Michael Hayden:

“We kill people based on metadata.”

How DP5 Works

Much like the compartmentalized, encrypted emails of the Dark Internet Mail Environment, presence messages are available on a ‘need to know’ basis. You choose who can see you, namely the contacts who hold your keys, and not even the server you are using knows the particulars. As is common in such schemes, hashes of information are used, rather than the actual information itself. Those who have the correct keys can connect a given hash to a specific contact while everyone else is left blind.

DP5 expands upon the concept of an ‘epoch’, a time period for which the hashes associated with usernames are consistent. A long epoch lasts a day; short epochs of ten minutes provide for frequent re-keying of conversations. There is no way to compare the current epoch to the one immediately prior and determine anything about who is or is not present. Even a compromised server is of little use given the way DP5 handles keys.
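
As an added illustration (not code from the DP5 paper or its authors), the Python example below shows the idea of per-epoch hashed identifiers: a contact who holds the shared key can recompute the label, while the server and everyone else see only opaque values that change every epoch. It assumes HMAC-SHA256 as a stand-in for the paper's actual construction, uses hypothetical names throughout, and does a plain lookup where the evaluation quoted below uses PIR servers.

```python
import hashlib
import hmac
import secrets

LONG_EPOCH = 24 * 60 * 60   # one day, per the article
SHORT_EPOCH = 10 * 60       # ten minutes, per the article

def epoch_index(unix_time: int, epoch_len: int) -> int:
    """Number of the epoch that contains unix_time."""
    return unix_time // epoch_len

def presence_label(shared_key: bytes, epoch: int, epoch_len: int) -> str:
    """Opaque per-epoch identifier for one (user, contact) pair (assumed HMAC)."""
    msg = b"presence|%d|%d" % (epoch_len, epoch)
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()

class PresenceServer:
    """Hypothetical server: stores opaque labels by epoch, never usernames."""
    def __init__(self):
        self.labels = {}  # epoch number -> set of labels

    def register(self, epoch: int, label: str) -> None:
        self.labels.setdefault(epoch, set()).add(label)

    def is_present(self, epoch: int, label: str) -> bool:
        return label in self.labels.get(epoch, set())

def announce(server, contact_keys, now, epoch_len=SHORT_EPOCH):
    """Publish one label per contact for the epoch containing `now`."""
    epoch = epoch_index(now, epoch_len)
    for key in contact_keys:
        server.register(epoch, presence_label(key, epoch, epoch_len))
    return epoch

def check_contact(server, shared_key, now, epoch_len=SHORT_EPOCH):
    """A contact holding shared_key recomputes the label and looks it up."""
    epoch = epoch_index(now, epoch_len)
    return server.is_present(epoch, presence_label(shared_key, epoch, epoch_len))

if __name__ == "__main__":
    server, bob_key = PresenceServer(), secrets.token_bytes(32)  # constructed key
    now = 1_700_000_000                                          # constructed time
    announce(server, [bob_key], now)
    print("Bob sees Alice:", check_contact(server, bob_key, now))
    print("Stranger sees Alice:",
          check_contact(server, secrets.token_bytes(32), now))
```

Labels from one epoch do not carry over: a lookup in the next ten-minute epoch fails until the user announces again, and the stored labels for consecutive epochs share no visible relationship without the key.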

DP5 isn’t just a theory; one section of the paper describes a large scale simulation.

“To evaluate the performance of DP5, we ran 960 simultaneous clients accessing the DP5 infrastructure. The clients were running on an 80-core Xeon 2.4 GHz server with 1 TB of RAM. For each of the short-term and long-term protocols, we used one server for registration and three servers supporting PIR (8 servers total). Each server was running on a 16-core Xeon 2.0 GHz machine with 256 GB of RAM. The machines were interconnected using 1 Gbps Ethernet.”

The performance analysis is complex and nuanced, but this portion of the conclusion should cheer open source enthusiasts.

“A user population of 1000 can easily be supported even with volunteer resources.”

Unresolved Faults

The paper is as honest about gaps as it is about features and hazards the protocol will eliminate. One of the big ones is how users would find each other and exchange keys in the first place, the same problem that currently bedevils PGP. Identity aggregators such as keybase.io are the obvious answer. Keybase is the most forward-looking, and the only thing they support that is even vaguely chat-like is Twitter, which is not at all suitable. If they do choose to add chat support they will start with XMPP, the Jabber protocol, and it seems unlikely they would do anything with IRC, as identities there are too malleable.

Malleable or multiple identities get a nod in the paper as well. Those who are used to playing on the dirty end of the field already keep multiple Jabber accounts, compartmentalizing conversation groups and varying activity times to thwart surveillance. Watch for tools that start automating this sort of thing, but they’re not here just yet.

DP5 is a very well-conceived effort by the guys who have already given the NSA fits in their earlier efforts. The sooner we see working clients that support DP5, the safer we will all be.
