[cryptography] OTR and deniability

Steven Bellovin smb at cs.columbia.edu
Thu Jul 14 14:59:29 EDT 2011

The two Ian G's have it correct: while OTR provides (some level of) lack of evidence within the system, it says nothing about external evidence like netflow records, which machine the logs were taken from, etc.  To pick one bad example -- bad because I don't know if it fits the facts of this case -- if one party to a purported conversation turned over a log file, and forensic examination of the second party's computer showed the same log, I suspect that most people would believe that those two parties had that conversation.  Of course, the authenticity of the log files could be challenged -- did the first party hack into the second party's computer and plant the log file?  had someone else hacked into it and used it to talk with the first party? -- but that's also outside the crypto protocol.

Put another way, the goal in a trial is not a mathematical proof, it's proof to a certain standard of evidence, based on many different pieces of data.  Life isn't a cryptographic protocol.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb

More information about the cryptography mailing list