||This article possibly contains original research. (August 2013)|
Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides perfect forward secrecy and malleable encryption.
The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with other cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. In most cases, people using such cryptography software are not aware of this and might be better served by OTR tools instead. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".
The OTR protocol was designed by cryptographers Ian Goldberg and Nikita Borisov. They provide a client library to facilitate support for instant messaging client developers who want to implement the protocol. A Pidgin and Kopete plugin exists that allows OTR to be used over any IM protocol supported by Pidgin or Kopete, offering an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations.
In addition to providing encryption and authentication — features also provided by typical public-key cryptography suites, such as PGP, GnuPG, and X.509 (S/MIME) — OTR also offers some less common features:
- Perfect forward secrecy: Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie-Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts.
- Deniable authentication: Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, assuring that it is impossible to prove that a specific message came from a specific person. Within the conversation the recipient can be sure that a message is coming from the person they have identified.
As of OTR 3.1, the protocol supports mutual authentication of users using a shared secret through the socialist millionaire protocol. This feature makes it possible for users to verify the identity of the remote party and avoid a man-in-the-middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel.
Due to limitations of the protocol, OTR does not support multi-user group chat as of 2009 but may be implemented in the future. As of version 3 of the protocol specification, an extra symmetric key is derived during authenticated key exchanges that can be used for secure communication (e.g. encrypted file transfers) over a different channel. Support for encrypted audio or video is not planned.
Since OTR 4.0.0 the plugin supports multiple OTR conversations with the same buddy who is logged in at multiple locations.
These clients support Off-the-Record Messaging out of the box.
- Adium (OS X)
- climm (Unix-like), since (mICQ) 0.5.4
- Cryptocat (cross-platform), since 2.0
- MCabber (Unix-like), since 0.9.4
- CenterIM (Unix-like), since 4.22.2
- Jitsi (cross-platform)
- BitlBee (cross-platform), since 3.0 (optional at compile-time)
- ChatSecure (Android, iOS)
- Xabber (Android)
- yaxim (Android)
- IronChat, based on Xabber development (Android)
- Kopete (Unix-like)
Gmail's Google Chat "Off the Record"
Gmail's Google Talk uses the term "off the record" to mean that a chat log is not retrievable by an end user from the Gmail website. Gmail's "off the record" mode has no connection to Off-the-Record Messaging, and its chats are not encrypted in the way described above and may be logged internally by Google even if not accessible by end-users. Google uses the term to mean that chat logs are not accessible from the Google website (usually all chats are saved and can be displayed again at any time). Google's policy on "off the record" chats does not state that logs are not stored on Google's servers.
The following clients require a plug-in to use Off-the-Record Messaging. Plugin support allows use of OTR with all of a client's implemented instant messaging protocols (e.g. OSCAR, XMPP, MSNP, YMSG etc.).
- Pidgin (cross-platform), with a plugin available from the OTR homepage
- Miranda IM (Microsoft Windows), with a third-party plugin
- Psi (cross-platform), with a third-party plugin and build, in Psi+ native usable
- irssi, WeeChat, and xchat, with a third-party plugin
- Gajim, with a third-party plugin
- Nikita Borisov, Ian Goldberg, Eric Brewer (2004-10-28). "Off-the-Record Communication, or, Why Not To Use PGP" (PDF). Workshop on Privacy in the Electronic Society. Retrieved 2006-08-29.
- Ian Goldberg (May 27, 2009). "multi-party OTR communications? (and other OTR details)". OTR-users mailing list.
- "Off-the-Record Messaging Protocol version 3".
- Ian Goldberg (September 4, 2012). "pidgin-otr and libotr 4.0.0 released!". OTR-announce mailing list.
- "kopete-otr in KDE for 4.1".
- "kopete-otr review request".
- "Chatting off the record - Talk Help".
- "OTR plugin for pidgin".
- "Miranda OTR Plugin".
- Psi-Patches and OTR-Plugin on tfh-berlin.de
- Website of the Psi-Developperversion Psi+
- "irssi-otr / xchat-otr plugin".
- "OTR plugin for Gajim".
- Joseph Bonneau, Andrew Morrison (2006-03-21). Finite-State Security Analysis of OTR Version 2 (PDF). doi:10.1.1.165.7945. Retrieved 2013-09-05.
- Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk (2005). Secure Off-the-Record Messaging (PDF). Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. Association for Computing Machinery. doi:10.1.1.101.1143. Retrieved 2013-08-27.
- OTR project site
- Protocol specification
- Off-the-Record Messaging: Useful Security and Privacy for IM, talk by Ian Goldberg at the University of Waterloo (video).
- OTR tutorial (video)