Off-the-record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.
The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".[1]
The OTR protocol was designed by cryptographers Ian Goldberg and Nikita Borisov and released on 26 October 2004.[2] They provide a client library to facilitate support for instant messaging client developers who want to implement the protocol. A Pidgin and Kopete plugin exists that allows OTR to be used over any IM protocol supported by Pidgin or Kopete, offering an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations. Version 4 of the protocol[3] has been in development since 2017[4] by a team led by Sofía Celi, and reviewed by Nik Unger and Ian Goldberg. This version aims to provide online and offline deniability, to update the cryptographic primitives, and to support out-of-order delivery and asynchronous communication.
History
editOTR was presented in 2004 by Nikita Borisov, Ian Avrum Goldberg, and Eric A. Brewer as an improvement over the OpenPGP and the S/MIME system at the "Workshop on Privacy in the Electronic Society" (WPES).[1] The first version 0.8.0 of the reference implementation was published on 21 November 2004. In 2005 an analysis was presented by Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk that called attention to several vulnerabilities and proposed appropriate fixes, most notably including a flaw in the key exchange.[5] As a result, version 2 of the OTR protocol was published in 2005 which implements a variation of the proposed modification that additionally hides the public keys. Moreover, the possibility to fragment OTR messages was introduced in order to deal with chat systems that have a limited message size, and a simpler method of verification against man-in-the-middle attacks was implemented.[6]
In 2007 Olivier Goffart published mod_otr
[7] for ejabberd, making it possible to perform man-in-the-middle attacks on OTR users who don't check key fingerprints. OTR developers countered this attack by introducing a socialist millionaire protocol implementation in libotr. Instead of comparing key checksums, knowledge of an arbitrary shared secret can be utilised for which relatively low entropy can be tolerated.[8]
Version 3 of the protocol was published in 2012. As a measure against the repeated reestablishment of a session in case of several competing chat clients being signed on to the same user address at the same time, more precise identification labels for sending and receiving client instances were introduced in version 3. Moreover, an additional key is negotiated which can be used for another data channel.[9]
Several solutions have been proposed for supporting conversations with multiple participants. A method proposed in 2007 by Jiang Bian, Remzi Seker, and Umit Topaloglu uses the system of one participant as a "virtual server".[10] The method called "Multi-party Off-the-Record Messaging" (mpOTR) which was published in 2009 works without a central management host and was introduced in Cryptocat by Ian Goldberg et al.[11]
In 2013, the Signal Protocol was introduced, which is based on OTR Messaging and the Silent Circle Instant Messaging Protocol (SCIMP). It brought about support for asynchronous communication ("offline messages") as its major new feature, as well as better resilience with distorted order of messages and simpler support for conversations with multiple participants.[12] OMEMO, introduced in an Android XMPP client called Conversations in 2015, integrates the Double Ratchet Algorithm used in Signal into the instant messaging protocol XMPP ("Jabber") and also enables encryption of file transfers. In the autumn of 2015 it was submitted to the XMPP Standards Foundation for standardisation.[13][14]
Currently, version 4 of the protocol has been designed. It was presented by Sofía Celi and Ola Bini on PETS2018.[15]
Implementation
editIn addition to providing encryption and authentication — features also provided by typical public-key cryptography suites, such as PGP, GnuPG, and X.509 (S/MIME) — OTR also offers some less common features:
- Forward secrecy
- Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie–Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts.
- Deniable authentication
- Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, assuring that it is impossible to prove that a specific message came from a specific person. Within the conversation the recipient can be sure that a message is coming from the person they have identified.
Authentication
editAs of OTR 3.1, the protocol supports mutual authentication of users using a shared secret through the socialist millionaire protocol. This feature makes it possible for users to verify the identity of the remote party and avoid a man-in-the-middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel.
Limitations
editDue to limitations of the protocol, OTR does not support multi-user group chat as of 2009[update][16] but it may be implemented in the future. As of version 3[9] of the protocol specification, an extra symmetric key is derived during authenticated key exchanges that can be used for secure communication (e.g., encrypted file transfers) over a different channel. Support for encrypted audio or video is not planned. (SRTP with ZRTP exists for that purpose.) A project to produce a protocol for multi-party off-the-record messaging (mpOTR) has been organized by Cryptocat, eQualitie, and other contributors including Ian Goldberg.[11][17]
Since OTR protocol v3 (libotr 4.0.0) the plugin supports multiple OTR conversations with the same buddy who is logged in at multiple locations.[18]
Client support
editDeveloper(s) | OTR Development Team |
---|---|
Stable release | 4.1.1
/ 9 March 2016 |
Written in | C |
Operating system | Cross-platform |
Type | Software Library |
License | LGPL v2.1+[19] |
Website | otr |
Native (supported by project developers)
editThese clients support Off-the-Record Messaging out of the box (incomplete list).
- Adium (OS X)
- Blink SIP client (OS X)
- BitlBee (cross-platform), since 3.0 (optional at compile-time)[20]
- CenterIM (Unix-like), since 4.22.2
- ChatSecure (iOS)
- Zom Mobile Messenger (Android)
- climm (Unix-like), since (mICQ) 0.5.4
- Jitsi (cross-platform)
- Kopete (Unix-like)[21][22]
- Profanity, since 0.4.1
- Psi (cross-platform)[23]
- Psi+ (cross-platform)[23][24]
- Mozilla Thunderbird, since 68
- monocles chat, XMPP client supports OTR since 2022
- Tkabber (cross-platform), since version 1.1[25]
- irssi, since 1.2.0[26]
Via third-party plug-in
editThe following clients require a plug-in to use Off-the-Record Messaging.
