Off-the-record messaging - Wikipedia
Cryptographic protocol
Off-the-record messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.
The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".
The OTR protocol was designed by cryptographers Ian Goldberg and Nikita Borisov and released on 26 October 2004. They provide a client library to facilitate support for instant messaging client developers who want to implement the protocol. A Pidgin and Kopete plugin exists that allows OTR to be used over any IM protocol supported by Pidgin or Kopete, offering an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations. Version 4 of the protocol has been in development since 2017 by a team led by Sofía Celi, and reviewed by Nik Unger and Ian Goldberg. This version aims to provide online and offline deniability, to update the cryptographic primitives, and to support out-of-order delivery and asynchronous communication.
According to classified NSA documents published in the Der Spiegel article on 28 December 2014, the NSA intercepted a conversation between two users, but messages could not be decrypted by the NSA because the users were using the OTR protocol.
History
OTR was presented in 2004 by Nikita Borisov, Ian Avrum Goldberg, and Eric A. Brewer as an improvement over the OpenPGP and the S/MIME system at the "Workshop on Privacy in the Electronic Society" (WPES). The first version 0.8.0 of the reference implementation was published on 21 November 2004. In 2005 an analysis was presented by Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk that called attention to several vulnerabilities and proposed appropriate fixes, most notably including a flaw in the key exchange. As a result, version 2 of the OTR protocol was published in 2005 which implements a variation of the proposed modification that additionally hides the public keys. Moreover, the possibility to fragment OTR messages was introduced in order to deal with chat systems that have a limited message size, and a simpler method of verification against man-in-the-middle attacks was implemented.
In 2007 Olivier Goffart published mod_otr for ejabberd, making it possible to perform man-in-the-middle attacks on OTR users who don't check key fingerprints. OTR developers countered this attack by introducing a socialist millionaire protocol implementation in libotr. Instead of comparing key checksums, knowledge of an arbitrary shared secret can be utilised for which relatively low entropy can be tolerated.
Version 3 of the protocol was published in 2012. As a measure against the repeated reestablishment of a session in case of several competing chat clients being signed on to the same user address at the same time, more precise identification labels for sending and receiving client instances were introduced in version 3. Moreover, an additional key is negotiated which can be used for another data channel.[10]
Several solutions have been proposed for supporting conversations with multiple participants. A method proposed in 2007 by Jiang Bian, Remzi Seker, and Umit Topaloglu uses the system of one participant as a "virtual server".[11] The method called "Multi-party Off-the-Record Messaging" (mpOTR) which was published in 2009 works without a central management host and was introduced in Cryptocat by Ian Goldberg et al.[12]
In 2013, the Signal Protocol was introduced, which is based on OTR Messaging and the Silent Circle Instant Messaging Protocol (SCIMP). It brought about support for asynchronous communication ("offline messages") as its major new feature, as well as better resilience with distorted order of messages and simpler support for conversations with multiple participants.[13]
OMEMO, introduced in an Android XMPP client called Conversations in 2015, integrates the Double Ratchet Algorithm used in Signal into the instant messaging protocol XMPP ("Jabber") and also enables encryption of file transfers. In the autumn of 2015 it was submitted to the XMPP Standards Foundation for standardisation.[14][15]
Currently, version 4 of the protocol has been designed. It was presented by Sofía Celi and Ola Bini on PETS2018.[16]
Implementation
In addition to providing encryption and authentication — features also provided by typical public-key cryptography suites, such as PGP, GnuPG, and X.509 (S/MIME) — OTR also offers some less common features:
Forward secrecy
Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie–Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts.
Deniable authentication
Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, assuring that it is impossible to prove that a specific message came from a specific person. Within the conversation the recipient can be sure that a message is coming from the person they have identified.
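The deniability and malleability properties described above, shown as an added example (not code from the article, the OTR specification or libotr): each message carries an HMAC-SHA1 tag under a key both parties hold instead of a signature, so the tag verifies inside the session but proves nothing once OTR has published the used MAC key. The SHA-256 counter keystream is a labelled stand-in for OTR's AES-128 counter mode, and all function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, counter: int, length: int) -> bytes:
    # Stand-in stream cipher (assumption): OTR itself uses AES-128 in counter mode.
    out, block = b"", 0
    while len(out) < length:
        seed = key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tag_for(mac_key: bytes, counter: int, ciphertext: bytes) -> bytes:
    # A MAC under a shared key: either party could have produced it.
    data = counter.to_bytes(8, "big") + ciphertext
    return hmac.new(mac_key, data, hashlib.sha1).digest()


def send(enc_key: bytes, mac_key: bytes, counter: int, plaintext: bytes):
    ciphertext = xor(plaintext, keystream(enc_key, counter, len(plaintext)))
    return counter, ciphertext, tag_for(mac_key, counter, ciphertext)


def receive(enc_key: bytes, mac_key: bytes, message):
    counter, ciphertext, tag = message
    if not hmac.compare_digest(tag, tag_for(mac_key, counter, ciphertext)):
        return None  # in-session integrity: a bad tag is rejected
    return xor(ciphertext, keystream(enc_key, counter, len(ciphertext)))


def rewrite_with_published_mac_key(mac_key, message, guessed_plain, new_plain):
    # After the MAC key is public, no encryption key is needed: XOR-ing the
    # difference into the stream-cipher ciphertext changes the plaintext.
    counter, ciphertext, _ = message
    altered = xor(ciphertext, xor(guessed_plain, new_plain))
    return counter, altered, tag_for(mac_key, counter, altered)


# Constructed sample keys and messages (equal length, as the XOR edit requires).
ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(20)
ORIGINAL, REWRITTEN = b"meet at noon", b"meet at nine"
```

A transcript that verifies under a published MAC key is therefore no evidence of authorship, while a tampered message still fails verification for as long as the MAC key is known only to the two participants.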
Authentication
As of OTR 3.1, the protocol supports mutual authentication of users using a shared secret through the socialist millionaire protocol. This feature makes it possible for users to verify the identity of the remote party and avoid a man-in-the-middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel.[citation needed]
Limitations
Due to limitations of the protocol, OTR does not support multi-user group chat as of 2009[17] but it may be implemented in the future. As of version 3[10] of the protocol specification, an extra symmetric key is derived during authenticated key exchanges that can be used for secure communication (e.g., encrypted file transfers) over a different channel. Support for encrypted audio or video is not planned. (SRTP with ZRTP exists for that purpose.) A project to produce a protocol for multi-party off-the-record messaging (mpOTR) has been organized by Cryptocat, eQualitie, and other contributors including Ian Goldberg.[12][18]
Since OTR protocol v3 (libotr 4.0.0) the plugin supports multiple OTR conversations with the same buddy who is logged in at multiple locations.[19]
Client support
libotr
Developer: OTR Development Team
Stable release: 4.1.1 / 9 March 2016
Written in:
Operating system: Cross-platform
Type: Software Library
License: LGPL v2.1+[20]
Website: otr.cypherpunks.ca/index.php#downloads
Off-The-Record authentication in Pidgin using Socialist millionaires protocol
These clients support Off-the-Record Messaging out of the box or via a plugin.
Adium (OS X)
Another.IM
BitlBee (cross-platform), since 3.0 (optional at compile-time)[21]
Blink SIP client (OS X)
CenterIM (Unix-like), since 4.22.2
ChatSecure (iOS)
CoyIM
HexChat, for *nix versions, with a third-party plugin[22]
HexChat, with a third-party plugin[23]
Jitsi (cross-platform)
Kopete (Unix-like)[24][25]
Miranda NG (Microsoft Windows), with a third-party plugin[26]
monocles chat, XMPP client supports OTR since 2022
Mozilla Thunderbird, since 68
Pidgin (cross-platform), with a plugin available from the OTR homepage[27]
Profanity, since 0.4.1
Psi (cross-platform)[28]
Spark
Zom Mobile Messenger (Android)
Tkabber (cross-platform), since version 1.1[29]
WeeChat, with a third-party plugin[30]
climm (Unix-like), since (mICQ) 0.5.4
irssi, since 1.2.0[31]
See also
Free software portal
References
1. Nikita Borisov; Ian Goldberg; Eric Brewer (28 October 2004). "Off-the-Record Communication, or, Why Not To Use PGP" (PDF). Workshop on Privacy in the Electronic Society. Retrieved 6 March 2014.
2. Ian Goldberg (26 October 2014). [OTR-users] Happy 10th anniversary!. Retrieved 27 April 2015.
3. Sofía Celi; Ola Bini (15 February 2019). "Off-the-Record Messaging Protocol version 4". GitHub.
4. "Add disclaimer · otrv4/otrv4@0c0847e". GitHub. Retrieved 20 September 2023.
5. "Inside the NSA's War on Internet Security". 28 December 2014.
6. Mario Di Raimondo; Rosario Gennaro; Hugo Krawczyk (2005). "Secure off-the-record messaging" (PDF). Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. Association for Computing Machinery: 81–89.
7. "Off-the-Record Messaging Protocol version 2".
8. "mod_otr - Man in the Middle module for Off-The-Record | ejabberd". www.ejabberd.im.
9. Chris Alexander; Ian Avrum Goldberg (February 2007). "Improved user authentication in off-the-record messaging". Proceedings of the 2007 ACM workshop on Privacy in electronic society (PDF). New York: Association for Computing Machinery. pp. 41–47. doi:10.1145/1314333.1314340. ISBN 9781595938831. S2CID 17052562.
10. "Off-the-Record Messaging Protocol version 3".
11. Jiang Bian; Remzi Seker; Umit Topaloglu (2007). Off-the-Record Instant Messaging for Group Conversation. IEEE International Conference on Information Reuse and Integration. IEEE. doi:10.1109/IRI.2007.4296601.
12. Ian Avrum Goldberg; Berkant Ustaoğlu; Matthew D. Van Gundy; Hao Chen (2009). "Multi-party off-the-record messaging". Proceedings of the 16th ACM conference on Computer and communications security (PDF). Association for Computing Machinery. pp. 358–368. doi:10.1145/1653662.1653705. hdl:11147/4772. ISBN 9781605588940. S2CID 6143588.
13. Nik Unger; Sergej Dechand; Joseph Bonneau; Sascha Fahl; Henning Perl; Ian Avrum Goldberg; Matthew Smith (2015). "SoK: Secure Messaging" (PDF). Proceedings of the 2015 IEEE Symposium on Security and Privacy. IEEE Computer Society's Technical Committee on Security and Privacy: 232–249.
14. Straub, Andreas (25 October 2015). "OMEMO Encryption". XMPP Standards Foundation website. Archived from the original on 29 January 2016. Retrieved 16 January 2016.
15. Gultsch, Daniel (2 September 2015). "OMEMO Encrypted Jingle File Transfer". XMPP Standards Foundation website. Retrieved 16 January 2016.
16. Sofía Celi; Ola Bini (21 July 2018). No evidence of communication: Off-the-Record Protocol version 4 (PDF). Retrieved 29 November 2018.
17. Ian Goldberg (27 May 2009). "multi-party OTR communications? (and other OTR details)". OTR-users mailing list.
18. Nadim Kobeissi (1 February 2014). "mpOTR Project Plan". Cryptocat wiki on GitHub.
19. Ian Goldberg (4 September 2012). "pidgin-otr and libotr 4.0.0 released!". OTR-announce mailing list.
20. "Off-the-Record Messaging".
21. "BitlBee Wiki". Wiki.bitlbee.org. 25 January 2014. Retrieved 15 May 2014.
22. "TingPing/hexchat-otr". GitHub. Retrieved 14 March 2017.
23. "Off the record plugin for HexChat". GitHub. 2 December 2021.
24. "kopete-otr in KDE for 4.1". Archived from the original on 28 March 2008.
25. "kopete-otr review request".
26. "Miranda OTR Plugin".
27. "OTR plugin for Pidgin".
28. "OTR Plugin". Github.com. Retrieved 18 March 2026.
29. "Tkabber OTR Plugin". Archived from the original on 11 March 2014.
30. "OTR plugin for WeeChat". GitHub. January 2019.
31. "Irssi Changelog - 1.2.0".
Further reading
Joseph Bonneau; Andrew Morrison (21 March 2006). "Finite-State Security Analysis of OTR Version 2" (PDF). Retrieved 5 September 2013.
Mario Di Raimondo; Rosario Gennaro & Hugo Krawczyk (2005). Secure Off-the-Record Messaging (PDF). Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. Association for Computing Machinery. Retrieved 27 August 2013.
External links
Official website
Protocol specification
Implementations of XEP-0364: list of messengers and libraries that supports the OTR.
XEP-0364: Current Off-the-Record Messaging Usage
Off-the-Record Messaging: Useful Security and Privacy for IM (Archived 30 December 2013 at the Wayback Machine), talk by Ian Goldberg at the University of Waterloo (video)
'Off-the-Record' Instant Messaging Tutorial (encryption, authentication, deniability, ..) on
An odyssey of encryption in XMPP: an overview of the current support of the OTR in XMPP clients