summaryrefslogtreecommitdiff
path: root/plugins/MirOTR/libotr/read/Protocol-v1.txt
blob: 27429bb76d123800d165c09962db9f9067e89b9c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
	       Off-The-Record Wire Protocol Documentation
	       ------------------------------------------

		    Nikita Borisov and Ian Goldberg
			  <otr@cypherpunks.ca>

Definitions
-----------

Data encodings:

    Bytes (BYTE):
      1 byte unsigned value
    Shorts (SHORT):
      2 byte unsigned value, big-endian
    Ints (INT):
      4 byte unsigned value, big-endian
    Multi-precision integers (MPI):
      4 byte unsigned len, big-endian
      len byte unsigned value, big-endian
      (MPIs must use the minimum-length encoding; i.e. no leading 0x00
      bytes.  This is important when calculating public key fingerprints.)
    Opaque variable-length data (DATA):
      4 byte unsigned len, big-endian
      len byte data
    DSA signature (DSASIG):
      (len is the length of the DSA public parameter q)
      len byte unsigned r, big-endian
      len byte unsigned s, big-endian
    Initial CTR-mode counter value (CTR):
      8 bytes data
    Message Authentication Code (MAC):
      20 bytes MAC data

Policies:

    Clients can set one of four OTR policies.  This can be done either
    on a per-correspondent basis, or globally, or both.  The policies
    are:

    NEVER:
	Never perform OTR with this correspondent.
    MANUAL:
	Only start OTR if one of you specifically requests it.
    OPPORTUNISTIC:
	Start OTR if there's any indication the correspondent supports it.
    ALWAYS:
	Only use OTR with this correspondent; it is an error to send an
	unencrypted message to him.

    The default setting should be OPPORTUNISTIC.

Whitespace Tag:

    There is an OTR_MESSAGE_TAG, which is a 24-byte string of whitespace
    that clients can optionally append to (or insert in) messages to
    unobtrusively indicate that they understand the OTR protocol.  The
    string is as follows (in C notation):

	\x20\x09\x20\x20\x09\x09\x09\x09
	\x20\x09\x20\x09\x20\x09\x20\x20
	\x20\x09\x20\x09\x20\x20\x09\x20

    [This is the bit pattern of the string "OTR" as expressed in spaces and
    tabs.]

Protocol
--------

An OTR client maintains a separate state with each of its
correspondents.  Initially, all correspondents start in the UNCONNECTED
state.

This is the state machine for the default (OPPORTUNISTIC) policy.  The
modifications for other policies are below.

In the UNCONNECTED state:

 - It may, at the user's instigation or otherwise (for example, if the
   correspondent's AIM Capability list indicates he supports OTR), send
   an OTR Query message, and remain in the UNCONNECTED state.

 - If it receives an OTR Query message, it replies with an OTR Key
   Exchange message, and moves to the SETUP state.

 - If it receives an OTR Key Exchange message, it:
   - verifies the information in the Key Exchange message
     - If the verification fails, send an OTR Error message, and remain
       in the UNCONNECTED state.
     - If the verification succeeds, reply with an OTR Key Exchange
       message with the Reply field set to 0x01 (_even if_ the received
       Key Exchange message itself had the Reply field set), inform the
       user that private communication has been established, and move to
       the CONNECTED state.

 - If it receives an OTR Data message, it replies with an OTR Error
   message, sends a Key Exchange message (with Reply set to 0x00), and
   moves to the SETUP state.

 - If it receives an OTR Error message, it should display the message to
   the user, send a Key Exchange message (with Reply set to 0x00), and
   move to the SETUP state.

 - If it receives an non-OTR message:
   - If the message contains the OTR_MESSAGE_TAG, it should reply with
     an OTR Key Exchange message, strip the OTR_MESSAGE_TAG from the
     message, display the message to the user, and move to the SETUP state.
   - Otherwise, it should display the message to the user, and remain in
     the UNCONNECTED state.

In the SETUP state:

 - The user, through a UI action, may elect to reset the connection
   to the UNCONNECTED state.

 - If it receives an OTR Query message, it replies with an OTR Key
   Exchange message, and remains in the SETUP state.

