Off-The-Record
Off-The-Record Messaging is the oldest method of encrypting a chat over XMPP, introduced in 2004. OTR’s popularity is still strong in spite of its age and lack of recent development. To avoid man-in-the-middle attacks, in which an outsider impersonates one of the parties in the chat, the protocol includes a method to “validate” or “authenticate” who you are chatting with. This validation is based on sharing a secret word. OTR Messaging is still an effective method of securing privacy through encryption.

It is easy to enable OTR messaging in the Psi-Plus XMPP client.

Max begins a chat session with Joy using the Coy-IM chat client. Max clicks the button "Secure Chat".

Max's action notifies Joy's Psi-Plus chat client that she needs to generate a private key. She clicks "Yes" to generate a new key.

Psi-Plus notifies Joy that the key has been generated.
At this point, if Max and Joy continue chatting, their communication is encrypted. A simple message of “How are you?” will look like this on the server:
<message to='curmudgeon-max@e2e.ee'
from='curmudgeon-joy@e2e.ee/DESKTOP-GIFB8N1'
type='chat'><subject/><body>?OTR:AAMSQDu57ljslpkAAAHS1NRTaZxUvefDCnn8jIJm8ZlPSDWyUut/qK
hKC/Q3sHrvUVOPITo3HdUlie0DVP7as7iK96U1acztsqYGk1V0PjZXh9lW
pQ6v6i9ZLtcFrz2yHwYARkAlxldxsfeIRMP82ZW83asFBXvnp8bYHa8u0h
qaepCCdLIeJPl1v5iPBpdOhwrYBDxc5bWblXDXQ/N/N6YT80xQpS78Ojyz
pBuQH/1EMew45FofivLiPSY2sBlGM13TBNkuUFddbuMhcpCqnUEuVWq4IA
USKZ361NPvXc0eoArT9vlwri0AWoWexWRqMwO2fGcUAZGoHC0HUk5q0/KX
vufFQgBx+XeiXzpMp89cd0igcihMLBSbiT+YjUYO+BHCfVP89fCJfJQcGO
tRP9b4Z9XW8N1Eh/kay2VbUMJpNY4QLUSwtGx1+0YxxkaxCD3T8+R/TU/u
v4i/46ubpYvi++DB08+xunDYWPLqnV3nJ2rxMX5uaspqZun8DoCImOd55D
ZqVo9YBGByQ6zHX68Qe+f8hxFGjVx35lAaEYqEmoietLJAqEB33KLYx5SA
29q/wOMTfKTGa9CtHA3KpG/XQb8qMV5xFJNh2pxifnAMsTFkR0rafvjl+i
XRcpODzMMzNs3PVuxJAO/2Qid8wRjcljcG.</body></message>
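Because the server sees only the "?OTR:" base64 text, the one part of the stanza it can still read is the fixed OTR header. The Python below is an added example, not code from the original page or from either client: it decodes that header (protocol version, message type and, for OTR version 3, the sender and receiver instance tags) and sorts a batch of message bodies into plaintext, key-exchange and data messages. The first sample body is the first line of the stanza above; the data-message header and the plaintext body are constructed.

```python
import base64
import re

OTR_PREFIX = "?OTR:"
# OTRv3 message types (from the OTR version 3 protocol specification)
AKE_TYPES = {0x02: "D-H Commit", 0x0a: "D-H Key", 0x11: "Reveal Signature", 0x12: "Signature"}
DATA_TYPE = 0x03

def parse_otr_header(body: str) -> dict:
    """Decode only the plaintext header of an OTR encoded message.

    Returns protocol version, message type and (for v3) both instance tags.
    Bytes after the header stay opaque: this shows that OTR is in use and which phase.
    """
    if not body.startswith(OTR_PREFIX):
        raise ValueError("not an OTR encoded message")
    b64 = re.sub(r"\s+", "", body[len(OTR_PREFIX):]).rstrip(".")
    head = b64[:16]                           # 16 chars -> 12 bytes, enough for any header
    raw = base64.b64decode(head[: len(head) - len(head) % 4])
    if len(raw) < 3:
        raise ValueError("truncated OTR header")
    version = int.from_bytes(raw[0:2], "big")
    msg_type = raw[2]
    info = {"version": version, "type": msg_type,
            "type_name": AKE_TYPES.get(msg_type, "Data" if msg_type == DATA_TYPE else "unknown")}
    if version == 3:                           # v3 adds sender/receiver instance tags
        if len(raw) < 11:
            raise ValueError("truncated OTRv3 header")
        info["sender_tag"] = int.from_bytes(raw[3:7], "big")
        info["receiver_tag"] = int.from_bytes(raw[7:11], "big")
    elif version != 2:                         # v2 has no instance tags; v1 is not handled
        raise ValueError(f"unsupported OTR version {version}")
    return info

def classify_bodies(bodies):
    """Count phases over a batch of <body> strings, e.g. pulled from server logs."""
    counts = {"plaintext": 0, "ake": 0, "data": 0, "other": 0}
    for body in bodies:
        if not body.startswith(OTR_PREFIX):
            counts["plaintext"] += 1
            continue
        t = parse_otr_header(body)["type"]
        counts["ake" if t in AKE_TYPES else "data" if t == DATA_TYPE else "other"] += 1
    return counts

# First line of the stanza body shown above; the header fits in its first 16 characters.
PAGE_BODY = "?OTR:AAMSQDu57ljslpkAAAHS1NRTaZxUvefDCnn8jIJm8ZlPSDWyUut/qK"
# Constructed v3 Data-message header (version 3, type 0x03, tags 0xBEEF/0xCAFE, flags 0).
DATA_BODY = OTR_PREFIX + base64.b64encode(bytes([0, 3, DATA_TYPE, 0, 0, 0xBE, 0xEF, 0, 0, 0xCA, 0xFE, 0])).decode() + "."
SAMPLE_BODIES = [PAGE_BODY, DATA_BODY, "How are you?"]   # constructed batch
```

Run `parse_otr_header(PAGE_BODY)` to see the version, message type and instance tags of the captured stanza, and `classify_bodies(SAMPLE_BODIES)` for the per-phase counts.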

Max decides to take the extra step of validating that he is really chatting with Joy. He clicks the button "Validate Channel".

Max is given a one-time PIN that he must send to Joy using some other method of communication. So, Max calls Joy by phone and tells her that the secret PIN is 941187.

The Psi-Plus client asks for the correct PIN, which Joy inputs. What Coy-IM calls "to validate" Psi-Plus calls "to authenticate".

Joy's software confirms that she has been authenticated and recommends that she also authenticate that she is chatting with Max.

Joy decides to authenticate the communication.

Joy's Psi-Plus XMPP client supports three ways of authenticating. She can ask a question that she believes only Max knows the answer to, she can ask Max to input a pre-determined word that only he knows, or she can verify the fingerprints of their keys and ask Max to do the same.

Max and Joy have previously shared a secret word. Joy asks Max for that word.

Max inputs the secret word.

Joy receives confirmation.
In this example, we see that the Psi-Plus XMPP client offers more options to validate the person you are chatting with. Coy-IM provides a PIN, which is reasonable, but it must be communicated over another channel at that moment. Previously agreed PINs or passwords will not work with Coy-IM.
Topics covered on this page:
- Off-The-Record Messaging
- XEP-0364: Current Off-the-Record Messaging Usage