Many Instant Messenger clients can secure conversation by tunneling messages over transport layer security (TLS) to provide encryption, including XMPP (or Jabber), IRC, and the OSCAR protocol used by AIM. There is nothing wrong with TLS, but a considerably secure solution for IM is a protocol called Off-the-Record (OTR).
What is Off-the-Record?
Image credit: Bigstockphoto
Off-the-Record is a cryptographic protocol that provides strong encryption for instant messaging conversations. In addition to authentication and encryption, OTR provides the ability for conversation participants to deny the conversation, while keeping conversations confidential, like a private conversation in real life. This is the primary motivation behind the protocol which was designed by cryptographers Ian Goldberg and Nikita Borisov.
OTR provides better security than TLS and other connection-oriented protocols by setting up a new public/private key pair for each message communicated over the channel. This is in contrast with other cryptography tools, such as PGP, that require the users to already have a public/private key pair to be retrieved and verified in an outside channel. Such output can be later used as a verifiable record of the communication event and the identities of the participants. In most cases, people using such cryptography software are not aware of this.
With the OTR protocol, when both participants in a conversation agree to start an OTR session, the clients set up an encrypted channel with Diffie-Hellman key exchange, then perform a mutual authentication routine inside that channel to verify each other's identity. After the setup, a new key exchange is performed on every message sent, based on incrementing the previously acknowledged key. The participants can independently verify each other's identity using the "Socialist Millionaires' Protocol" (SMP) which allows mutual verification without exchanging private data.
The multiple key exchanges provide "perfect forward secrecy" which means that compromising one key does not let an attacker decrypt your previous conversations. This is one of OTR's big advantages over TLS-like encryption alone. The other advantage is "deniable encryption"
Deniable encryption allows an encrypted message to be decrypted to different sensible plaintexts, depending on the key used. This allows the users to convincingly deny that the data that is encrypted is the one that the user is accused of sending. Such convincing denials may or may not be genuine, but the point is that the alleged decrypted message cannot ever be proven to be authentic.
Note: Do not confuse Off-the-Record protocol with ‘off the record’ function found in Gtalk/Gmail. Off the record in Gtalk simply turns off chat logging so that messages exchanged are not archived. It has nothing to do with secured communication.
How to use Off-the-Record?
Off-the-Record Messaging is supported out of the box in a small number of IM clients.
- climm (Unix-like)
- MCabber (Unix-like)
- CenterIM (Unix-like)
- Phoenix Viewer (Cross-platform)
- Vacuum IM (Cross-platform)
- Jitsi (Cross-platform)
- BitlBee (Cross-platform)
- Spark (cross-platform)
- Gibberbot, an XMPP client for Android
Using plug-ins, OTR can be implemented in the following IM clients.
- Miranda IM
- irssi, xchat, and weechat
For this article I’ll be using Pidgin, because Pidgin has the best implementation of the OTR protocol. Pidgin also offers an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations.
Download OTR plug-in for Pidgin from this website. Plug-ins for other IM clients are available from the same site.
After it’s installed, login to your chat account on Pidgin and then from Tools menu click on Plugins. Scroll down the plugin list and select Off-the-Record Messaging and click Configure Plugin.
You’ll now need to generate a key. You might also prefer to not log OTR conversations for added privacy.
From your list of buddies, select a contact and initiate a chat conversation like you normally would. From the private chat window, click on the OTR menu and choose ‘Start private conversation’. After a brief exchange of authentication keys secure chat will be enabled.
You can choose to authenticate a buddy (from the OTR menu) by different means such as Question and Answer or a Shared secret.
The private conversation can be ended or refreshed at any point by either parties.
The video below demonstrates Off-the-Record messaging between two different IM clients.