Security Communications The Internet

Protecting IM From Big Brother

holden writes "Ian Goldberg, leading security researcher, professor at the University of Waterloo, and co-creator of the Off-the-Record Messaging (OTR) protocol recently gave a talk on protecting your IM conversations. He discusses OTR and its importance in today's world of warrant-less wire tapping. OTR users benefit from being able to have truly private conversations over IM by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important. An avi of the talk is available by http as well as by bittorrent and a bunch of other formats."

  • by EmagGeek ( 574360 ) on Friday November 23, 2007 @07:37PM (#21458281) Journal
    You can't have perfect secrecy unless your RAM contents are also encrypted. Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case? If your RAM is unencrypted, then your IM conversation is stored in plain text SOMEWHERE, even if it is encrypted on the network stack. Of course, having encrypted RAM would be a HUMONGOUS performance hit, but it could be done. Hmmm..

    Off to the patent office I go..
  • Re:Encryption (Score:2, Interesting)

    by shikadi ( 1100921 ) on Friday November 23, 2007 @07:52PM (#21458393)
    It's not just about encryption, it's about privacy too. Do you want instant messaging to be used as evidence against you in the future? The reason it is called OTR is because it really is off the record. Recording of conversations is not evidence that a conversation ever occurred, since it purposely lets anyone forge messages after the conversation is over. If the person you were talking to decides to record everything you say to them, it doesn't matter, since you can easily show that what you said could have been forged. In fact, tools are created specifically for this purpose.
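
Added example (not part of the comment above and not code from the OTR project): a simplified Python sketch of the deniability property that comment describes. Messages are authenticated with a MAC key both parties hold, and the key is published once the conversation ends. The key derivation, function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive_mac_key(shared_secret: bytes) -> bytes:
    # Assumption: a simple hash-based derivation stands in for the real one.
    return hashlib.sha256(b"mac" + shared_secret).digest()

def tag(mac_key: bytes, message: bytes) -> bytes:
    return hmac.new(mac_key, message, hashlib.sha256).digest()

def verify(mac_key: bytes, message: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, message), t)

def demo():
    # Constructed value standing in for the secret both ends agreed on.
    shared = secrets.token_bytes(32)
    mac_key = derive_mac_key(shared)  # Alice and Bob both hold this key

    # During the conversation: Bob accepts Alice's message because only the
    # two of them know the key, and he knows he did not write it himself.
    said = b"meet at noon"
    bob_accepts = verify(mac_key, said, tag(mac_key, said))

    # An outsider without the key cannot produce a valid tag at this point.
    guess = tag(secrets.token_bytes(32), said)
    outsider_before = verify(mac_key, said, guess)

    # Bob's saved log proves nothing to a third party: he holds the same key,
    # so he could have produced a valid tag for words Alice never sent.
    never_said = b"words Alice never typed"
    bob_fabricated = verify(mac_key, never_said, tag(mac_key, never_said))

    # After the conversation the MAC key is published, so anyone can do it.
    published_key = mac_key
    outsider_after = verify(mac_key, never_said, tag(published_key, never_said))

    return {
        "bob_accepts": bob_accepts,
        "outsider_before_reveal": outsider_before,
        "bob_fabricated_verifies": bob_fabricated,
        "outsider_after_reveal": outsider_after,
    }

if __name__ == "__main__":
    print(demo())
```
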
  • by 99BottlesOfBeerInMyF ( 813746 ) on Friday November 23, 2007 @07:52PM (#21458397)

    "I do not recall." If it's good enough for the administration to use and get away with, it's good enough for me.

    Unless you're in the administration, that will get you tossed in jail. Normal citizens require plausible deniability. For hard drive encryption, this can be accomplished by saving dummy data accessible with a second password. For IM, perhaps we need something similar. If an IM client were to give a user the option of using a dummy password which would still initiate encrypted messages, but with a warning flag to the user on the other end, we might have parity.

    Encryption technologies that provide plausible deniability are possible, but I doubt they will enter widespread use (or even encryption in general) until the big players champion them. Why one of the major IM providers has not jumped on this as a differentiating feature is beyond me. I guess I see why Google would not include it in GTalk, seeing as they want to use the data to target ads (ditto yahoo and MS), but why isn't it built into ichat yet?

  • by uofitorn ( 804157 ) on Friday November 23, 2007 @08:08PM (#21458541)
    Exactly. But you can take steps to limit the lifetime of sensitive data in memory.

    See Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation http://www.stanford.edu/~blp/papers/shredding.pdf [stanford.edu]
  • by NotQuiteReal ( 608241 ) on Friday November 23, 2007 @08:14PM (#21458609) Journal
    They are sitting in plain text on my HDD.

    Anyone who is IM'ing with super-secret encoding and hoping that they are safe better not be IM'ing me, or someone like me who checks the "log" button...

    Sorry, sometimes I like to refer back to them, and that is the way they are kept. I am too lazy to do anything about it.

    I always assume I am just part of the noise in the s/n ratio that "they" are listening to.

    What's the opposite of tin-foil hat?

  • Re:Encryption (Score:2, Interesting)

    by jmcnaught ( 915264 ) on Friday November 23, 2007 @08:56PM (#21458881) Homepage

    I regularly use OTR in Pidgin with MSN and Jabber (Gmail chat) and have never had a problem. Adium X on the Mac also includes OTR support out of the box.

    I try to use OTR as much as possible, all of the time. I figure if I only protect the stuff that needs to be secret, it sticks out like a sore thumb. And the more encrypted traffic on the internet in general, the harder it is for them to break it all even if they do have magic quantum computers.

    Trying to get more people to use PGP/GPG with me over email for the same reasons, but it's a little harder to understand and get started so I'm not making as much progress.

  • Ian Goldberg (Score:1, Interesting)

    by Anonymous Coward on Friday November 23, 2007 @09:37PM (#21459173)
    ..lectures to me Tuesdays and Thursdays. I'm in his undergraduate course "Computer Security and Privacy". Cool to log on Slashdot and see your prof on the front page.

    -Ryan
  • Re:Encryption (Score:5, Interesting)

    by thegrassyknowl ( 762218 ) on Friday November 23, 2007 @11:24PM (#21459777)
    The beauty of OTR messaging is that it claims to guarantee perfect forward secrecy. In other words, if you lose control of your private keys no previous conversation is compromised. This is a big plus, because even if they force you to turn over the keys they can't see the previous conversations.

    It works (as I understand) by using your key pair to derive and exchange public session keys. The session keys then are used to do actual encryption and are changed frequently. The private key at each end is only ever stored in RAM and is discarded when the session ends or after a timeout.

    It's neat because even listening in to the whole session and obtaining the public session keys isn't enough to compromise the session. Of course, having the public keys and obtaining the master private key may go a long way to helping with a mathematical attack of the algorithm.
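
Added example (not part of the comment above and not code from the OTR project): a Python sketch contrasting a session key derived directly from long-term keys with one derived from throwaway per-session Diffie-Hellman keys, to show what forward secrecy protects against. The toy 255-bit modulus, the function names and the omission of the long-term signature step are assumptions made for brevity.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: chosen to keep numbers short,
# far too small for real use).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def run_session(alice_lt, bob_lt, ephemeral):
    """Return (session key, public values a wiretap would record)."""
    if ephemeral:
        # Fresh keys per session; the long-term keys would only sign these
        # public values (signature step omitted here).
        (a_priv, a_pub), (b_priv, b_pub) = keypair(), keypair()
    else:
        (a_priv, a_pub), (b_priv, b_pub) = alice_lt, bob_lt
    key = session_key(a_priv, b_pub)
    assert key == session_key(b_priv, a_pub)  # both ends agree
    return key, {"a_pub": a_pub, "b_pub": b_pub}  # ephemeral privs are dropped

def attacker_recover(transcript, stolen_lt_priv):
    """Later compromise: recorded traffic plus Alice's long-term private key."""
    return session_key(stolen_lt_priv, transcript["b_pub"])

def demo():
    alice_lt, bob_lt = keypair(), keypair()
    out = {}
    for name, eph in (("static", False), ("ephemeral", True)):
        key, transcript = run_session(alice_lt, bob_lt, eph)
        out[name] = attacker_recover(transcript, alice_lt[0]) == key
    k1, _ = run_session(alice_lt, bob_lt, True)
    k2, _ = run_session(alice_lt, bob_lt, True)
    out["rekeyed"] = k1 != k2  # each session gets an unrelated key
    return out

if __name__ == "__main__":
    print(demo())
```
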
  • Hmm (Score:2, Interesting)

    by ILongForDarkness ( 1134931 ) on Friday November 23, 2007 @11:31PM (#21459813)
    Nice how a Canadian researcher is looking into solutions to a mostly US problem, at least it is always US media talking about wiretaps. Perhaps if ~21% of the US budget wasn't blown on the military and God knows how much more on espionage, everyone wouldn't have to be as paranoid. My solution: if big brother gets the brilliant idea to tap innocent people for no reason, big brother should invest in a gun and blow his brains out.
  • Re:Encryption (Score:3, Interesting)

    by xiphoris ( 839465 ) on Saturday November 24, 2007 @04:05AM (#21461103) Homepage
    Email isn't trivial to fake in such a way that it would stand up to any kind of scrutiny whatsoever. Already there are simple authentication protocols that are becoming widespread enough to secure the average user. If the receiving domain has any kind of proper configuration, it will be able to validate whether a mail was sent properly using one of SPF records, PTR, DomainKeys, or any reputation system.

    Try to fake an email that looks like it authentically came from Amazon.com to a Yahoo account -- even from the perspective of a naive user, you can't do it.

    To a user smart enough to examine mail headers, no forged email is good enough to stand up to any inspection. It is an incorrect rumor that email is easy to forge. Certainly if the issue came up in court, an expert witness would lay the question of whether it was forged to rest by examining the mail headers. Any decent MTA can do the same automatically.
