
From Wikipedia:

>OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function.

What specifically is wrong with any of that?




None of those sizes are considered secure these days. AES-128 is the strongest of the bunch, though much more vulnerable to multi-channel attack[0] than AES-256 (and OTR would be a definite place to use that if you have a number of people). It's at the lowest end of suggested symmetric key sizes in the approved NIST document[1] right now. Diffie-Hellman key exchange with 1536 bits is considered to be within nation-state reach, providing only 89 bits of actual security[2]. SHA-1 has been considered insecure since 2005[3], with chosen-prefix attacks now considered practical; if, somehow, the Bitcoin network were retargeted to SHA-1 chosen-prefix attacks, it would be capable of generating 32 such per second.

0: https://crypto.stackexchange.com/questions/75880/what-is-a-m...

1: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/r...

2: https://weberblog.net/site-to-site-vpns-with-diffie-hellman-...

3: https://sha-mbles.github.io/


0. What use would a break of a random OTR user's AES-128 be if it took millions of dollars, years and a significant chunk of all the memory that exists? And only a single session key's worth.

1. Does that not mean that NIST considers AES-128 secure?

2. Who exactly thinks that 1536-bit DH is breakable by nation states? The closest I have heard is 1024-bit DH. Note that we are talking messaging here, where a break gets you one user's messages.

3. Exactly what sort of attack would be possible against OTR using a practical SHA-1 collision?
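The two comments above argue about how much security each of OTR's parameter sizes actually buys. As an added worked example (not code from either commenter or from the OTR project), the script below turns a finite-field DH modulus size into a bits-of-security estimate the way published tables do: it evaluates the general number field sieve cost L_n[1/3, (64/9)^(1/3)], then calibrates that curve against a reference point. The NIST SP 800-57 Part 1 table embedded here is the one the first comment cites; the choice of 1024 bits = 80 bits as the calibration anchor is an assumption made for this example, and different anchors are why the thread's "89 bits" and NIST's figures for the same modulus size do not coincide. The SHA-1 line uses the 2^63.4 chosen-prefix collision cost reported on the cited sha-mbles page and applies only where a protocol actually relies on collision resistance, which is the question the second comment raises.

```python
import math

# Comparable-strength table from NIST SP 800-57 Part 1 (cited in the thread):
# finite-field DH / RSA modulus bits -> bits of security.
NIST_FFC_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# Chosen-prefix SHA-1 collision cost in SHA-1 compressions (Leurent & Peyrin,
# the sha-mbles result cited in the thread). Preimage resistance is untouched.
SHA1_CHOSEN_PREFIX_COLLISION_BITS = 63.4


def gnfs_cost_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS running time L_n[1/3, (64/9)^(1/3)] for an
    n of the given bit length. Discrete logs in a prime field of this size fall
    to the same algorithm family, so this curve is what 'bits of security' for
    DH-1536 is derived from. Absolute constants are unknown; use calibrated()."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return (c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)) / math.log(2)


def calibrated_strength_bits(modulus_bits: int,
                             anchor_bits: int = 1024,
                             anchor_strength: int = 80) -> float:
    """Shift the raw GNFS curve so the anchor modulus maps to the strength the
    reference table assigns it (assumption for this example: 1024 -> 80, as in
    SP 800-57). Every published table picks some such anchor; the thread's
    '89 bits' for 1536-bit DH comes from a different calibration than NIST's."""
    offset = gnfs_cost_bits(anchor_bits) - anchor_strength
    return gnfs_cost_bits(modulus_bits) - offset


def weakest_component(components: dict) -> tuple:
    """Return (name, bits) of the component that bounds the whole system:
    an attacker pays the cheapest attack, not the average one."""
    name = min(components, key=components.get)
    return name, components[name]


def otr_parameter_strengths() -> dict:
    """Security estimates for the three parameters quoted from Wikipedia."""
    return {
        "AES-128 key (single-target brute force)": 128.0,
        "DH-1536 (GNFS, calibrated to 1024->80)": calibrated_strength_bits(1536),
        "SHA-1 chosen-prefix collision": SHA1_CHOSEN_PREFIX_COLLISION_BITS,
    }


if __name__ == "__main__":
    print("modulus  raw GNFS  calibrated  NIST SP 800-57")
    for bits in (1024, 1536, 2048, 3072):
        nist = NIST_FFC_STRENGTH.get(bits, "-")
        print(f"{bits:>7}  {gnfs_cost_bits(bits):8.1f}  "
              f"{calibrated_strength_bits(bits):10.1f}  {nist}")
    strengths = otr_parameter_strengths()
    for name, bits in strengths.items():
        print(f"{name:45s} ~2^{bits:.1f}")
    print("weakest link:", weakest_component(strengths))
```

The calibrated column lands within a few bits of NIST's table for 2048 and 3072, which is the point: the curve is sub-exponential, so 1536 bits sits much closer to the 80-bit 1024-bit group than to the 112-bit 2048-bit group, and the DH group, not AES-128, is what bounds a session's strength against a passive adversary who records the key exchange. Whether the SHA-1 figure matters depends on where OTR uses the hash, which the thread leaves open.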



