Off-the-Record Messaging
Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm (128-bit keys, in counter mode), the Diffie–Hellman key exchange, and the SHA-1 hash function (as HMAC-SHA1, for message authentication). In addition to authentication and encryption, OTR provides perfect forward secrecy and malleable encryption. The malleability is deliberate: because AES runs in counter mode, altering a ciphertext bit alters the corresponding plaintext bit, and this, together with the absence of signatures on messages, is what makes a recorded transcript forgeable and therefore deniable.
The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with other cryptography tools that produce output which can later be used as a verifiable record of the communication event and the identities of the participants: a PGP-signed message, for example, is proof to anyone holding the signer's public key that its owner wrote it. In most cases, people using such cryptography software are not aware of this and might be better served by OTR tools instead. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".
The OTR protocol was designed by cryptographers Ian Goldberg and Nikita Borisov. They provide a client library to facilitate support for instant messaging client developers who want to implement the protocol, and a special OTR proxy for AIM, ICQ, and .Mac clients which support proxies. Pidgin and Kopete plugins exist that allow OTR to be used over any IM protocol supported by Pidgin or Kopete, offering an auto-detection (opportunistic encryption) feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations.
Implementation
In addition to providing encryption and authentication, features also provided by typical public-key cryptography suites such as PGP, GnuPG, and X.509 (S/MIME), OTR also offers some less common features:
- Perfect forward secrecy: Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie–Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts. The long-lived DSA key signs only the initial key exchange, never the messages themselves.
- Deniable authentication: Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, ensuring that it is impossible to prove that a specific message came from a specific person. Within the conversation the recipient can be sure that a message is coming from the person they have identified. Two protocol choices make the later forgery practical: the message authentication code is a symmetric HMAC that both parties can compute, and once a MAC key can no longer authenticate a live message, OTR publishes it in a later message so that anyone can produce validly authenticated transcripts.
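Both properties above come down to what happens in a single message round, shown here as an added example written for this page. It is not libotr code and it simplifies the real protocol: a toy 521-bit Diffie–Hellman group stands in for the 1536-bit MODP group OTR specifies, a SHA-256 counter-mode keystream stands in for AES-CTR (the Python standard library has no AES, and the malleability is the same), and the signed initial key exchange is not modelled. The names `dh_keypair`, `derive_keys`, `seal`, `open_` and `conversation` are this example's own.

```python
import hashlib
import hmac
import secrets

# Assumption: toy Diffie-Hellman group so the example runs in milliseconds. OTR
# itself uses the 1536-bit MODP group; never use these parameters for real traffic.
P = 2**521 - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair() -> tuple[int, int]:
    """Fresh ephemeral exponent and public share; OTR uses a new one per message."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_keys(shared: int) -> tuple[bytes, bytes]:
    """Encryption key from the DH secret; MAC key as a hash of the encryption key,
    as OTR does, so anyone able to read a message is also able to MAC one."""
    enc_key = hashlib.sha256(b"\x01" + shared.to_bytes(P_BYTES, "big")).digest()[:16]
    mac_key = hashlib.sha1(enc_key).digest()
    return enc_key, mac_key


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream standing in for AES-CTR (no AES in the standard
    library). Like AES-CTR it is malleable: flip a ciphertext bit, and the
    matching plaintext bit flips."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt then MAC. No signature anywhere: the only authenticator is a
    symmetric HMAC-SHA1 that both endpoints (and later, anyone) can compute."""
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ct, hmac.new(mac_key, ct, hashlib.sha1).digest()


def open_(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Reject anything whose MAC does not verify, then decrypt."""
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha1).digest(), tag):
        raise ValueError("MAC check failed")
    return xor(ct, keystream(enc_key, len(ct)))


def conversation() -> dict:
    """Two rounds between Alice and Bob, then a forgery by an outsider."""
    # Round 1: both sides pick fresh DH shares; this message's keys come from them.
    a1, pub_a1 = dh_keypair()
    b1, pub_b1 = dh_keypair()
    enc1, mac1 = derive_keys(pow(pub_b1, a1, P))
    assert derive_keys(pow(pub_a1, b1, P)) == (enc1, mac1)  # both ends agree
    ct1, tag1 = seal(enc1, mac1, b"meet at noon")
    bob_reads = open_(enc1, mac1, ct1, tag1)

    # Round 2: new shares, new keys. A real client now erases a1 and b1, so a
    # later compromise of any long-term key cannot rebuild enc1 (forward
    # secrecy). And once mac1 can no longer authenticate a live message, OTR
    # sends it in the clear inside a later message.
    a2, _ = dh_keypair()
    _, pub_b2 = dh_keypair()
    enc2, mac2 = derive_keys(pow(pub_b2, a2, P))
    published_mac_key = mac1

    # Forgery: an outsider who recorded ct1, later saw the published MAC key and
    # can guess the plaintext flips bits through the malleable ciphertext and
    # re-MACs. The transcript now authenticates a message Alice never sent, so it
    # cannot prove to a third party what she did send.
    forged_ct = xor(ct1, xor(b"meet at noon", b"meet at dusk"))
    forged_tag = hmac.new(published_mac_key, forged_ct, hashlib.sha1).digest()
    forged_plaintext = open_(enc1, mac1, forged_ct, forged_tag)  # MAC passes

    return {
        "bob_reads": bob_reads,
        "forged_plaintext": forged_plaintext,
        "round2_keys_differ": (enc2, mac2) != (enc1, mac1),
    }


if __name__ == "__main__":
    print(conversation())
```

Running `conversation()` shows the three facts the list states: Bob reads what Alice sent, the round-2 keys share nothing with round 1, and an outsider holding only the ciphertext and the published MAC key produces a second message with a valid MAC. The recipient's MAC check is still meaningful in real time because, until the key is published, only the two endpoints can compute it.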
Authentication
As of OTR 3.1 the protocol supports mutual authentication of users using a shared secret through the socialist millionaire protocol. This feature makes it possible for users to verify the identity of the remote party and avoid a man-in-the-middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel. The secret itself is never transmitted: each side learns only whether the other side's value matched, so a wrong guess by an impostor reveals nothing about the real answer. The value actually compared is a hash that also covers both parties' key fingerprints and the session id, so a man in the middle who relays the exchange between two honest sessions fails even if he knows the secret.
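The arithmetic of that exchange, as an added example for this page (not libotr code): OTR's socialist millionaire protocol with the zero-knowledge proofs that accompany each real message omitted, over a toy 521-bit group (OTR uses the 1536-bit MODP group), with constructed fingerprint and session-id values. `smp`, `smp_secret` and `verify_peer` are this example's names.

```python
import hashlib
import secrets

# Assumption: toy group so the example runs quickly; OTR uses the 1536-bit MODP
# group. Never use these parameters for real traffic.
P = 2**521 - 1
G = 3


def rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1


def inv(x: int) -> int:
    return pow(x, -1, P)


def smp_secret(initiator_fp: bytes, responder_fp: bytes, session_id: bytes, answer: bytes) -> int:
    """OTR never compares the raw answer. It hashes it together with both key
    fingerprints and the session id, so a man in the middle relaying SMP between
    two honest sessions ends up with different values on each side even if he
    knows the answer."""
    h = hashlib.sha256(b"\x01" + initiator_fp + responder_fp + session_id + answer)
    return int.from_bytes(h.digest(), "big")


def smp(x: int, y: int) -> tuple[bool, bool]:
    """Alice holds x, Bob holds y. Returns (alice_accepts, bob_accepts); each side
    learns only whether the two values were equal."""
    # Steps 1 and 2: fresh generators g2 and g3 that neither side controls alone.
    a2, a3, b2, b3 = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)          # Alice -> Bob
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)          # Bob -> Alice
    g2, g3 = pow(g2b, a2, P), pow(g3b, a3, P)        # Alice's view
    assert (g2, g3) == (pow(g2a, b2, P), pow(g3a, b3, P))  # equals Bob's view

    # Step 3: Bob blinds y with a random r.
    r = rand_exp()
    pb, qb = pow(g3, r, P), pow(G, r, P) * pow(g2, y, P) % P   # Bob -> Alice

    # Step 4: Alice blinds x with s and raises Qa/Qb to her a3.
    s = rand_exp()
    pa, qa = pow(g3, s, P), pow(G, s, P) * pow(g2, x, P) % P   # Alice -> Bob
    ra = pow(qa * inv(qb) % P, a3, P)                          # Alice -> Bob

    # Step 5: Bob raises Qa/Qb to his b3. Each side then combines the other's
    # value with its own exponent and gets (Qa/Qb)^(a3*b3)
    #   = g3^(s-r) * g2^(a3*b3*(x-y)).
    # Pa/Pb = g3^(s-r), so the two agree exactly when x == y; otherwise the
    # leftover factor is a value neither side can predict or strip off.
    rb = pow(qa * inv(qb) % P, b3, P)                          # Bob -> Alice
    target = pa * inv(pb) % P
    return pow(rb, a3, P) == target, pow(ra, b3, P) == target


def verify_peer(answer_alice: bytes, answer_bob: bytes) -> tuple[bool, bool]:
    """Constructed session: both clients see the same fingerprints and session id
    and hash their own user-typed answer into the SMP secret."""
    fp_alice, fp_bob, sid = b"FP-ALICE", b"FP-BOB", b"SSID-42"   # constructed values
    return smp(smp_secret(fp_alice, fp_bob, sid, answer_alice),
               smp_secret(fp_alice, fp_bob, sid, answer_bob))


if __name__ == "__main__":
    print(verify_peer(b"the cat's name", b"the cat's name"))  # (True, True)
    print(verify_peer(b"the cat's name", b"the dog's name"))  # (False, False)
```

Note what a wrong answer yields: the mismatch is not an error message but a random-looking group element on both sides, so a failed run leaks nothing about either value, and an attacker gets exactly one guess per run.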
Limitations
Due to limitations of the protocol, OTR does not support multi-user group chat as of 2009 or encrypted file transfers, but these may be implemented in the future. Support for encrypted audio or video is not planned.
Native
These clients support Off-the-Record Messaging out of the box.
- Adium (Mac OS X), but an older version.
- climm (Unix-like), since (mICQ) 0.5.4.
- MCabber (Unix-like), since 0.9.4
- CenterIM (Unix-like), since 4.22.2
- Phoenix Viewer (successor of Emerald Viewer), a Second Life client (Cross-platform)
- Vacuum IM (Cross-platform)
- Jitsi (Cross-platform)
- BitlBee (Cross-platform), since 3.0 (optional at compile-time)
- Spark (Cross-platform), since 2.6.2
Via plug-in
The following clients require a plug-in to use Off-the-Record Messaging. Plugin support allows use of OTR with all of a client's implemented instant messaging protocols (e.g. OSCAR, XMPP, MSN, YIM/YMSG, etc.).
- Pidgin (Cross-platform), with a plugin available from the OTR homepage
- Kopete (Unix-like), either with a third-party plugin or, since the addition of Kopete-OTR on 12 March 2008, with the version of Kopete shipped with KDE 4.1.0 and later releases.
- Miranda IM (Microsoft Windows), with a third-party plugin
- Psi (Cross-platform), with a third-party plugin and build; natively usable in Psi+
- Trillian (Microsoft Windows), with a third-party plugin
- irssi, with a third-party plugin
Proxy
For those clients which have no native OTR support, a proxy with a graphical interface is available. Messages are sent to the proxy unencrypted and get encrypted while they "flow" through this locally installed and running application; the unencrypted hop exists only on the local machine, so anything else running as that user can read it. Currently, the proxy provided by the OTR project supports only the OSCAR protocol, thus it can be used for .Mac, ICQ, and AIM. The OTR proxy is capable of SOCKS5, HTTPS, and HTTP.
Some .Mac, ICQ, and AIM clients that support proxies, but do not support OTR natively:
- AOL Instant Messenger (Mac OS X, Microsoft Windows)
- iChat (Mac OS X)
- Proteus (Mac OS X)
Phone apps
- "TextSecure", a free Android application released by Whisper Systems in 2010, provides secure SMS text messaging using a protocol based on OTR (with elliptic-curve keys instead of finite-field Diffie–Hellman keys, to save space in the small SMS payload).
- "Gibberbot" (formerly OtRChat), a free and open source Android application (still in early development) produced by The Guardian Project, provides OTR-compatible encryption over XMPP chat.
- "ChatSecure" (formerly "Off the Record"), a free open-source iPhone application (in early development) providing OTR encryption over the AIM and XMPP protocols.
External links
- OTR project site
- Protocol description
- Off-the-Record Messaging: Useful Security and Privacy for IM, talk by Ian Goldberg at the University of Waterloo (video).
- OTR installation: detailed installation instructions for various platforms.