April 12, 2005

Any secret conversation involves two main components: two-way authenticity and the right of denial. Before going further, let’s look at what that statement actually means.

Consider a scenario in which a murderer confesses his crime to a priest. Under normal conditions, only the priest is supposed to know about the confession, and if anyone else, say the cops, wants to know about it, the only option is to take the priest’s word. But in that case the murderer can deny that he ever said anything to the priest about the crime (right of denial). At the same time, the priest knows very well that the murderer confessed to him (a simple, two-way volatile authenticity).

This scenario shows that the main property of a secret casual conversation should be a volatile authentication that doesn’t leave any trace or record behind. The OTR (Off-the-Record) protocol has been developed to provide this kind of environment for IMs.

Benefits of OTR 
In general, when we encrypt something, we use the standard private and public key concept along with digital signatures. But in that case, if someone gets hold of your machine or your private keys, he can decrypt all your old messages, and if you don’t change the key pairs, future messages can be decrypted as well.

Direct Hit!
Applies to: IM users
Configure OTR software to have an encrypted chat over Yahoo, MSN or several other IM clients. 

And because of digital signatures, these messages can be proven to be yours, and you won’t even be able to deny them.

But for IMs, which are meant to be a casual chat medium, the right of denial is also important along with confidentiality, and that’s what OTR provides. It generates short-lived key pairs, encrypts them with comparatively longer-lived keys and piggybacks them on the message itself. At the same time, it removes the older keys completely from memory. It follows this process for nearly each and every message, which makes the messages truly volatile and secure at the same time. So if someone gets hold of your key pairs, he can’t do anything with them, because the key pairs are changed with each and every message.
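The per-message key rotation described above, sketched as an added example (not code from OTR, GAIM or the original article): each message is encrypted and MACed under keys derived from the current short-lived key pairs, carries the sender's next public key, and the old private key is then dropped. The use of Diffie-Hellman, the toy group, the demo-only XOR cipher and all function names are assumptions made for illustration, and the longer-lived keys are left out.

```python
import hashlib, hmac, secrets
P, G = 2**255 - 19, 2  # toy DH group (assumption), much smaller than a real deployment would use

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(priv, peer_pub):
    """Hash the DH shared secret into (encryption key, MAC key)."""
    s = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()

def xor_pad(key, data):
    """Demo-only cipher: XOR data with SHA-256(key || counter) blocks."""
    pad = b"".join(hashlib.sha256(key + bytes([i])).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(priv, peer_pub, text):
    """Encrypt and MAC one message; piggyback the sender's next public key."""
    enc, mac = derive(priv, peer_pub)
    next_priv, next_pub = keypair()
    body = next_pub.to_bytes(32, "big") + xor_pad(enc, text)
    return next_priv, body, hmac.new(mac, body, hashlib.sha256).digest()

def unseal(priv, peer_pub, body, tag):
    """Check the MAC, then return (sender's next public key, plaintext)."""
    enc, mac = derive(priv, peer_pub)
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return int.from_bytes(body[:32], "big"), xor_pad(enc, body[32:])

def demo():
    (a0, A0), (b0, B0) = keypair(), keypair()      # first short-lived key pairs
    a1, body, tag = seal(a0, B0, b"meet at noon")  # Alice -> Bob; a0 is dropped after this
    A1, plain = unseal(b0, A0, body, tag)          # Bob reads it with b0
    # Deniability: Bob derives the same MAC key, so his own message verifies like Alice's.
    _, fbody, ftag = seal(b0, A0, b"never said this")
    forged_ok = unseal(b0, A0, fbody, ftag)[1] == b"never said this"
    b1, reply, rtag = seal(b0, A1, b"ok")          # Bob -> Alice; b0 is dropped after this
    reply_plain = unseal(a1, B0, reply, rtag)[1]
    # Both machines are seized now: only a1 and b1 remain, and neither opens message 1.
    leaked = []
    for priv, pub in ((a1, B0), (b1, A0)):
        try:
            leaked.append(unseal(priv, pub, body, tag)[1])
        except ValueError:
            pass
    return plain, reply_plain, forged_ok, leaked
```

Because the MAC key is shared, the tag convinces the recipient but proves nothing to a third party, which is the contrast with the digital signatures mentioned earlier.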

The other benefit of OTR is that it is free and works with any IM network that you can run on GAIM. So from now on you don’t need to install a Jabber server on your network for encrypted chatting. All your Yahoo, MSN, ICQ, Gadu-Gadu and other messages can be encrypted with just a click. As GAIM for Windows is available, you can use OTR on Windows as well.

Installation and usage
All you need to use OTR on a Linux machine is the X Window System installed and a running GAIM client. GAIM is available with all standard Linux distributions such as PCQLinux, Fedora and Debian, so you don’t have to hunt for it. Now download libotr-2.0.1-1.rpm and gaim-otr-2.0.1-1.i386.rpm from
‘ and install them by running the following commands. 

# rpm -ivh libotr-2.0.1-1.rpm
# rpm -ivh gaim-otr-2.0.1-1.i386.rpm

While installing, mind the sequence or you will end up with dependency problems. Now that the installation is done, your OTR is ready to work. 

After installing OTR, click on the ‘OTR-Not Private’ button to start an encrypted session with the other party 

Start GAIM, go to Tools>Preferences and select the Plug-ins link on the left-hand side of the window. Scroll to the option that says ‘Off-the-Record Messaging’, select its check box and close the window. Now whenever you open a chat window, you will see a new button at the bottom right of the window that says ‘OTR: Not private’. Clicking this will start the OTR protocol, and if the person you are chatting with also has OTR installed, a new private session will start and the button will change to ‘OTR: private’.

To test the performance of the software, we tried it against a sniffer called ettercap that can capture IM conversations. We found that the data stream traveling between both secure clients using Yahoo over GAIM (secured with OTR) was completely scrambled and unreadable by the sniffer. We captured the traffic while both clients were authenticating each other (when one presses the ‘OTR: Not private’ button), hoping to capture the key pairs as they were transferred to the other machine. Fortunately, we found that the keys were also encrypted in the process and the sniffer was not able to read them!

Anindya Roy
