Off-the-record messaging

Off-the-Record Messaging ( OTR , German  unofficial, confidential, message transmission not intended for the public ) is a protocol for message encryption in instant messaging . It regulates the ongoing updating and management of short-lived session keys.

In contrast to the transmission of encrypted messages with OpenPGP (or in rare cases with an X.509 certificate), with off-the-record messaging it is no longer possible to determine later whether a certain key was used by a certain person (principle of credible deniability , English plausible deniability ). As a result, after the conversation has ended, nobody (not even either of the two communication partners) can prove that one of the communication partners made a certain statement.

This principle is implemented through the combined use of the symmetrical cryptographic process Advanced Encryption Standard (AES), the Diffie-Hellman key exchange and the cryptographic hash function SHA-1 . A program library and numerous instant messaging programs are available that can use the protocol either directly or via additional modules.

Objectives of the project

The following four cornerstones are defined in the statutes of the project:

Encryption (Encryption)

Nobody can read the news.

Authentication (authentication)

You can be sure that the recipient is who you think they are.

Repudiation (deniability)

Encrypted messages do not contain an electronic signature . So it is possible for someone to forge messages after a conversation so that they appear to have originated from you. During a conversation, however, the recipient can be certain that the received messages are authentic and unchanged.

Consequences ( Perfect Forward Secrecy )

If the (long-lived) private key falls into the hands of a third party, this has no effect on the compromise of previous conversations: the conversations cannot be decrypted subsequently.

Technical implementation

The following section simplifies the function of the OTR protocol in version 2.

overview

During their communication with each other, Alice and Bob choose private keys respectively . Two at a time, for example and , are used to create a shared secret using Diffie-Hellman key exchange . The keys and are calculated from this secret . ${\ displaystyle x_ {1}, x_ {2}, \ ldots}$${\ displaystyle y_ {1}, y_ {2}, \ ldots}$${\ displaystyle x_ {i}}$${\ displaystyle y_ {j}}$${\ displaystyle s}$${\ displaystyle s}$${\ displaystyle K _ {\ text {AES}}}$${\ displaystyle K _ {\ text {MAC}}}$

${\ displaystyle K _ {\ text {AES}}}$is used to encrypt every message using the Advanced Encryption Standard (AES) in counter mode . This turns the symmetrical block cipher AES into a stream cipher . Alice and Bob use digital signatures for initial authentication , so they can be sure who they are communicating with during the conversation. is used to authenticate a single message using the SHA-1 ( Secure Hash Algorithm 1) hash function , which is used as the Message Authentication Code (MAC). ${\ displaystyle K _ {\ text {MAC}}}$

For the Diffie-Hellman key exchange is a 1536-bit prime number and a primitive root modulo with needs. All exponentiations then take place modulo this prime number. ${\ displaystyle p}$ ${\ displaystyle g}$ ${\ displaystyle p}$${\ displaystyle 2 \ leq g \ leq p-2}$

1. Alice and Bob choose private key , respectively (min. 320 bit long), replace the corresponding public key , respectively , and obtained by the Diffie-Hellman method , a shared secret .${\ displaystyle x_ {1}}$${\ displaystyle y_ {1}}$ ${\ displaystyle g ^ {x_ {1}}}$${\ displaystyle g ^ {y_ {1}}}$${\ displaystyle s = \ left (g ^ {x_ {1}} \ right) ^ {y_ {1}} = \ left (g ^ {y_ {1}} \ right) ^ {x_ {1}} = g ^ {x_ {1} \ cdot y_ {1}}}$
2. Via a secure channel can be created now, each communication subscriber authenticates itself using a digital signature to the other about that. Currently, OTR only supports the Digital Signature Algorithm .${\ displaystyle s}$

