Off-the-record Messaging (OTR) is acryptographic protocol that provides encryption forinstant messaging conversations. OTR uses a combination ofAESsymmetric-key algorithm with 128 bits key length, theDiffie–Hellman key exchange with 1536 bits group size, and theSHA-1 hash function. In addition toauthentication andencryption, OTR providesforward secrecy andmalleable encryption.
The primary motivation behind the protocol was providingdeniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, oroff the record injournalism sourcing. This is in contrast with cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To UsePGP".[1]
The OTR protocol was designed by cryptographersIan Goldberg andNikita Borisov and released on 26 October 2004.[2] They provide a clientlibrary to facilitate support for instant messaging client developers who want to implement the protocol. APidgin andKopete plugin exists that allows OTR to be used over any IM protocol supported by Pidgin or Kopete, offering anauto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations. Version 4 of the protocol[3] has been in development since 2017[4] by a team led by Sofía Celi, and reviewed by Nik Unger and Ian Goldberg. This version aims to provide online and offline deniability, to update the cryptographic primitives, and to supportout-of-order delivery and asynchronous communication.
According to classifiedNSA documents published in theDer Spiegel article on 28 December 2014, theNSA intercepted a conversation between two users, but messages could not be decrypted by the NSA because the users were using the OTR protocol.[5]
OTR was presented in 2004 by Nikita Borisov,Ian Avrum Goldberg, andEric A. Brewer as an improvement over the OpenPGP and the S/MIME system at the "Workshop on Privacy in the Electronic Society" (WPES).[1] The first version 0.8.0 of the reference implementation was published on 21 November 2004. In 2005 an analysis was presented by Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk that called attention to several vulnerabilities and proposed appropriate fixes, most notably including a flaw in the key exchange.[6] As a result, version 2 of the OTR protocol was published in 2005 which implements a variation of the proposed modification that additionally hides the public keys. Moreover, the possibility to fragment OTR messages was introduced in order to deal with chat systems that have a limited message size, and a simpler method of verification against man-in-the-middle attacks was implemented.[7]
In 2007Olivier Goffart publishedmod_otr[8] forejabberd, making it possible to performman-in-the-middle attacks on OTR users who don't check key fingerprints. OTR developers countered this attack by introducing asocialist millionaire protocol implementation in libotr. Instead of comparing key checksums, knowledge of an arbitrary shared secret can be utilised for which relatively lowentropy can be tolerated.[9]
Version 3 of the protocol was published in 2012. As a measure against the repeated reestablishment of a session in case of several competing chat clients being signed on to the same user address at the same time, more precise identification labels for sending and receiving client instances were introduced in version 3. Moreover, an additional key is negotiated which can be used for another data channel.[10]
Several solutions have been proposed for supporting conversations with multiple participants. A method proposed in 2007 by Jiang Bian, Remzi Seker, and Umit Topaloglu uses the system of one participant as a "virtual server".[11] The method called "Multi-party Off-the-Record Messaging" (mpOTR) which was published in 2009 works without a central management host and was introduced inCryptocat by Ian Goldberg et al.[12]
In 2013, theSignal Protocol was introduced, which is based on OTR Messaging and theSilent Circle Instant Messaging Protocol (SCIMP). It brought about support for asynchronous communication ("offline messages") as its major new feature, as well as better resilience with distorted order of messages and simpler support for conversations with multiple participants.[13]OMEMO, introduced in an Android XMPP client calledConversations in 2015, integrates theDouble Ratchet Algorithm used in Signal into the instant messaging protocolXMPP ("Jabber") and also enables encryption of file transfers. In the autumn of 2015 it was submitted to theXMPP Standards Foundation for standardisation.[14][15]
Currently, version 4 of the protocol has been designed. It was presented by Sofía Celi and Ola Bini on PETS2018.[16]
In addition to providing encryption and authentication — features also provided by typical public-key cryptography suites, such asPGP,GnuPG, andX.509 (S/MIME) — OTR also offers some less common features:
As of OTR 3.1, the protocol supports mutual authentication of users using a shared secret through thesocialist millionaire protocol. This feature makes it possible for users to verify the identity of the remote party and avoid aman-in-the-middle attack without the inconvenience of manually comparingpublic key fingerprints through an outside channel.[citation needed]
Due to limitations of the protocol, OTR does not support multi-user group chat as of 2009[update][17] but it may be implemented in the future. As of version 3[10] of the protocol specification, an extra symmetric key is derived during authenticated key exchanges that can be used for secure communication (e.g., encryptedfile transfers) over a different channel. Support for encrypted audio or video is not planned. (SRTP withZRTP exists for that purpose.) A project to produce a protocol for multi-party off-the-record messaging (mpOTR) has been organized byCryptocat,eQualitie, and other contributors including Ian Goldberg.[12][18]
Since OTR protocol v3 (libotr 4.0.0) the plugin supports multiple OTR conversations with the same buddy who is logged in at multiple locations.[19]
| libotr | |
|---|---|
| Developer | OTR Development Team |
| Stable release | 4.1.1 / 9 March 2016; 9 years ago (2016-03-09) |
| Written in | C |
| Operating system | Cross-platform |
| Type | Software Library |
| License | LGPL v2.1+[20] |
| Website | otr |
These clients support Off-the-Record Messaging out of the box (incomplete list).
The following clients require a plug-in to use Off-the-Record Messaging.
Although Gmail'sGoogle Talk uses the term "off the record", the feature has no connection to the Off-the-Record Messaging protocol described in this article, its chats are not encrypted in the way described above—and could be logged internally by Google even if not accessible by end-users.[33][34]
{{cite conference}}: CS1 maint: multiple names: authors list (link){{cite journal}}:Cite journal requires|journal= (help){{cite journal}}:Cite journal requires|journal= (help)| Email clients | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Secure communication |
| ||||||||||||||
| Disk encryption (Comparison) | |||||||||||||||
| Anonymity | |||||||||||||||
| File systems(List) | |||||||||||||||
| Security-focused operating system | |||||||||||||||
| Service providers | |||||||||||||||
| Educational | |||||||||||||||
| Anti–computer forensics | |||||||||||||||
| Related topics | |||||||||||||||
| General | |||
|---|---|---|---|
| Software packages | |||
| Community | |||
| Organisations | |||
| Licenses |
| ||
| Challenges | |||
| Related topics | |||
