IM encryption with pidgin and OTR plugin
In this entry I will discuss secure IM, using pidgin and showing how to add encryption to it. This will allow you to talk with another person and be reasonably sure that you will not be snooped on. As with all security and encryption, there may be as yet unknown bugs or ways to access the data, and some may come from a side channel. You will need pidgin for your operating system, and you will also need a plugin called OTR. The OTR plugin does most of the work in securing the connection between you and the other IM client. I will also talk about a few other plugins that may be nice to have enabled.
First off you need to download and install pidgin for your system. To do that go to http://www.pidgin.im/ and select the version for your system. There is also a section along the top called Plugins; select that and you will get a list of plugin options. Find the “Security and Privacy” section and select “Off-the-Record Messaging”. Download the plugin for your system, and install them both, pidgin first of course.
What is OTR? Off-the-record is a cryptographic protocol that provides encryption for instant messaging conversations. This allows deniability and confidential message exchange. It uses multi-key exchange hash functions, that is, it uses a mix of mathematical keys to encrypt the messages between each of the recipients on the IM exchange.
Now let's get started setting up the secure connections. The first thing you need to do after you set up your IM account in pidgin is to set up the “Off-the-record” plugin private key. To do this go to the Plugins section and select “Off-the-record Messaging”, then select “Configure Plugin”. A new dialog box will open; from here click on the “Generate” button to generate a private key fingerprint. It should generate a 40 letter/number key combination, which may take a bit of time depending on the speed of your machine. There are also some other options on this page you may want to set. I would recommend setting “Enable private messaging”, “Don’t log OTR conversations” and “Automatically initiate private messaging”. You can also set “Require private messaging” if you know the other person is using OTR as well; if you set this and they are not using it, it will not connect (in future versions that will change to allow non default encrypted connection). There are other plugins you may want to play with, so go for it.
To start a conversation, select the person you want to IM. There is a button in the lower right section that will default to “Not private”. Click on the button and select “Start Private Conversation”. It will change to one of four options: “Not Private”, “Private”, “Unverified” and “Finished”. Not private is just that: all exchanges are in clear text. Private means you and the person you are connecting to have been authenticated, and that person is not an impostor. Your exchanges are now encrypted and visible only to the other person, not to a third party that may be sniffing the traffic. This is not a guarantee, because technology may be found that breaks the keys, but for now they should be safe. Unverified means you are getting an encrypted feed but the key cannot be fully verified; there may be someone acting as the other person. The last is Finished; this means the other person has changed the setting to “Not private”, and this prevents the other person from accidentally sending a message they think is encrypted.
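The Python sketch below is an added example, not part of the original post or the OTR plugin's own code; it shows how a stored 40-character fingerprint maps to the “Private” or “Unverified” state and how to compare it with one the other person reads to you over another channel. It assumes the plugin keeps known fingerprints in a tab-separated file (otr.fingerprints in the pidgin profile directory); the sample entries and function names are constructed for illustration.

```python
import hmac
import re

# Constructed sample in the assumed otr.fingerprints layout:
# buddy, local account, protocol, 40 hex digits, optional trust flag.
SAMPLE_STORE = (
    "alice@example.org\tme@example.org\tprpl-jabber\t"
    "0123456789abcdef0123456789abcdef01234567\tverified\n"
    "bob@example.org\tme@example.org\tprpl-jabber\t"
    "89abcdef0123456789abcdef0123456789abcdef\n"
)

def normalize(fp):
    """Drop spaces/colons and case so displayed and stored forms compare equal."""
    cleaned = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("an OTR fingerprint is 40 hex characters")
    return cleaned

def parse_store(text):
    """Return one dict per known fingerprint, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        try:
            fingerprint = normalize(fields[3])
        except ValueError:
            continue
        # Any non-empty trust flag means the key was verified by the user.
        trusted = len(fields) > 4 and bool(fields[4].strip())
        entries.append({"buddy": fields[0], "account": fields[1],
                        "fingerprint": fingerprint, "trusted": trusted})
    return entries

def button_state(entry):
    """State the button shows once a session using this key is encrypted."""
    return "Private" if entry["trusted"] else "Unverified"

def matches(entry, read_out_of_band):
    """Compare the stored key with the one read out over phone or in person."""
    return hmac.compare_digest(entry["fingerprint"], normalize(read_out_of_band))

if __name__ == "__main__":
    for e in parse_store(SAMPLE_STORE):
        print(e["buddy"], button_state(e))
```

An “Unverified” entry should only be marked as verified after `matches` succeeds against a fingerprint obtained outside the IM session itself.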
Now you have a secure connection between you and the other person. The question you still need to ask yourself is, “is the rest of the machine secure?” More on that later.