 - If it receives an OTR Key Exchange message, it:
   - verifies the information in the Key Exchange message
     - If the verification fails, send an OTR Error message, display a
       notice of the error to the user, and remain in the SETUP state.
     - If the verification succeeds:
       - If the received Key Exchange message did not have the Reply field
         set to 0x01, reply with an OTR Key Exchange (with the Reply field
         set to 0x01).
       - In any event,  inform the user that private communication has
	 been established, and move to the CONNECTED state.

 - If it receives an OTR Data message, it replies with an OTR Error
   message, sends a Key Exchange message (with Reply set to 0x00), and
   remains in the SETUP state.

 - If it receives an OTR Error message, it should display the message to
   the user, send a Key Exchange message (with Reply set to 0x00), and
   remain in the SETUP state.

 - If it receives an non-OTR message:
   - If the message contains the OTR_MESSAGE_TAG, it should reply with
     an OTR Key Exchange message, and strip the OTR_MESSAGE_TAG from the
     message, display the message to the user, and remain to the SETUP state.
   - Otherwise, it should display the message to the user, and remain
     in the SETUP state.

In the CONNECTED state:

 - The user, through a UI action, may elect to reset the connection
   to the UNCONNECTED state.

 - If it receives an OTR Query message, it replies with an OTR Key
   Exchange message, and remains in the CONNECTED state.

 - If it receives an OTR Key Exchange message, it:
   - verifies the information in the Key Exchange message
     - If the verification fails, send an OTR Error message, display a
       notice of the error to the user, and remain in the CONNECTED
       state.
     - If the verification succeeds:
       - If the received Key Exchange message did not have the Reply field
         set to 0x01, reply with an OTR Key Exchange (with the Reply field
         set to 0x01).
       - In any event, remain in the CONNECTED state.

 - If it receives an OTR Data message, it:
   - verifies the information in the Data message
     - If the verification fails, send an OTR Error message, display a
       notice of the error to the user, and remain in the CONNECTED
       state.
     - If the verification succeeds, display the (decrypted) message to
       the user, and remain in the CONNECTED state.

 - If it receives an OTR Error message, it should display the message to
   the user, and remain in the CONNECTED state.

 - If it receives an non-OTR message, it should reply with an OTR Error
   message, and remain in the CONNECTED state.

Other policies:

    The above decribes what to do in the default (OPPORTUNISTIC) policy.

    If the policy is NEVER: behave as if OTR is not enabled at all.
    Pass all received messages to the user, and send all of the user's
    messages out untouched.

    If the policy is MANUAL: never send the OTR_MESSAGE_TAG in messages,
    and never respond to one you receive.  Don't send a Key Exchange
    Message (or change state) in response to receiving a Data or Error
    Message in the UNCONNECTED or SETUP states.

    If the policy is ALWAYS: never send an unencrypted message.  Either
    report an error to the user, or else hold on to the message, send an
    OTR Query Message instead, and once you enter the CONNECTED state,
    send the original message.  Warn the user if you receive an
    unencrypted message.

Protocol messages
-----------------

There are four types of messages in the OTR protocol:
 - OTR Query
 - OTR Key Exchange
 - OTR Data
 - OTR Error

OTR Query
---------

This message is sent to inquire if the correspondent supports the OTR
protocol.

Format:

Any message containing the string "?OTR?" is considered an OTR Query.

Since this message will be visible to the correspondent in the event
that he does not support the OTR protocol, it may also contain
human-readable information after this initial string.

Example:

?OTR?\nYour client does not support the OTR Private Messaging
Protocol.\nSee https://otr.cypherpunks.ca/ for more information.

OTR Key Exchange
----------------

This message is sent to inform the correspondent of your public
signature key, and your current DH encryption key.

Format:

The message must contain the five bytes "?OTR:".  After that is the
base-64 encoding of the following, followed by the byte ".":

  - Protocol version (SHORT)
    - The version number of this protocol is 0x0001.
  - Message type (BYTE)
    - OTR Key Exchange has message type 0x0a.
  - Reply (BYTE)
    - 0x01 if this Key Exchange message is being sent in reply to a Key
      Exchange message that was just received.  0x00 otherwise.
  - DSA p (MPI)
  - DSA q (MPI)
  - DSA g (MPI)
  - DSA e (MPI)
    - The DSA public key (p,q,g,e).
      [The parameter 'e' is usually called 'y', but that name's taken by
      the DH public key, below.]
  - Sender keyid (INT)
    - The keyid for this initial key.  Must be greater than 0.
  - DH y (MPI)
    - The initial DH public encryption key.  The DH group is the one
      defined in RFC 3526 with 1536-bit modulus (hex, big-endian):
	    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
	    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
	    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
	    E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
	    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
	    C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
	    83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
	    670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
      and generator 2.
  - Signature (DSASIG)
    - A signature with the private DSA key corresponding to (p,q,g,e).
      Take a SHA-1 hash of everything from the protocol version to the
      end of the value of y, and sign that value.

