Off-The-Record

Off-the-record Encryption for XMPP Messaging.

Off-The-Record Messaging is the oldest method of encrypting a chat over XMPP, introduced in 2004. OTR’s popularity is still strong in spite of its age and the lack of recent development. To prevent man-in-the-middle attacks, in which an outsider impersonates one of the parties in the chat, the protocol includes a method to “validate” or “authenticate” who you are chatting with. This validation is based on a shared secret word. OTR Messaging is still an effective method of securing privacy through encryption.

It is easy to enable OTR messaging in the Psi-Plus XMPP client.

Max begins a chat session with Joy using the Coy-IM chat client. Max clicks the "Secure Chat" button.

Max's action notifies Joy's Psi-Plus chat client that she needs to generate a private key. She clicks "Yes" to generate a new key.

Psi-Plus notifies Joy that the key has been generated.

At this point, if Max and Joy continue chatting, their communication is encrypted. A simple message of “How are you?” will look like this on the server:

<message to='curmudgeon-max@e2e.ee' 
       from='curmudgeon-joy@e2e.ee/DESKTOP-GIFB8N1' 
       type='chat'><subject/><body>?OTR:AAMSQDu57ljslpkAAAHS1NRTaZxUvefDCnn8jIJm8ZlPSDWyUut/qK
                                    hKC/Q3sHrvUVOPITo3HdUlie0DVP7as7iK96U1acztsqYGk1V0PjZXh9lW
                                    pQ6v6i9ZLtcFrz2yHwYARkAlxldxsfeIRMP82ZW83asFBXvnp8bYHa8u0h
                                    qaepCCdLIeJPl1v5iPBpdOhwrYBDxc5bWblXDXQ/N/N6YT80xQpS78Ojyz
                                    pBuQH/1EMew45FofivLiPSY2sBlGM13TBNkuUFddbuMhcpCqnUEuVWq4IA
                                    USKZ361NPvXc0eoArT9vlwri0AWoWexWRqMwO2fGcUAZGoHC0HUk5q0/KX
                                    vufFQgBx+XeiXzpMp89cd0igcihMLBSbiT+YjUYO+BHCfVP89fCJfJQcGO
                                    tRP9b4Z9XW8N1Eh/kay2VbUMJpNY4QLUSwtGx1+0YxxkaxCD3T8+R/TU/u
                                    v4i/46ubpYvi++DB08+xunDYWPLqnV3nJ2rxMX5uaspqZun8DoCImOd55D
                                    ZqVo9YBGByQ6zHX68Qe+f8hxFGjVx35lAaEYqEmoietLJAqEB33KLYx5SA
                                    29q/wOMTfKTGa9CtHA3KpG/XQb8qMV5xFJNh2pxifnAMsTFkR0rafvjl+i
                                    XRcpODzMMzNs3PVuxJAO/2Qid8wRjcljcG.</body></message>
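Someone reviewing server-side logs wants to tell an OTR-encrypted message apart from an OTR offer, an OTR error message and ordinary plaintext without being able to read the ciphertext. The Python script below is an added example, not code from this page or from Psi-Plus, Coy-IM or the OTR project: it parses an XMPP `<message>` stanza, recognizes the OTR query, error and encoded-message forms, and decodes the protocol version, message type and (for version 3) the sender and receiver instance tags from the base64 header, following the published OTR protocol specification. The first sample is the stanza quoted above, reproduced verbatim; the other stanzas, the device resource names in their JIDs and the dummy "Data" message payload are constructed for illustration only.

```python
"""Classify OTR traffic in XMPP <message> stanzas (added example, not from the page)."""
import base64
import binascii
import re
import struct
import xml.etree.ElementTree as ET

# Message type bytes defined by the OTR version 2/3 protocol specification.
OTR_TYPES = {
    0x02: "DH-Commit",
    0x0a: "DH-Key",
    0x11: "Reveal Signature",
    0x12: "Signature",
    0x03: "Data",
}

# A client willing to start OTR appends this whitespace tag to an otherwise plaintext message.
OTR_WHITESPACE_TAG = " \t  \t\t\t\t \t \t \t  "

# Query messages look like "?OTR?", "?OTRv23?" or "?OTR?v2?" (the bare "?" advertises version 1).
QUERY_RE = re.compile(r"^\?OTR(\?)?(?:v(\w*)\?)?")


def classify_body(body):
    """Return a dict describing what kind of OTR (or non-OTR) message a <body> carries."""
    if body is None:
        return {"kind": "plaintext", "whitespace_tag": False}
    text = body.strip("\n")
    m = QUERY_RE.match(text)
    if m and (m.group(1) or m.group(2) is not None):
        versions = set(m.group(2) or "")
        if m.group(1):
            versions.add("1")
        return {"kind": "query", "versions": sorted(versions)}
    if text.startswith("?OTR Error:"):
        return {"kind": "error", "text": text[len("?OTR Error:"):].strip()}
    if text.startswith("?OTR:"):
        # Servers and clients may wrap the base64; drop all whitespace before decoding.
        return _parse_encoded("".join(text.split()))
    return {"kind": "plaintext", "whitespace_tag": OTR_WHITESPACE_TAG in text}


def _parse_encoded(compact):
    """Decode the header of an encoded message: '?OTR:' + base64 + '.' terminator."""
    if not compact.endswith("."):
        return {"kind": "malformed", "reason": "missing '.' terminator"}
    try:
        raw = base64.b64decode(compact[len("?OTR:"):-1], validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"kind": "malformed", "reason": "bad base64: %s" % exc}
    if len(raw) < 3:
        return {"kind": "malformed", "reason": "header too short"}
    version, mtype = struct.unpack(">HB", raw[:3])
    info = {
        "kind": "encoded",
        "version": version,
        "type": OTR_TYPES.get(mtype, "unknown (0x%02x)" % mtype),
        "payload_len": len(raw),
    }
    offset = 3
    if version == 3:
        # Version 3 adds sender and receiver instance tags so that a user logged in
        # from several devices can keep separate OTR sessions apart.
        if len(raw) < 11:
            return {"kind": "malformed", "reason": "missing instance tags"}
        info["sender_tag"], info["receiver_tag"] = struct.unpack(">II", raw[3:11])
        offset = 11
    if mtype == 0x03 and len(raw) > offset:
        # Data messages carry a flags byte after the header; bit 0 is IGNORE_UNREADABLE.
        info["ignore_unreadable"] = bool(raw[offset] & 0x01)
    return info


def classify_stanza(stanza_xml):
    """Parse one <message> stanza and classify its body; tolerates a default XMPP namespace."""
    msg = ET.fromstring(stanza_xml)
    body_el = next((c for c in msg if c.tag.rsplit("}", 1)[-1] == "body"), None)
    result = classify_body(None if body_el is None else (body_el.text or ""))
    result["from"] = msg.attrib.get("from")
    result["to"] = msg.attrib.get("to")
    return result


# The stanza captured on the server in the page above, reproduced verbatim.
PAGE_STANZA = """<message to='curmudgeon-max@e2e.ee'
       from='curmudgeon-joy@e2e.ee/DESKTOP-GIFB8N1'
       type='chat'><subject/><body>?OTR:AAMSQDu57ljslpkAAAHS1NRTaZxUvefDCnn8jIJm8ZlPSDWyUut/qK
                                     hKC/Q3sHrvUVOPITo3HdUlie0DVP7as7iK96U1acztsqYGk1V0PjZXh9lW
                                     pQ6v6i9ZLtcFrz2yHwYARkAlxldxsfeIRMP82ZW83asFBXvnp8bYHa8u0h
                                     qaepCCdLIeJPl1v5iPBpdOhwrYBDxc5bWblXDXQ/N/N6YT80xQpS78Ojyz
                                     pBuQH/1EMew45FofivLiPSY2sBlGM13TBNkuUFddbuMhcpCqnUEuVWq4IA
                                     USKZ361NPvXc0eoArT9vlwri0AWoWexWRqMwO2fGcUAZGoHC0HUk5q0/KX
                                     vufFQgBx+XeiXzpMp89cd0igcihMLBSbiT+YjUYO+BHCfVP89fCJfJQcGO
                                     tRP9b4Z9XW8N1Eh/kay2VbUMJpNY4QLUSwtGx1+0YxxkaxCD3T8+R/TU/u
                                     v4i/46ubpYvi++DB08+xunDYWPLqnV3nJ2rxMX5uaspqZun8DoCImOd55D
                                     ZqVo9YBGByQ6zHX68Qe+f8hxFGjVx35lAaEYqEmoietLJAqEB33KLYx5SA
                                     29q/wOMTfKTGa9CtHA3KpG/XQb8qMV5xFJNh2pxifnAMsTFkR0rafvjl+i
                                     XRcpODzMMzNs3PVuxJAO/2Qid8wRjcljcG.</body></message>"""


def constructed_data_body():
    """Constructed sample: an OTRv3 Data-message header, flags byte and dummy ciphertext bytes."""
    header = struct.pack(">HBII", 3, 0x03, 0x10000001, 0x20000002)
    flags = b"\x01"  # IGNORE_UNREADABLE set
    return "?OTR:" + base64.b64encode(header + flags + b"\x00" * 32).decode("ascii") + "."


def stanza(from_jid, to_jid, body):
    """Build a minimal constructed <message> stanza around a body string."""
    return "<message from='%s' to='%s' type='chat'><body>%s</body></message>" % (from_jid, to_jid, body)


if __name__ == "__main__":
    # The "/laptop" resource and every body except PAGE_STANZA are constructed for illustration.
    samples = [
        PAGE_STANZA,
        stanza("curmudgeon-max@e2e.ee/laptop", "curmudgeon-joy@e2e.ee", "hi there" + OTR_WHITESPACE_TAG),
        stanza("curmudgeon-joy@e2e.ee/DESKTOP-GIFB8N1", "curmudgeon-max@e2e.ee", "?OTRv23?"),
        stanza("curmudgeon-max@e2e.ee/laptop", "curmudgeon-joy@e2e.ee", constructed_data_body()),
    ]
    for s in samples:
        print(classify_stanza(s))
```

Run as a script it prints one dictionary per stanza. The header alone tells a log reviewer which protocol version a session uses and whether a message belongs to the key exchange or carries encrypted data; the ciphertext itself stays opaque to the server, which is the point of OTR.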

Max decides to take the extra step of validating that he is really chatting with Joy. He clicks the "Validate Channel" button.

Max is given a one-time PIN that he must send to Joy by some other method of communication. So Max calls Joy by phone and tells her that the PIN is 941187.

The Psi-Plus client asks for the PIN, which Joy enters. What Coy-IM calls "to validate", Psi-Plus calls "to authenticate".

Joy's software confirms that she has been authenticated and recommends that she also authenticate that she is chatting with Max.

Joy decides to authenticate the communication.

Joy's Psi-Plus XMPP client supports three ways of authenticating: she can ask a question that she believes only Max knows the answer to, she can ask Max to enter a pre-determined word that only he knows, or she can verify the fingerprints of their keys and ask Max to do the same.

Max and Joy have previously shared a secret word. Joy asks Max for that word.

Max inputs the secret word.

Joy receives confirmation.

In this example, we see that the Psi-Plus XMPP client offers more options for validating the person you are chatting with. Coy-IM's PIN approach is reasonable, but the PIN must be communicated over another channel at that moment; previously agreed PINs or passwords will not work with Coy-IM.


Last modified June 17, 2020