Improved User Authentication in Off-The-Record Messaging Chris Alexander Ian Goldberg David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada N2L 3G1 {cialexan,iang}@cs.uwaterloo.ca ABSTRACT faced with such puzzling terms, many users will sooner ignore the Instant Messaging software is now used in homes and businesses security features of a program than take the time to determine their by a wide variety of people. Many of these users would benefit proper use. from additional privacy, but do not have enough specialized knowl- This is especially true for Instant Messaging (IM) software. IM edge to use existing privacy-enhancing software. There is a need clients allow users to chat with other known users online, and are for privacy software to be easy to understand, with complicated easy enough for children to understand and use effectively. As cryptographic concepts hidden from the user. We look at improv- such, they have become a very popular way for people to commu- ing the usability of Off-the-Record Messaging, a popular privacy nicate both at home and, increasingly, at work. They are used by a plugin for instant messaging software. By using a solution to the wide variety of people, most of whom know very little, if anything, Socialist Millionaires’ Problem, we are able to provide the same about security and privacy, and it is unlikely that all such people level of privacy and authentication as in older versions of OTR, but will learn the basics of public-key cryptography before installing we no longer require that the user understand any difficult concepts their first IM client. Therefore there exists a need to provide secure such as keys or fingerprints. software that protects people’s privacy, while at the same time hid- ing cryptographic details from the user, presenting instead a user interface that is simple and intuitive. Categories and Subject Descriptors There are serious consequences if this need is not met. As an K.4.1 [Management of Computing and Information Systems]: example, consider the case of a man-in-the-middle (MITM) attack. Public Policy Issues—Privacy; E.3[Data]: Data Encryption; K.6.5 Here, two honest parties, Alice and Bob, wish to chat with each [Management of Computing and Information Systems]: Secu- other. Unbeknownst to them, a third party, Eve, wishes to learn the rity and Protection—Authentication; H.4.3 [Information Systems contents of their conversation. So when Alice and Bob establish Applications]: Communication Applications—Computer confer- a connection, Eve simply ensures that they both establish connec- encing, teleconferencing, and videoconferencing; C.2.2[Computer- tions with herself instead of each other. Eve may now pass mes- Communication Protocols]: Network Protocols—Applications sages from her connection with Alice to her connection with Bob, so no messages go missing, but they are all read by Eve before reaching their intended destination. General Terms IM networks have an inherent weakness towards MITM attacks. Security, Algorithms, Human Factors Since popular IM protocols tend to route all messages through a central server, MITM attacks from this central point can be very ef- Keywords fective. Even if messages are properly encrypted, such attacks can succeed. For example, using Trillian’s SecureIM feature encrypts Authentication, fingerprints, instant messaging, socialist million- messages but does not perform any authentication at all, so MITM aires’ protocol attacks are not detected. Another good example is the Jabber pro- tocol, where messages are only encrypted between a client and the 1. INTRODUCTION central server, not from client to client. Thus an attack at the server As pointed out by Whitten and Tygar [15], it is very difficult to would still recover the contents of every message. develop security software for the general population. Many of the That said, there are good solutions available that prevent MITM basic tools used, including keys, fingerprints and digital signatures, attacks and many others. One such solution, called Off-the-Record are difficult for an uninitiated user to understand. Further, when Messaging (OTR) [1], is freely available online and compatible with many of the popular IM protocols used today. Unfortunately, it requires users to verify each other’s fingerprints in real time, which is outside of the comfort zone of many others. Other tools are no Permission to make digital or hard copies of all or part of this work for better. PGP requires even more knowledge of public-key cryptog- personal or classroom use is granted without fee provided that copies are raphy than OTR, and is difficult for new users to understand [15]. not made or distributed for profit or commercial advantage and that copies In this paper, we offer an improvement to OTR that would not affect bear this notice and the full citation on the first page. To copy otherwise, to its security and privacy properties, but allow it to be used properly republish, to post on servers or to redistribute to lists, requires prior specific with a much smaller amount of prior knowledge. permission and/or a fee. WPES’07, October 29, 2007, Alexandria, Virginia, USA. Section 2 explains the goals and history of the OTR protocol, Copyright 2007 ACM 978-1-59593-883-1/07/0010 ...