  The DSA key given in this message has a "Fingerprint", which is the
  SHA-1 hash of the portion of the message from the beginning of the "p"
  field (including the MPI length) to the end of the "e" field.  This
  fingerprint should be displayed to the recipient so that he may verify
  the sender's key.

OTR Data
--------

This message is used to transmit a private message to the correspondent.
It is also used to reveal old MAC keys.

The plaintext message (either before encryption, or after decryption)
consists of a human-readable message, optionally followed by:
   - a single NUL (a BYTE with value 0x00)
   AND
   - zero or more TLV (type/length/value) records (with no padding
     between them)

Each TLV record is of the form:
   - Type (SHORT)
     - The type of this record.  Records with unrecognized types should
       be ignored.
   - Length (SHORT)
     - The length of the following field
   - Value (len BYTEs)  [where len is the value of the Length field]
     - Any pertinent data for the record type.

Some TLV examples:

    \x00\x01\x00\x00
       A TLV of type 1, containing no data

    \x00\x00\x00\x05\x68\x65\x6c\x6c\x6f
       A TLV of type 0, containing the value "hello"

The currently defined TLV record types are:

    Type 0: Padding
    	The value may be an arbitrary amount of data, which should be
	ignored.  This type can be used to disguise the length of the
	plaintext message.

    Type 1: Disconnected
	If the user requests to close the private connection, you may
	send a message (possibly with empty human-readable part)
	containing a record with this TLV type just before you discard
	the session keys.  If you receive a TLV record of this type,
	you may inform the user that his correspondent has closed his
	end of the private connection, and the user should do the same.

Format:

The message must contain the five bytes "?OTR:".  After that is the
base-64 encoding of the following, followed by the byte ".":

  - Protocol version (SHORT)
    - The version number of this protocol is 0x0001.
  - Message type (BYTE)
    - OTR Data has message type 0x03.
  - Sender keyid (INT)
    - Must be strictly greater than 0, and increment by 1 with each key
      change
  - Recipient keyid (INT)
    - Must therefore be strictly greater than 0, as the receiver has no
      key with id 0
    - The sender and recipient keyids are those used to encrypt and MAC
      this message.
  - DH y (MPI)
    - The *next* [i.e. sender_keyid+1] public key for the sender
  - Top half of counter init (CTR)
    - This should monotonically increase (as a big-endian value) for
      each message sent with the same (sender keyid, recipient keyid)
      pair , and must not be all 0x00.
  - Encrypted message (DATA)
    - Using the appropriate encryption key (see below) derived from the
      sender's and recipient's DH public keys (with the keyids given in
      this message), perform AES128 counter-mode (CTR) encryption of the
      message.  The initial counter is a 16-byte value whose first 8
      bytes are the above "top half of counter init" value, and whose
      last 8 bytes are all 0x00.  Note that counter mode does not change
      the length of the message, so no message padding needs to be done.
      If you *want* to do message padding (to disguise the length of
      your message), pad with NULs (bytes of 0x00).  Upon receiving
      and successfully decrypting an OTR Data Message, the decrypted
      payload should be truncated just before the first NUL (if any).
  - SHA1-HMAC, using the appropriate MAC key (see below) of everything
    from the Protocol version to the end of the encrypted message (MAC)
  - Old MAC keys to be revealed (DATA)
    - See "Revealing MAC Keys", below.

OTR Error
---------

This message is sent when a problem has occurred in the protocol.

Format:

Any message containing "?OTR Error:" is an OTR Error message.  The
following part of the message should contain human-readable details of
the error.

Key Management
--------------

For each correspondent, keep track of:
 - My two most recent DH public/private key pairs
   - our_dh[our_keyid] (most recent) and our_dh[our_keyid-1] (previous)
 - His two most recent DH public keys
   - their_y[their_keyid] (most recent) and their_y[their_keyid-1] (previous)

When starting a private conversation with a correspondent, generate
two DH key pairs for yourself, and set our_keyid = 2.  Note that all DH
key pairs should have a private part that is at least 320 bits long.

