Making your IM secure--and deniable
Staff Writer, CNET News.com
SAN FRANCISCO--When you hit the Send button on an instant message, do you really know who is on the other end?
Two researchers at the University of California at Berkeley have created an add-on to instant messaging that they claim will enable the participants to identify each other and have a secure conversation without leaving any proof that the chat occurred.
The result, dubbed off-the-record (OTR) messaging by security researchers Ian Goldberg and Nikita Borisov, is a plug-in for the Gaim instant-messaging client that enables encrypted messages sans leaving a key--a sequence of characters--that could be used to verify that the conversation happened. That attribute, known in cryptography as perfect forward security, also prevents snoopers from reading any copies of the conversation.
"If tomorrow, my computer is broken into and the encryption key is stolen, the attacker can't read future messages," said Goldberg, a graduate of Berkeley.
In order for a secure and deniable IM conversation to occur, both parties need to have the off-the-record program installed on Gaim or use America Online's Instant Messenger with a server set up to be a proxy with software also developed by Goldberg and Borisov, the researchers said.
When a previously unregistered user wants to have an OTC conversation, a dialog box will appear with a digital key, identifying the sender. If the user accepts the credentials of the person contacting him, the key will be stored on his computer so that in the future, the sender is considered to be trusted. After that, the two participants can chat securely; the conversation is encoded so that others cannot intercept and read it.
Goldberg and Borisov presented their program at the annual CodeCon gathering of developers Saturday. People worried about instant-messaging security can download the software from the duo's site.
Goldberg said current messaging is insecure and criticized other solutions for leaving around logs and encryption keys that could be used as proof that a conversation happened. He said OTR messaging would give the participants the security without leaving any more trace of the conversation than today's instant-messaging clients--a worry for the privacy-centric security community.
"I would like to see this on by default," Goldberg said. "When you chat today, the messages are going through the clear, and there is no proof of who you are talking to."
While both the OTR messaging plug-ins and today's instant-messaging clients enable either participant to record logs of a conversation, those logs mean little after the conversation, Goldberg argued. The logs could be edited to add content.
That's why the two researchers avoided using digital signatures, Goldberg said. That technology for encrypting messages would have also acted as a digital signature and left a signed record of the conversation.
Track this story's companies and topics
|Instant messaging||Create alert|
|Authentication and encryption||Create alert|
Triple threat: IM viruses get big jump on 2005
February 14, 2005
Putting a plug in insider leaks
January 24, 2005
Consortium forms IM threat center
December 7, 2004
From News.com Extra
- IM Worm Packs One-Two Punch from silicon.com
- BlowSearch to Offer Encrypted IM from PCWorld
- Latest MSN Messenger Worm Can Hijack System Info from eWeek
Related white papers
- Groove Virtual Office for Consultants 7 Minute Webcast Series: Small Steps to Big Gains for Your Practice (Webcast)Groove Networks
- Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority Akonix
- The Unofficial Guide to IM for Executives Akonix
- What Every Company Should Know About Sarbanes-Oxley and Instant Messaging Akonix
- Taking Instant Messaging and Email to New Heights With Dedicated Mobile Devices Datacomm Research
Microsoft's CEO points to his company's security advantages October 22, 2004
Wireless interoperability in focus at Sun Labs August 5, 2004
TalkBackPost a comment
Click on a comment to explore replies (1 total replies - 1 NEW )
|would we still know? Nathar Leichoz -- 02/14/05|