1. Alice selects the last Diffie-Hellman key she received from Bob . Bob's key is considered received if he used it for a message that Alice received or was previously exchanged using AKE (see section above), which obviously can only be in the case .${\ displaystyle x_ {i}}$${\ displaystyle g ^ {x_ {i}}}$${\ displaystyle g ^ {x_ {i}}}$${\ displaystyle i = 1}$
2. If Alice's newest Diffie-Hellman key, she randomly generates a new key of at least 320 bits in length.${\ displaystyle x_ {i}}$${\ displaystyle x_ {i + 1}}$
3. Be the last Diffie-Hellman key received from Bob. The key is deemed to have been received if Bob added it to the last message (see below) or if it was exchanged using the AKE.${\ displaystyle g ^ {y_ {j}}}$
4. The common Diffie-Hellman secret can now be calculated (modulo ) as .${\ displaystyle p}$${\ displaystyle s: = \ left (g ^ {y_ {j}} \ right) ^ {x_ {i}}}$
5. Calculate the AES key , where the first 128 bits of the SHA-1 hash value denotes. was previously brought into a certain data format and expanded by one byte .${\ displaystyle K _ {\ text {AES}}: = H (s)}$${\ displaystyle H (s)}$${\ displaystyle s}$${\ displaystyle s}$
6. Compute the MAC key as the 160-bit SHA-1 hash value of .${\ displaystyle K _ {\ text {MAC}}}$${\ displaystyle K _ {\ text {AES}}}$
7. For the counter mode that will be used later, a counter is required that is selected so that the triple never occurs twice during the entire message exchange with Bob.${\ displaystyle c}$ ${\ displaystyle (i, j, c)}$
8. The message is now encrypted in counter mode using the AES algorithm. The key used for this is the meter you just selected . The message encrypted in this way is called .${\ displaystyle M}$${\ displaystyle K _ {\ text {AES}}}$${\ displaystyle c}$${\ displaystyle N}$
9. The encrypted message , , and some cryptographically unimportant parts such as the version number of the protocol to be combined and which Authentication of the message code using the key computed. Here denotes the Keyed-Hash Message Authentication Code (HMAC) using the hash function SHA-1 and the key .${\ displaystyle N}$${\ displaystyle i, j, c}$${\ displaystyle g ^ {x_ {i + 1}}}$${\ displaystyle T}$${\ displaystyle MAC_ {K _ {\ text {MAC}}} (T)}$${\ displaystyle K _ {\ text {MAC}}}$${\ displaystyle MAC_ {K _ {\ text {MAC}}}}$${\ displaystyle K _ {\ text {MAC}}}$
10. ${\ displaystyle T, MAC_ {K _ {\ text {MAC}}} (T)}$ and all unused MAC keys are sent to Bob over an insecure channel.

1. Bob has already received it either through an old message from Alice or via AKE. Thus it may be the same Diffie-Hellman shared secret by calculating, with and in denote indexes contained.${\ displaystyle g ^ {x_ {i}}}$${\ displaystyle s: = \ left (g ^ {x_ {i}} \ right) ^ {y_ {j}} = g ^ {x_ {i} \ cdot y_ {j}} = \ left (g ^ {y_ {j}} \ right) ^ {x_ {i}}}$${\ displaystyle i}$${\ displaystyle j}$${\ displaystyle T}$
2. Just like Alice and, he can calculate.${\ displaystyle K _ {\ text {AES}}}$${\ displaystyle K _ {\ text {MAC}}}$
3. With the help of , he calculates and compares the value received with that transmitted by Alice. This checks the authenticity of the message and protects it against middleman attacks.${\ displaystyle K _ {\ text {MAC}}}$${\ displaystyle MAC_ {K _ {\ text {MAC}}} (T)}$
4. With the help of and , which is contained in the message sent by Alice , he decrypts the message with the AES algorithm in counter mode and receives it back. This works because AES is symmetrical, meaning that it uses the same key for encryption and decryption .${\ displaystyle K _ {\ text {AES}}}$${\ displaystyle c}$${\ displaystyle T}$${\ displaystyle N}$${\ displaystyle M}$${\ displaystyle (K _ {\ text {AES}}, c)}$

Encryption (Encryption)

The AES cryptosystem used has been subjected to detailed cryptanalytic tests and is practically computationally reliable.

Authentication (authentication)

Using AKE and digital signatures, Bob can be sure (even at a later point in time) that Alice has chosen the public key . Since the next message and thus also the next key is signed with the help of this key , Bob can be sure of the identity of the person he is speaking to in all subsequent messages.${\ displaystyle g ^ {x_ {1}}}$${\ displaystyle g ^ {x_ {2}}}$

Repudiation (deniability)

Alice only uses her digital signature at the beginning of the conversation. All subsequent messages are signed with the MAC keys . Since the shared secret is required to generate the MAC key , Bob can be sure that Alice has signed the message. However, he cannot prove this to anyone else, as he could have signed the message as well. In addition, by publishing MAC keys that are no longer used, nobody can check the authenticity of the messages, as anyone could have signed them. Only Bob can be sure that Alice sent the message, since only both of them know the corresponding MAC key at the time of receipt. However, by using a digital signature at the beginning of the conversation, nobody can deny that a conversation has taken place.${\ displaystyle K _ {\ text {MAC}}}$${\ displaystyle s}$

Consequences ( Perfect Forward Secrecy )

If Alice loses her long-lived private key, none of the short-lived private keys can be derived from it, since these were never published and deleted shortly after they were used. Since only these short-lived private keys were used to encrypt and sign the messages, the conversation was not compromised despite the loss of the long-lived private key.${\ displaystyle x_ {1}, x_ {2}, \ ldots}$

The two developers, Ian Goldberg and Nikita Borisov, provide a program library called libotr as a reference implementation of the protocol . It is also published in source code as free software and licensed under the terms of the GNU Lesser General Public License (LGPL). A toolkit for forging messages is provided with the library. The developers also provide a plugin for pidgin . The latter are both subject to the terms of the GNU General Public License (GPL).