When you send an OTR Key Exchange message:
    Send the public part of our_dh[our_keyid-1], with the keyid field,
    of course, set to (our_keyid-1).

When you receive an OTR Key Exchange message:
    If the specified keyid equals either their_keyid or their_keyid-1,
    and the DH pubkey contained in the Key Exchange message matches the
    one we've stored for that keyid, that's great.  Otherwise, forget
    all values of their_y[], and of their_keyid, and set their_keyid to
    the keyid value given in the Key Exchange message, and
    their_y[their_keyid] to the DH pubkey value given in the Key
    Exchange message.  their_y[their_keyid-1] should be set to NULL.

    In any event, if the Reply field of the Key Exchange message was set
    to 0x00, send a Key Exchange message with the Reply field set to
    0x01.

When you send an OTR Data message:
    Set the sender keyid to (our_keyid-1), and the recipient keyid to
    (their_keyid).  Set the DH pubkey in the Data message to the public
    part of our_dh[our_keyid].  Use our_dh[our_keyid-1] and
    their_y[their_keyid] to calculate session keys, as outlined below.
    Use the "sending AES key" to encrypt the message, and the "sending
    MAC key" to calculate its MAC.

When you receive an OTR Data message:
    Use the keyids in the message to select which of your DH key pairs
    and which of his DH pubkeys to use to verify the MAC.  If the keyids
    do not represent either the most recent key or the previous key (for
    either the sender or receiver), reject the message.  Also reject the
    message if the sender keyid is their_keyid-1, but
    their_y[their_keyid-1] is NULL.

    Otherwise, calculate the session keys as outlined below.  Use the
    "receiving MAC key" to verify the MAC on the message.  If it does not
    verify, reject the message.

    Check that the counter in the Data message is strictly larger than the
    last counter we saw using this pair of keys.  If not, reject the
    message.

    If the MAC verifies, decrypt the message using the "receiving AES key".

    Finally, check if keys need rotation:
     - If the "recipient keyid" in the Data message equals our_keyid, then
       he's seen the public part of our most recent DH key pair, so we
       securely forget our_dh[our_keyid-1], increment our_keyid, and set
       our_dh[our_keyid] to a new DH key pair which we generate.
     - If the "sender keyid" in the Data message equals their_keyid,
       increment their_keyid, and set their_y[their_keyid] to the new DH
       pubkey specified in the Data message.

    If the message you get after decryption is of zero length, this is a
    "heartbeat" packet.  Don't display it to the user.  (But it's still
    useful to effect key rotations.)

Calculating session keys:
    Given one of our DH key pairs, and one of his DH pubkeys, we
    calculate a DH secure id, two AES keys, and two MAC keys as follows:

    Let (our_x, our_y) be the private and public parts of our DH
    key pair.  Let their_y be his DH pubkey.

    First, calculate the shared secret:
      secret = their_y ^ our_x mod DH_MODULUS
    (^ denotes exponentiation, and DH_MODULUS is the 1536-bit DH modulus
    from RFC 3526, as specified above).

    Write the value of secret as a minimum-length MPI, as specific above
    (4-byte big-endian len, len-byte big-endian value).  Let this
    (4+len)-byte value be "secbytes".

    Next, determine if we are the "low" end or the "high" end of this
    key exchange.  If our_y > their_y, then we are the "high" end.
    Otherwise, we are the "low" end.  Note that who is the "low" end and
    who is the "high" end can change every time a new DH pubkey is
    exchanged.

    Calculate the DH secure id as the SHA-1 hash of the (5+len)-byte value
    composed of the byte 0x00, followed by the (4+len) bytes of
    secbytes.
    
    When a new private connection is established, the "secure session
    id" for the connection is set to be the DH secure id calculated in
    this way.
    
    The secure session id should be displayed as two 10-byte
    (big-endian) values, in C "%20x" format.  If we are the "low" end of
    the key exchange, display the first 10 bytes in bold, and the second
    10 bytes in non-bold.  If we are the "high" end of the key exchange,
    display the first 10 bytes in non-bold, and the second 10 bytes in
    bold.  This session id can be used by the parties to verify (say,
    over the telephone, assuming the parties recognize each others'
    voices) that there is no man-in-the-middle by having each side read
    his bold part to the other.