- HexChat, with a third-party plugin[27]
- Miranda NG (Microsoft Windows), with a third-party plugin[28]
- Pidgin (cross-platform), with a plugin available from the OTR homepage[29]
- WeeChat, with a third-party plugin[30]
- HexChat, for *nix versions, with a third-party plugin[31]
Confusion with Google Talk "off the record"
editAlthough Gmail's Google Talk uses the term "off the record", the feature has no connection to the Off-the-Record Messaging protocol described in this article, its chats are not encrypted in the way described above—and could be logged internally by Google even if not accessible by end-users.[32][33]
See also
editReferences
edit- ^ a b Nikita Borisov, Ian Goldberg, Eric Brewer (28 October 2004). "Off-the-Record Communication, or, Why Not To Use PGP" (PDF). Workshop on Privacy in the Electronic Society. Retrieved 6 March 2014.
{{cite conference}}
: CS1 maint: multiple names: authors list (link) - ^ Ian Goldberg (26 October 2014). [OTR-users] Happy 10th anniversary!. Retrieved 27 April 2015.
- ^ Sofía Celi, Ola Bini (15 February 2019). "Off-the-Record Messaging Protocol version 4". GitHub.
- ^ "Add disclaimer · otrv4/otrv4@0c0847e". GitHub. Retrieved 20 September 2023.
- ^ Mario Di Raimondo; Rosario Gennaro; Hugo Krawczyk (2005). "Secure off-the-record messaging" (PDF). Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. Association for Computing Machinery: 81–89.
- ^ "Off-the-Record Messaging Protocol version 2".
- ^ "mod_otr".
- ^ Chris Alexander; Ian Avrum Goldberg (February 2007). "Improved user authentication in off-the-record messaging". Proceedings of the 2007 ACM workshop on Privacy in electronic society (PDF). New York: Association for Computing Machinery. pp. 41–47. doi:10.1145/1314333.1314340. ISBN 9781595938831. S2CID 17052562.
- ^ a b "Off-the-Record Messaging Protocol version 3".
- ^ Jiang Bian; Remzi Seker; Umit Topaloglu (2007). Off-the-Record Instant Messaging for Group Conversation. IEEE International Conference on Information Reuse and Integration. IEEE. doi:10.1109/IRI.2007.4296601.
- ^ a b Ian Avrum Goldberg; Berkant Ustaoğlu; Matthew D. Van Gundy; Hao Chen (2009). "Multi-party off-the-record messaging". Proceedings of the 16th ACM conference on Computer and communications security (PDF). Association for Computing Machinery. pp. 358–368. doi:10.1145/1653662.1653705. hdl:11147/4772. ISBN 9781605588940. S2CID 6143588.
{{cite book}}
: CS1 maint: date and year (link) - ^ Nik Unger; Sergej Dechand; Joseph Bonneau; Sascha Fahl; Henning Perl; Ian Avrum Goldberg; Matthew Smith (2015). "SoK: Secure Messaging" (PDF). Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society's Technical Committee on Security and Privacy: 232–249.
- ^ Straub, Andreas (25 October 2015). "OMEMO Encryption". XMPP Standards Foundation website. Archived from the original on 29 January 2016. Retrieved 16 January 2016.
- ^ Gultsch, Daniel (2 September 2015). "OMEMO Encrypted Jingle File Transfer". XMPP Standards Foundation website. Retrieved 16 January 2016.
- ^ Sofía Celi, Ola Bini (21 July 2018). No evidence of communication: Off-the-Record Protocol version 4 (PDF). Retrieved 29 November 2018.
- ^ Ian Goldberg (27 May 2009). "multi-party OTR communications? (and other OTR details)". OTR-users mailing list.
- ^ Nadim Kobeissi (1 February 2014). "mpOTR Project Plan". Cryptocat wiki on GitHub.
- ^ Ian Goldberg (4 September 2012). "pidgin-otr and libotr 4.0.0 released!". OTR-announce mailing list.
- ^ "Off-the-Record Messaging".
- ^ "BitlBee Wiki". Wiki.bitlbee.org. 25 January 2014. Retrieved 15 May 2014.
- ^ "kopete-otr in KDE for 4.1". Archived from the original on 28 March 2008.
- ^ "kopete-otr review request".
- ^ a b "OTR Plugin". Github.com. Retrieved 6 September 2017.
- ^ "Psi+ snapshots". Github.com. Retrieved 6 September 2017.
- ^ "Tkabber OTR Plugin". Archived from the original on 11 March 2014.
- ^ "Irssi Changelog - 1.2.0".
- ^ "Off the record plugin for HexChat". GitHub. 2 December 2021.
- ^ "Miranda OTR Plugin".
- ^ "OTR plugin for Pidgin".
- ^ "OTR plugin for WeeChat". GitHub. January 2019.
- ^ "TingPing/hexchat-otr". GitHub. Retrieved 14 March 2017.
- ^ "Chatting off the record - Talk Help".
- ^ "Google Talk - Privacy Policy".
Further reading
edit- Joseph Bonneau; Andrew Morrison (21 March 2006). "Finite-State Security Analysis of OTR Version 2" (PDF). Retrieved 5 September 2013.
{{cite journal}}
: Cite journal requires|journal=
(help) - Mario Di Raimondo; Rosario Gennaro & Hugo Krawczyk (2005). "Secure Off-the-Record Messaging" (PDF). Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. Association for Computing Machinery. Retrieved 27 August 2013.
{{cite journal}}
: Cite journal requires|journal=
(help)
External links
edit- Official website
- Protocol specification
- Off-the-Record Messaging: Useful Security and Privacy for IM Archived 30 December 2013 at the Wayback Machine, talk by Ian Goldberg at the University of Waterloo (video)
- 'Off-the-Record' Instant Messaging Tutorial (encryption, authentication, deniability, ..) on YouTube