Several systems have been proposed to support multiple callers. A procedure proposed by Jiang Bian, Remzi Seker and Umit Topaloglu in 2007 used a participant's system as a “virtual server”. The “Multi-party Off-the-Record Messaging” (mpOTR) procedure published in 2009 managed without a central organizational instance and was developed by Ian Goldberg et al. Introduced in Cryptocat . In 2013, TextSecure introduced the Axolotl protocol based on OTR messaging and the Silent Circle Instant Messaging Protocol (SCIMP). As a central additional feature, it brought support for asynchronous communication (“offline messages”), as well as better resilience in the event of a disrupted message sequence and simpler support for several call participants. The OMEMO introduced in Conversations in 2015 integrates Axolotl into the instant messaging protocol XMPP (“Jabber”) and now also enables file transfers to be secured. It was submitted to the XMPP Standards Foundation for standardization in autumn 2015 .

The Socialist Millionaires' Protocol (SMP) enables the comparison of the fingerprints of the public keys , which otherwise takes place out of band , to be replaced by a shared secret .

1. ↑ ^{a b} Off-the-Record Messaging Protocol version 2 (English)
2. ↑ Joseph Bonneau, Andrew Morrison: Finite-State Security Analysis of OTR Version 2. (PDF (105 kB)) Stanford University, accessed on July 13, 2011 (English).  
3. ↑ ChatSecure website
4. ↑ IM + on Google Play
5. ↑ github.com
6. ↑ mcabber Changelog, see "mcabber (0.9.4)" (English)
7. ↑ Phonix Viewer , OSS
8. ↑ qutIM 0.3.1 changelog on Facebook
9. ↑ Rocket.Chat Channel Actions , English
10. ↑ SecuXabber in the Google Play Store (English)
11. ↑ Spark changelog
12. ↑ Xabber in the Google Play Store , English
13. ↑ Gajim OTR , English
14. ↑ Irssi OTR , English
15. ↑ Miranda OTR Plugin ( Memento from March 1, 2012 in the Internet Archive ), English
16. ↑ MirOTR, Miranda NG Wiki
17. ↑ thunderbird.net
18. ↑ Thunderbird: OTR - MozillaWiki. May 22, 2019, accessed July 20, 2019 . 
19. ↑ Pidgin OTR Plugin , English
20. ↑ Psi-Patch and OTR-Plugin on tfh-berlin.de ( Memento from March 26th 2009 in the Internet Archive ), English
21. ↑ Website of the Psi development version Psi + , English
22. ↑ Plugin collection for Vacuum IM
23. ↑ weechat-otr , English
24. ↑ Xchat OTR ( Memento of the original from February 27, 2016 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. , English  @1@ 2Template: Webachiv / IABot / xchat.org
25. ↑ Nikita Borisov, Ian Avrum Goldberg, Eric A. Brewer: Off-the-record communication, or, why not to use PGP . In: Association for Computing Machinery (Ed.): WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society . ACM Press, New York October 2004, pp. 77-84 ( cypherpunks.ca [PDF]). 
26. ^ Mario Di Raimondo, Rosario Gennaro, Hugo Krawczyk: Secure off-the-record messaging . In: Association for Computing Machinery (Ed.): Proceedings of the 2005 ACM workshop on Privacy in the electronic society . 2005, p. 81-89 ( unict.it [PDF]). 
27. ^ Jiang Bian, Remzi Seker, Umit Topaloglu: Off-the-Record Instant Messaging for Group Conversation . In: IEEE (Ed.): IEEE International Conference on Information Reuse and Integration . 2007 ( online (PDF)). Off-the-Record Instant Messaging for Group Conversation ( Memento of the original from January 4, 2016 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.   @1@ 2Template: Webachiv / IABot / gotr.googlecode.com
28. ↑ Chris Alexander, Ian Avrum Goldberg: Improved User Authentication in Off-The-Record Messaging . In: Association for Computing Machinery (Ed.): Proceedings of the 2007 ACM workshop on Privacy in electronic society . New York October 2007, p. 41-47 , doi : 10.1145 / 1314333.1314340 ( cypherpunks.ca [PDF]). 
29. ↑ otr.cypherpunks.ca
30. ↑ Ian Avrum Goldberg, Berkant Ustaoğlu, Matthew D. Van Gundy, Hao Chen: Multi-party off-the-record messaging . In: Association for Computing Machinery (Ed.): Proceedings of the 16th ACM Computer and Communications Security Conference . 2009, p. 358-368 , doi : 10.1145 / 1653662.1653705 ( cypherpunks.ca [PDF]). 
31. ↑ Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Avrum Goldberg, Matthew Smith: SoK: Secure Messaging . In: IEEE Computer Society's Technical Committee on Security and Privacy (Ed.): Proceedings of the 2015 IEEE Symposium on Security and Privacy . 2015, p. 232-249 ( ieee-security.org [PDF]). 
32. ^ Andreas Straub: OMEMO Encryption. (No longer available online.) In: XMPP Standards Foundation website. October 25, 2015, archived from the original on January 29, 2016 ; accessed on January 4, 2016 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.  @1@ 2Template: Webachiv / IABot / xmpp.org 
33. ↑ Daniel Gultsch: OMEMO Encrypted Jingle File Transfer. In: XMPP Standards Foundation website. September 2, 2015, accessed January 4, 2016 .  
34. ↑ heide.de / ... - iCloud keychain : vulnerability enabled third party access to passwords. August 4, 2017. Retrieved August 5, 2017.