$5.00. Section 3 explains the basic usability shortcoming of OTR thus far, used is a hash of the decryption key for that message. This way, and Section 4 gives the protocol used to address this shortcoming. anyone who can decrypt the message can also forge a correct MAC Section 5 examines how to use the protocol securely, Section 6 tag, but an adversary unable to decrypt messages cannot. describes the actual modification of OTR and Section 7 offers our The last desirable feature that was put into OTR was deniability. conclusions. So far, the protocol ensures that only Bob can read Alice’s mes- sages, but we have not discussed the situation where Bob attempts 2. OTR MESSAGING PROTOCOL to prove the contents of the conversation to a third party. First of In this section we describe the evolution of the Off-the-Record all, simply by using symmetric encryption and HMAC, OTR guar- Messaging protocol, from its inception to the present day. antees that all proper messages were generated by someone who knew the secret key; that is, either Alice or Bob. On its own, this 2.1 Original OTR Protocol prevents Bob from proving anything, as he could simply have pro- The original OTR protocol was presented by Borisov, Goldberg, duced all of the messages himself. However, OTR goes beyond and Brewer in 2004 [1]. It was motivated by the idea of two people, this. say Alice and Bob, conversing face-to-face in a private room. In The specific encryption scheme used is AES in counter mode, this case, Alice may be assured that no one else may hear what she which is a stream cipher. This means that an adversary may alter says to Bob. She may also be assured that there is no evidence of a bit of a ciphertext to cause a corresponding change to that bit in the conversation outside of Bob’s memory, so Bob will be unable the plaintext. Also, after a key is deleted, the corresponding MAC to prove to anyone what she said. Alice is then free to say whatever key is published. This means that after the fact, anyone could alter she wishes, without having to worry about her words later being a ciphertext to be anything they wished and then generate a valid used against her. MAC for it. This expands the deniability of Alice’s messages; as Today, many social and business conversations occur not in per- soon as a MAC key is published, any message using that key could son, but over the Internet using IM. OTR was developed as a way have been generated not only by either Alice or Bob, but also by to give the same level of privacy to an IM conversation as to a face- anyone casually observing their communication. Any link between to-face one. Alice and the messages she sends under OTR is thus broken. To begin with, OTR uses a Diffie-Hellman (DH) key exchange to establish a shared secret between Alice and Bob [5]. After this 2.2 Attack on OTR version 1 exchange, they can use their shared secret to encrypt their mes- About a year after the original publication, Di Raimondo, Gen- sages, preventing any adversary from learning about their conver- naro, and Krawczyk [4] found an attack on OTR version 1. They sation or launching a man-in-the-middle (MITM) attack. However, pointed out that Diffie et al.’s identity misbinding attack [6] would a MITM attack is still possible during the DH key exchange it- work on the initial DH key exchange in OTR. This attack allows an self. To prevent this, Alice and Bob sign their DH key exchange adversary Eve to interfere with the initial key exchange in such a messages using long-lived public keys. If Alice and Bob possess way that Alice and Bob still reach the same key at the end of the public/private key pairs (vA,sA) and (vB ,sB) respectively, then protocol, but Alice believes that she is talking to Bob while Bob the key exchange runs as follows: believes that he is talking to Eve. x To do this, Eve runs a MITM attack, starting simultaneous con- A → B : SignsA (g ), vA y versations with both Alice and Bob. Messages from Alice to Bob B → A : SignsB (g ), vB are replaced with identical messages signed by Eve, while mes- If Bob knows Alice’s public key vA in advance, then he can check sages from Bob to Alice carry their original signatures.