    To be clear, if the user requests to see the secure session id in
    the middle of the conversation, the value displayed should be the
    one calculated at the time the private connection was established
    (the last Key Exchange Message that caused a rekeying), _not_ the DH
    secure id calculated from DH keys in more recent Data Messages.

    Now set the values of "sendbyte" and "recvbyte" according to whether
    we are the "low" or the "high" end of the key exchange:
     - If we are the "high" end, set "sendbyte" to 0x01 and "recvbyte"
       to 0x02.
     - If we are the "low" end, set "sendbyte" to 0x02 and "recvbyte"
       to 0x01.

    Calculate the "sending AES key" to be the first 16 bytes of the
    SHA-1 hash of the (5+len)-byte value composed of the byte
    (sendbyte), followed by the (4+len) bytes of secbytes.

    Calculate the "sending MAC key" to be all 20 bytes of the SHA-1 hash
    of the 16-byte sending AES key.

    Calculate the "receiving AES key" to be the first 16 bytes of the
    SHA-1 hash of the (5+len)-byte value composed of the byte
    (recvbyte), followed by the (4+len) bytes of secbytes.

    Calculate the "receiving MAC key" to be all 20 bytes of the SHA-1 hash
    of the 16-byte receiving AES key.

Revealing MAC keys
------------------

Whenever you are about to forget either one of your old DH key pairs, or
one of your correspondent's old DH pubkeys, take all of the MAC keys
that were generated by that key (note that there are up to four: the
sending and receiving MAC keys produced by the pairings of that key with
each of two of the other side's keys; but note that you only need to
take MAC keys that were actually used to either create a MAC on a
message, or verify a MAC on a message), and put them (as a set of
concatenated 20-byte values) into the "Old MAC keys to be revealed"
section of the next Data message you send.  We do this to allow the
forgeability of OTR transcripts: once the MAC keys are revealed, anyone
can modify an OTR message and still have it appear valid.  But since we
don't reveal the MAC keys until their corresponding pubkeys are being
discarded, there is no danger of us accepting a message as valid which
uses a MAC key which has already been revealed.

Fragments
---------

[Remember when reading this section that the network model assumes
in-order delivery, but that some messages may not get delivered at all
(for example, if the user disconnects).  And, of course, there's the
possibility of an active attacker, who is allowed to perform a Denial of
Service attack, but not to learn contents of messages.]

Transmitting Fragments:

    If you have information about the maximum size of message you are
    able to send (the different IM networks have different limits), you
    can fragment an OTR message as follows:

    - Start with the OTR message as you would normally transmit it.  For
      example, an OTR Data Message would start with "?OTR:AAED" and end
      with ".".
    - Break it up into sufficiently small pieces.  Let the number of
      pieces be (n), and the pieces be piece[1],piece[2],...,piece[n].
    - Transmit (n) messages with the following (printf-like) structure
      (as k runs from 1 to n inclusive):

	  "?OTR,%hu,%hu,%s," , k , n , piece[k]

    - Note that k and n are unsigned short ints (2 bytes), and each has
      a maximum value of 65535.  Also, each piece[k] must be non-empty.

Receiving Fragments:

    If you receive a message containing "?OTR," (note that you'll need
    to check for this _before_ checking for any of the other "?OTR:"
    markers):

    - Parse it as the printf statement above into k, n, and piece.
    - Let (K,N) be your currently stored fragment number, and F be your
      currently stored fragment.  [If you have no currently stored
      fragment, then K = N = 0 and F = "".]

    - If k == 0 or n == 0 or k > n, discard this (illegal) fragment.

    - If k == 1:
      - Forget any stored fragment you may have
      - Store (piece) as F.
      - Store (k,n) as (K,N).

    - If n == N and k == K+1:
      - Append (piece) to F.
      - Store (k,n) as (K,N).

    - Otherwise:
      - Forget any stored fragment you may have
      - Store "" as F.
      - Store (0,0) as (K,N).

    After this, if N > 0 and K == N, treat F as the received message.

    If you receive an unfragmented message, forget any stored fragment
    you may have, store "" as F and store (0,0) as (K,N).

