What could be very convenient and extremely dangerous at the same time? A chat that's tapped. And what's the best way to counter this danger? By using OTR encryption for chat! Yes, today we're going to focus on how to protect instant messaging from any kind of surveillance.
OTR stands for "off the record". This is a cryptographic protocol that enables users to have private, secure chat sessions while still using familiar messaging tools.
But OTR is far more than a chat encryption tool. It provides four major benefits:
- End-to-end encryption — the message is encrypted at the sender's side and decrypted only at the receiver's side; nothing and no one in between can read the message
- Forward secrecy, also known as perfect forward secrecy — for protecting past chat sessions against future compromises of secret keys or passwords
- Mutual authentication — for making sure that the person you're chatting with really is that person and vice versa
- Deniable authentication — for making it impossible to prove to a third party that someone really sent a specific message
Moving on, we're going to dive deeper into each of these features so that OTR encryption for chat becomes as plain as plaintext to you.
OTR end-to-end encryption
First of all, make sure you don't confuse the OTR protocol with Google's Off The Record feature, which simply disables chat logging and doesn't provide any encryption or verification capabilities. (You can't help but think they did it on purpose, right?...)
Back to the real Off-the-Record Messaging now. It was created by cryptographers Ian Goldberg and Nikita Borisov and released in 2004. They also released a client library to make it easier for IM client developers to add OTR support.
The protocol uses a combination of the AES (Advanced Encryption Standard) symmetric-key algorithm, the Diffie-Hellman key exchange, and the SHA-2 hash function.
All these complicated terms mean that no one — not your network provider, nor the government or even the chat service provider — can read the content of your messages without the right decryption key, no matter how much computing power they have. The entire communication is literally encrypted end-to-end.
Since OTR is based on a symmetric key approach, you must remember that the same private key is used to encrypt and decrypt a certain message. There are no public keys here, unlike PGP.
But how is this key shared between the communicating parties in the first place? This is what the Diffie-Hellman key exchange algorithm is for. In short, it lets two people establish a shared secret over a public network, which they can then use to protect the data they exchange.
Perfect forward secrecy
Speaking about keys, perhaps you're wondering what would happen if that single key for encryption and decryption gets compromised. Would the entire past (and future) communication be revealed?
Fortunately, the answer is no, thanks to forward secrecy in OTR. With this feature, users can rest assured that even if a key or password gets compromised, past session keys are not compromised along with it. How come? Because OTR generates a new key for every new chat session.
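To make the key exchange and forward-secrecy points above concrete, here is an added Python example; it is not code from the original post or from Secure Chat. It runs one Diffie-Hellman exchange per chat session over the 1536-bit MODP group from RFC 3526 that the OTR spec uses, derives a session key with SHA-256, and then shows that a key leaked from one session opens only that session. The standard library has no AES, so the encryption step uses an HMAC-SHA256 counter-mode keystream as a stand-in for the AES-CTR OTR actually uses; the exponent size and the key-derivation label are simplifications assumed by this example, not the OTR wire format.

```python
import hashlib
import hmac
import secrets

# 1536-bit MODP group from RFC 3526 (group 5), the DH group the OTR spec uses; generator 2
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Fresh ephemeral DH key for one session: private exponent x and public value g^x mod p.
    The 320-bit exponent size is an assumption of this example."""
    x = 2 + secrets.randbelow(2**320 - 2)
    return x, pow(G, x, P)


def dh_shared_secret(my_private, their_public):
    """Both sides land on the same value: (g^y)^x == (g^x)^y mod p."""
    return pow(their_public, my_private, P)


def derive_key(shared_secret, label):
    """Session key = SHA-256(label || shared secret); simplified stand-in for OTR's SHA-based derivation."""
    s = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + s).digest()


def ctr_xor(key, data):
    """Counter-mode keystream from HMAC-SHA256, XORed over the data (one call both encrypts and decrypts).
    Stand-in for the AES-CTR that OTR uses, since the standard library has no AES."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def run_session(plaintext):
    """One chat session: Alice and Bob each pick a brand-new ephemeral DH key,
    agree on a session key, and Alice encrypts one message under it."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_alice = derive_key(dh_shared_secret(a_priv, b_pub), b"otr-session")
    key_bob = derive_key(dh_shared_secret(b_priv, a_pub), b"otr-session")
    if key_alice != key_bob:
        raise RuntimeError("DH agreement failed")
    return {"key": key_alice, "ciphertext": ctr_xor(key_alice, plaintext)}


def forward_secrecy_demo():
    """Two sessions; the second session's key then leaks. Only the second session opens with it."""
    msg1 = b"session one: the meeting is at noon"  # constructed sample messages
    msg2 = b"session two: meeting moved to 3pm"
    s1, s2 = run_session(msg1), run_session(msg2)
    leaked = s2["key"]  # the attacker somehow obtains this one session key
    return {
        "keys_differ": s1["key"] != s2["key"],
        "leaked_opens_s2": ctr_xor(leaked, s2["ciphertext"]) == msg2,
        "leaked_opens_s1": ctr_xor(leaked, s1["ciphertext"]) == msg1,
        "own_key_opens_s1": ctr_xor(s1["key"], s1["ciphertext"]) == msg1,
    }


if __name__ == "__main__":
    print(forward_secrecy_demo())
```

The private exponents are never reused, so there is nothing stored that links session one's key to session two's: an attacker who captures a later key, or every ciphertext on the wire, still has to solve the discrete-log problem for session one.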
It all sounds pretty robust so far, right? But with all that secrecy, how can you be sure that the person you're connecting with is who they claim to be?
OTR has a solution for that, too. The primary way to really know who you're chatting with in OTR-enabled IM is to use a shared secret. Other possible ways are question and answer or manual fingerprint verification.
As of OTR 3.1, the protocol supports mutual authentication of users using a shared secret through the socialist millionaire protocol (funny name, right?). This feature makes it possible for correspondents to verify each other's identity remotely through the use of a shared secret. This not only prevents man-in-the-middle attacks, it also removes the inconvenience of manually comparing fingerprints.
While communicating users can be sure of each other's identity, no one else can prove that either of them wrote any of the messages they exchanged. After all, this is off-the-record messaging, right? But how?
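The following Python block, added here and not taken from the post or from Secure Chat, works through the arithmetic of the socialist millionaire protocol as OTR applies it: each side learns only whether the two secrets match, never the other side's secret, and someone who does not know the secret cannot pass the check. It uses the same RFC 3526 group as OTR and its six-step exchange (g2/g3 setup, Bob's Pb/Qb, Alice's Pa/Qa/Ra, Bob's Rb, both compare Rab with Pa/Pb). Two simplifications are assumptions of the example: it omits the zero-knowledge proofs the OTR spec attaches to every message (which stop a dishonest party from sending malformed values), and it derives the compared value from the secret string alone, whereas OTR also hashes in both fingerprints and the session id.

```python
import hashlib
import secrets

# 1536-bit MODP group from RFC 3526 (group 5); the OTR spec runs SMP in this group with generator 2
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G1 = 2
Q = (P - 1) // 2  # order of the subgroup generated by G1 (P is a safe prime)


def secret_to_exponent(secret: str) -> int:
    """Map the shared secret to a group exponent. Simplification: OTR hashes fingerprints and
    the session id in as well, so the same password yields different values per session."""
    return int.from_bytes(hashlib.sha256(secret.encode()).digest(), "big") % Q


def rand_exp() -> int:
    """Random non-zero exponent mod Q."""
    return 1 + secrets.randbelow(Q - 1)


def div(a: int, b: int) -> int:
    """a / b in the multiplicative group mod P."""
    return a * pow(b, -1, P) % P


def smp_compare(alice_secret: str, bob_secret: str):
    """Run SMP between Alice (secret x) and Bob (secret y). Returns (alice_ok, bob_ok)."""
    x, y = secret_to_exponent(alice_secret), secret_to_exponent(bob_secret)

    # Steps 1-2: exchange g1^a2, g1^a3 and g1^b2, g1^b3; both derive g2 = g1^(a2*b2), g3 = g1^(a3*b3)
    a2, a3, b2, b3 = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)  # Alice -> Bob
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)  # Bob -> Alice
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)

    # Step 3: Bob picks r and sends Pb = g3^r, Qb = g1^r * g2^y (y is blinded by r)
    r = rand_exp()
    Pb = pow(g3_bob, r, P)
    Qb = pow(G1, r, P) * pow(g2_bob, y, P) % P

    # Step 4: Alice picks s, sends Pa = g3^s, Qa = g1^s * g2^x and Ra = (Qa/Qb)^a3
    s = rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = pow(G1, s, P) * pow(g2_alice, x, P) % P
    Ra = pow(div(Qa, Qb), a3, P)

    # Step 5: Bob computes Rb = (Qa/Qb)^b3 and Rab = Ra^b3, checks Rab == Pa/Pb, sends Rb
    Rb = pow(div(Qa, Qb), b3, P)
    bob_ok = pow(Ra, b3, P) == div(Pa, Pb)

    # Step 6: Alice computes Rab = Rb^a3 and makes the same check
    alice_ok = pow(Rb, a3, P) == div(Pa, Pb)
    return alice_ok, bob_ok


if __name__ == "__main__":
    print("same secret:", smp_compare("our secret", "our secret"))
    print("wrong guess:", smp_compare("our secret", "wrong guess"))
```

Why this works: Qa/Qb equals g1^(s-r) * g2^(x-y), so Rab = (Qa/Qb)^(a3*b3) = g3^(s-r) * g1^(a2*b2*a3*b3*(x-y)), while Pa/Pb = g3^(s-r). The two agree exactly when x == y mod Q; when they differ, the leftover factor is a random-looking group element, which is all a man-in-the-middle or a guessing party ever sees.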
Due to the mutual authentication feature, OTR chat correspondents can be sure that the messages they see during a session are authentic and unmodified.
On the other hand, these messages don't bear any digital signatures that could link them to the source. This way, even if a third party somehow manages to obtain messages as ciphertext or plaintext, it couldn't prove that they were 100% sent by person A or B. Without digital signatures, no message can be attributed to either party, and it's also impossible to prove that any given message wasn't forged after the conversation was concluded.
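As an added example (again not the post's or Secure Chat's code), this Python block shows the mechanism behind the deniability just described: messages are authenticated with an HMAC under a key both parties share rather than with a signature. A valid tag proves to Bob that the message came from his session with Alice, but proves nothing to anyone else, because Bob could have produced the identical tag himself. It also mimics OTR's practice of publishing a MAC key once it is no longer needed, at which point even outsiders can produce valid tags. The session secret is a constructed random value standing in for the DH-derived key.

```python
import hashlib
import hmac
import secrets


def mac_key(session_secret: bytes) -> bytes:
    """MAC key derived from the session's DH secret (simplified; OTR derives several keys this way)."""
    return hashlib.sha256(b"mac" + session_secret).digest()


def tag(key: bytes, ciphertext: bytes) -> bytes:
    """Authenticate a (ciphertext) message with HMAC-SHA256 instead of a digital signature."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def verify(key: bytes, ciphertext: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, ciphertext), t)


def deniability_demo():
    session_secret = secrets.token_bytes(32)  # constructed stand-in for the DH-derived secret
    key = mac_key(session_secret)             # both Alice and Bob hold this same key

    # Inside the session: Bob accepts Alice's message and rejects a tampered copy (integrity),
    # and a message tagged under some other key is rejected (an injector without the key fails).
    alice_ct = b"ct:meet me at the usual place"  # constructed sample "ciphertext"
    alice_tag = tag(key, alice_ct)
    bob_accepts = verify(key, alice_ct, alice_tag)
    tampered_rejected = not verify(key, alice_ct[:-5] + b"diner", alice_tag)
    other_key_rejected = not verify(key, alice_ct, tag(mac_key(secrets.token_bytes(32)), alice_ct))

    # Deniability: Bob's tag on a message he invents is indistinguishable from one Alice would
    # have produced, so a transcript of (message, tag) pairs cannot show a third party who wrote what.
    bob_forgery = b"ct:forged by bob after the fact"
    forgery_verifies = verify(key, bob_forgery, tag(key, bob_forgery))

    # After the session OTR publishes the spent MAC key; now anyone at all can forge a valid tag.
    published_key = key
    outsider_ct = b"ct:anyone holding the published key can make this"
    outsider_verifies = verify(published_key, outsider_ct, tag(published_key, outsider_ct))

    return {
        "bob_accepts": bob_accepts,
        "tampered_rejected": tampered_rejected,
        "other_key_rejected": other_key_rejected,
        "forgery_verifies": forgery_verifies,
        "outsider_verifies": outsider_verifies,
    }


if __name__ == "__main__":
    print(deniability_demo())
```

The contrast with a signature scheme is the point: a signature verifies under a public key only its holder's private key could have produced, which is exactly the attribution OTR is designed to avoid.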
OTR out of the box
If you're still reading, I can make a safe bet you'd like to finally try out a real OTR-enabled chat client.
Since OTR's source code is open, there are many implementations of it, including one that we developed — the Secure Chat.
Secure Chat is one of our three flagship apps for end-to-end encrypted communication. We designed it around the OTR protocol over XMPP so that it offers end-to-end encryption out of the box. You get all the benefits of OTR wrapped in a user-friendly UI as soon as you install the app.
Currently, Secure Chat is available for Android and BlackBerry and is also included by default in Secure Phone, our flagship line of encrypted smartphones. It's compatible with many other OTR-protected IM apps.