Making your IM secure--and deniable

SAN FRANCISCO--When you hit the Send button on an instant message, do you really know who is on the other end?

Two researchers at the University of California at Berkeley have created an add-on to instant messaging that they claim will enable the participants to identify each other and have a secure conversation without leaving any proof that the chat occurred.

The result, dubbed off-the-record (OTR) messaging by security researchers Ian Goldberg and Nikita Borisov, is a plug-in for the Gaim instant-messaging client that enables encrypted messages without leaving a key--a sequence of characters--that could be used to verify that the conversation happened. That attribute, known in cryptography as perfect forward security, also prevents snoopers from reading any copies of the conversation.

"If tomorrow, my computer is broken into and the encryption key is stolen, the attacker can't read future messages," said Goldberg, a graduate of Berkeley.

In order for a secure and deniable IM conversation to occur, both parties need to have the off-the-record program installed on Gaim or use America Online's Instant Messenger with a server set up to be a proxy with software also developed by Goldberg and Borisov, the researchers said.

When a previously unregistered user wants to have an OTR conversation, a dialog box will appear with a digital key, identifying the sender. If the user accepts the credentials of the person contacting him, the key will be stored on his computer so that in the future, the sender is considered to be trusted. After that, the two participants can chat securely; the conversation is encoded so that others cannot intercept and read it.

Goldberg and Borisov presented their program at the annual CodeCon gathering of developers Saturday. People worried about instant-messaging security can download the software from the duo's site.

Goldberg said current messaging is insecure and criticized other solutions for leaving around logs and encryption keys that could be used as proof that a conversation happened. He said OTR messaging would give the participants the security without leaving any more trace of the conversation than today's instant-messaging clients--a worry for the privacy-centric security community.

"I would like to see this on by default," Goldberg said. "When you chat today, the messages are going through the clear, and there is no proof of who you are talking to."

While both the OTR messaging plug-ins and today's instant-messaging clients enable either participant to record logs of a conversation, those logs mean little after the conversation, Goldberg argued. The logs could be edited to add content.

That's why the two researchers avoided using digital signatures, Goldberg said. That technology for encrypting messages would have also acted as a digital signature and left a signed record of the conversation.
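
The argument in the last few paragraphs, as an added example that is not from the article or from the OTR software: when messages are authenticated with a MAC under a key both participants hold instead of a digital signature, either participant can produce a valid tag for any text, so a saved log proves nothing to a third party. The function names, the HMAC-SHA256 choice and the sample key and messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def tag(mac_key: bytes, sender: str, text: str) -> bytes:
    """Authenticate one chat message with HMAC-SHA256 under the shared key."""
    # Length-prefix the sender so ("ab", "c") and ("a", "bc") cannot collide.
    data = len(sender).to_bytes(2, "big") + sender.encode() + text.encode()
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, text: str, t: bytes) -> bool:
    """Constant-time check the receiving client performs during the chat."""
    return hmac.compare_digest(tag(mac_key, sender, text), t)


def log_entry(mac_key: bytes, sender: str, text: str) -> dict:
    """One line of a saved conversation log, with its authentication tag."""
    return {"sender": sender, "text": text, "tag": tag(mac_key, sender, text)}


def audit(log: list, mac_key: bytes) -> bool:
    """All a third party holding the log and the key can do: check every tag."""
    return all(verify(mac_key, e["sender"], e["text"], e["tag"]) for e in log)


def demo():
    # Constructed session key; in a real chat it comes from a key exchange.
    shared_key = secrets.token_bytes(32)

    # During the chat Bob can trust the tag: only he and Alice hold the key,
    # and he knows he did not write the message himself.
    genuine = [log_entry(shared_key, "alice", "lunch at noon?")]
    live_ok = verify(shared_key, "alice", "lunch at noon?", genuine[0]["tag"])

    # Afterwards Bob edits his saved log, adding a line Alice never sent.
    # He holds the same key, so the added line carries a valid tag too.
    edited = genuine + [log_entry(shared_key, "alice", "I never said this")]

    # Someone without the session key cannot produce tags that verify.
    outsider_ok = audit([log_entry(secrets.token_bytes(32), "alice", "x")],
                        shared_key)
    return live_ok, audit(genuine, shared_key), audit(edited, shared_key), outsider_ok


if __name__ == "__main__":
    print(demo())
```

The genuine and the edited log pass the same audit, which is why such a log cannot serve as proof; a signature made with a key only Alice holds would not have this property.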


5 comments (Page 1 of 1)
would we still know?
by nrlz February 14, 2005 11:49 PM PST
All it takes is for me to wait until my brother leaves the computer for me to start impersonating him on his computer. I'm doing it right now!
Deniability is the silver bullet for privacy
by February 15, 2005 2:45 PM PST
Deniability gives writers the freedom to claim that they have written something lame, instead of the actual "hot" writing, they are accused of. AGS Encryptions Ltd. holds the only modern deniability ciphersystem (US Patent 6,823,068). Check out www.agsencryptions.com
by Ignorexx May 19, 2008 9:15 AM PDT
Deniability is the tilting blow in the privacy invasion seesaw. It reverses the government intrusion into people's life. Way to go! Also look at YouDeny.com for deniable email!