Example:

    Here is an OTR Key Exchange Message we would like to transmit over a
    network with an unreasonably small maximum message size:

	?OTR:AAEKAQAAAICGmmRMlmuq4gY7Ro0GiYAJKWwVZyITNyifFP9VRIVgyxxGxwV
	bFjoGMhO9XE0xFisuO6M27DPkX7hCtIXZM2glDszmTklQO5hJPu0g/RgDZ84q0ee
	Q5AvexW3Hmp/VHUPTpZfJPep/Ctiqn0oE2y/2yRPyYQjpZCL440sM5i7B1wAAABT
	zzL9WbuaxOK8rfrtaw4Lx/iLxeQAAAIAWaGpchsVOV1D6xK5cS5QNANelTvyVHre
	XPSRjU0NFKIHrNDiFwa8lXcIBH/E8MHoQDzw+J2AuU6MuICPT8GMJYBcSZq0OM7x
	gmfNlt1viUXxJXbYRpD82ki7QsMA1I7aQo/OqMryKlW5W8UqEjVcCsTOjEyQphLY
	ENG6St9+ivgAAAIBgUjzleG1+VYCXZszTj+x5gNNidVVNKI+MG5elHMcsg2Guef3
	DBYEsor6YGeqJLAfhk28Tg7tktMQwGN5GXR1ZNkwkoFIOyVRq3lfabfHtsTp+Hkx
	5e8OrhTZ1G+ScDeqYbbTtUj631LhXUoyp+7pllVtpyLgqk5z9JYu6Kw0ZkQAAAAE
	AAADASZH/uq17EVRo6dBZIL12x9JLx4gpEjgovfNLoORa6E+sMMuG7Z+zfLQVodX
	H5shi/dvPzwbVrA/Iw72XHSYtld8lK/FLtjsI5mzancvRAEs1ZDBoBJRLW1X54eF
	HpN/peDi6fBbdXyGahWYyF9MCJxDFCRqAHvEMZbfdyEtkXbFUZM2lJM2SJJG9zGZ
	LCvd2/gF/VOgMlvdus+8TFW0k7cBhAgm/rb+EUeovkWXy2BiVpInXKCCH+M6EVpU
	YNG7BPtH44ABwUw6Y5n5sSb6dtout34NGz+dspXMajffkZxFOAcabRwKIpw==.

    We could fragment this message into (for example) three pieces:

	?OTR,1,3,?OTR:AAEKAQAAAICGmmRMlmuq4gY7Ro0GiYAJKWwVZyITNyifFP9VRI
	VgyxxGxwVbFjoGMhO9XE0xFisuO6M27DPkX7hCtIXZM2glDszmTklQO5hJPu0g/R
	gDZ84q0eeQ5AvexW3Hmp/VHUPTpZfJPep/Ctiqn0oE2y/2yRPyYQjpZCL440sM5i
	7B1wAAABTzzL9WbuaxOK8rfrtaw4Lx/iLxeQAAAIAWaGpchsVOV1D6xK5cS5QNAN
	elTvyVHreXPSRjU0NFKIHrNDiFwa8lXcIBH/E8MHoQDzw+J2AuU6MuICPT8GMJYB
	cSZq0OM7xgmfNlt1viUXxJXbYRpD82ki7QsMA1I7aQo/OqMryKlW5W8UqEjVcCsT
	OjEyQphLY,

	?OTR,2,3,ENG6St9+ivgAAAIBgUjzleG1+VYCXZszTj+x5gNNidVVNKI+MG5elHM
	csg2Guef3DBYEsor6YGeqJLAfhk28Tg7tktMQwGN5GXR1ZNkwkoFIOyVRq3lfabf
	HtsTp+Hkx5e8OrhTZ1G+ScDeqYbbTtUj631LhXUoyp+7pllVtpyLgqk5z9JYu6Kw
	0ZkQAAAAEAAADASZH/uq17EVRo6dBZIL12x9JLx4gpEjgovfNLoORa6E+sMMuG7Z
	+zfLQVodXH5shi/dvPzwbVrA/Iw72XHSYtld8lK/FLtjsI5mzancvRAEs1ZDBoBJ
	RLW1X54eFHpN/peDi6fBbdXyGahWYyF9MCJxDFCRqAHvEMZbfdyEtkXbFUZM2lJM
	2SJJG9zGZ,

	?OTR,3,3,LCvd2/gF/VOgMlvdus+8TFW0k7cBhAgm/rb+EUeovkWXy2BiVpInXKC
	CH+M6EVpUYNG7BPtH44ABwUw6Y5n5sSb6dtout34NGz+dspXMajffkZxFOAcabRw
	KIpw==.,