Off-the-Record Messaging Protocol version 4 draft (github.com/otrv4)
16 points by pabs3 on Jan 18, 2021 | hide | past | favorite | 4 comments


Link should be updated to: https://bugs.otr.im/otrv4/otrv4 (it's the actual upstream, not a clone). I wish there was a write-up on what it improves over its old version.

OTR was great, until Signal/Axolotl/OMEMO came about that allowed for multiple endpoints. With OTR you had to establish sessions, and if messages were received out of order or an end closed the session, you'd have to handshake again. I used it with GTalk before Google staked it dead, then on AIM for a bit until Verizon (I think?) finally staked that dead. It worked pretty well unless I had multiple computers up with OTR support in the clients. In this situation I'd have clients fighting each other to handshake and invalidating their old sessions.

Don't get me wrong, OTR is great because you can run it over most anything that doesn't mangle the text being sent whether that's IRC or whatever your text protocol of the day is.

TextSecure, which later became Signal, was originally based on a stripped-down version of this... but SMS sucks for sending longer messages and verifying delivery order, so that was abandoned.


You can find the main changes over the last version in the first chapter of the specification: https://bugs.otr.im/otrv4/otrv4/-/blob/master/otrv4.md#main-...

Quote:

- Security level raised to 224 bits and based on Elliptic Curve Cryptography (ECC).

- Additional protection against transcript decryption in the case of ECC compromise.

- Support of conversations where one party is offline.

- Updated cryptographic primitives and protocols:

  - Deniable authenticated key exchanges (DAKE) using "DAKE with Zero Knowledge" (DAKEZ) and "Extended Zero-knowledge Diffie-Hellman" (XZDH) [1]. DAKEZ corresponds to conversations when both parties are online (interactive) and XZDH to conversations when one of the parties is offline (non-interactive).

  - Key management using the Double Ratchet Algorithm [2].

  - Upgraded SHA-1 and SHA-2 to SHAKE-256.

  - Switched from AES to ChaCha20 [3]. The RFC 7539 variant is used [16].

- Support of an out-of-order network model.

- Support of different modes in which this specification can be implemented.

- Explicit instructions for producing forged transcripts using the same functions used to conduct honest conversations.
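The out-of-order problem described in an earlier comment (a late or dropped message forced an OTRv3 re-handshake) is what the "out-of-order network model" and Double Ratchet items above address. As an added illustration that is not code from the OTRv4 specification or any OTR implementation, this is a single symmetric chain ratchet with SHAKE-256 as the KDF: each message gets a fresh key, the chain key is thrown away after each step, and keys for messages that have not arrived yet are cached so they can still be decrypted when they turn up late. The labels, the fixed "root" chain key and the skip limit are constructed for the example; the real protocol derives these from the DAKE and the DH ratchet.

```python
import hashlib
from typing import Dict, Tuple


def kdf(label: bytes, key: bytes, n: int = 32) -> bytes:
    """Derive n bytes with SHAKE-256. Labels are constructed, not OTRv4's."""
    return hashlib.shake_256(label + key).digest(n)


class ChainRatchet:
    """One symmetric chain of the ratchet: step() yields a per-message key and
    replaces the chain key, so an old chain key cannot be recovered later
    (forward secrecy). Keys for not-yet-received messages are cached so late
    messages still decrypt; a consumed key is deleted and cannot be reused."""

    def __init__(self, chain_key: bytes, max_skip: int = 100):
        self.chain_key = chain_key
        self.counter = 0              # number of the next message on this chain
        self.max_skip = max_skip      # bound on cached keys (resource exhaustion)
        self.skipped: Dict[int, bytes] = {}

    def step(self) -> Tuple[int, bytes]:
        msg_key = kdf(b"msg", self.chain_key)
        self.chain_key = kdf(b"chain", self.chain_key)  # old chain key is gone
        n, self.counter = self.counter, self.counter + 1
        return n, msg_key

    def key_for(self, n: int) -> bytes:
        """Receiver side: key for message n, advancing and caching as needed."""
        if n in self.skipped:
            return self.skipped.pop(n)          # late message; single use
        if n < self.counter:
            raise KeyError(f"message {n} already consumed or never cached")
        if n - self.counter > self.max_skip:
            raise ValueError("too many skipped messages")
        while self.counter < n:                 # cache keys for the gap
            i, k = self.step()
            self.skipped[i] = k
        return self.step()[1]


def simulate_out_of_order(delivery_order=(2, 0, 1)) -> bool:
    """Sender derives keys 0..2 in order; receiver sees them in delivery_order.
    Returns True if every received key matches and no cached key is left over."""
    root = b"\x01" * 32  # constructed shared chain key (from the DAKE in OTRv4)
    alice, bob = ChainRatchet(root), ChainRatchet(root)
    sent = dict(alice.step() for _ in range(3))
    for n in delivery_order:
        if bob.key_for(n) != sent[n]:
            return False
    return not bob.skipped


if __name__ == "__main__":
    print("out-of-order delivery ok:", simulate_out_of_order())
```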


For people unfamiliar with the protocol: it's an instant-messaging-targeted crypto protocol originally thought up by some big names in crypto many moons ago (Ian Goldberg and Nikita Borisov). It offers deniable authentication (so it doesn't leave behind strong evidence of participants) and forward secrecy. Used in many IM apps / protocols.


I've used the protocol before and every client I could find that used it was incredibly difficult to use. I used it briefly to communicate with a single friend and a lot of work was needed to ensure the integrity of the connection (side-channel in-person initial communication). I don't think it's a useful protocol for anyone other than crypto-anarchists or similar types of people. Definitely not a protocol for wide use.



