Archive for June, 2006

CyTRAP Labs guide: Secure instant messaging made easy

Wednesday, June 28th, 2006


An abridged version of this tip appeared in Online PC Zeitung No. 7 - 2006, page 10


CyTRAP Labs recommends that you apply a multi-layered security approach for the safe use of instant messaging software. In general, you should follow these protective measures:

  1. As a rule, the safest chats are purely text-based ones in which you exchange no files at all.
  2. To prevent potential attacks via chat, you need a firewall that is correctly installed and doing its job properly (run the free check here: CASEScontact.org guide: How to get rid of spyware and stealthware).
  3. Check regularly that you have installed the current patches for the instant messaging software you use.
  4. Make sure the option settings prevent the automatic acceptance of files. Files should only be saved after a security prompt; learn more here: CyTRAP Labs guide - 10 tips for people who hate e-mail but love instant messaging - tips 1-5
  5. Do not open unknown file attachments from unknown senders or of unknown type. Agree on file transfers in advance even with known senders, because sender addresses can be forged.
  6. The risk of inadequate encryption should be minimized. You should therefore use a program that, unlike MS Instant Messenger or Google Talk, lets you encrypt everything (see the CASEScontact guide for a free encryption program that is quick and easy to use). Even so, confidential information such as bank account details, passwords or the like simply does not belong in a chat.

More information, tips and free software on this topic can be found in the CASEScontact.org guide, which explains how to minimize the risks of instant messaging chat properly and with the help of free tools. You can find the guide, including the podcast, on the website:

CyTRAP Labs recently discovered a botnet that spread via instant messenger messages, using malware that hooks the computer into so-called "zombie networks". The hacker group succeeded in installing a rootkit on these computers. Anyone who clicks on the links contained in the messages becomes part of the botnet. The term botnet is used when a very large number of PCs are joined together by remote control and misused for actions such as the mass sending of spim (spam via IM).

The fact that instant messenger software is used for this is not due to a security hole but rather to a lack of security awareness among users.

Therefore, improve your protection with the help of the tools and tips that you can read about in the CASEScontact guide (see the link above).


CyTRAP Labs’ choice - tool to de-install Microsoft patches that may be faulty

Tuesday, June 27th, 2006


Recently a patch fixed two critical flaws (CASEScontact reported about it) that were addressed in Security Bulletin MS06-025. Unfortunately, users who rely on:

  • dial-up lines and
  • a terminal window or dial-up scripting

reported problems caused by the patch. Microsoft is working on revising the patch; in the meantime, customers who use dial-up scripting or terminal window features may want to de-install the patch until a properly working new version is made available.

The practical thing would be to find the useless directory and remove the de-installation entries under the. This script pcwKillUninstall.HTA helps to get this job done using a CD/DVD or directly from your PC:

It works nicely and easily; we recommend that you download it and save it where you can find it again when you need it.
PS. Some anti-virus packages will show you an alarm when you start this script.


CyTRAP Labs EU IST news: this week’s highlights 2006-06-25

Monday, June 26th, 2006


Get your hands on the newsletter read by Europe’s IT security experts via e-mail by subscribing to CASEScontact.org

This week’s newsletter can be read online by visiting:

This week’s highlights are:

  1. Free tool for Instant Messaging - CyTRAP Labs’ 2nd Choice but learn about their 1st choice - protect your privacy better
  2. Be careful because your laptop may be exploited thanks to your PC's faulty driver - scan tools available
  3. Offshoring and electricity blackouts - like home much talk but not enough protection - how can you manage these risks better?

If you want past issues you get them here in the archive of CyTRAP Labs — EU IST News (ISSN 1600-1869)

Enjoy


CASEScontact.org: this week’s highlights 2006-06-25

Sunday, June 25th, 2006


Get your hands on the latest content via e-mail by subscribing to CASEScontact.org

Get the ENGLISH SUMMARY at the bottom of this message.

On Friday a week ago there was a so-called zero-day vulnerability in Excel; on Monday this week Microsoft also published a Security Advisory, about which CASEScontact.org reported (in the Update section, with link):

In addition, a security problem with long URLs was discovered in Windows MS Office Excel. CASEScontact.org has published a warning that explains the most important information on the critical patches:

==>

English Summary

Friday a week ago, another zero-day vulnerability was discovered with Excel. CASEScontact.org issues an update with the additional information from the Microsoft Security Advisory that was published Monday this week:

As well, an additional highly critical vulnerability was discovered regarding Windows MS Office Excel and long URLs. CASEScontact.org issued an advisory about this including what you can do until Microsoft releases the patch:


CyTRAP Labs advisory - trend - phishing attacks - another first - telephone only phish

Saturday, June 24th, 2006


    German summary at the end of this story.

We all know that phishing is a bad thing and that we should protect ourselves against these attacks. Of course, you say, but things are getting ever better out there.
Users have become smarter, no longer believing an e-mail that asks them to click on a URL and visit a website, but so have the attackers. Recently, Californian customers got an e-mail that looked something like this


CyTRAP Labs’ guide - safer Instant Messaging (IM) - How to use OTR effectively when chatting - installation guide

Thursday, June 22nd, 2006


In the previous story we showed you where to get hold of:

We also explained how it works and why it helps to use it.

In this posting we focus on the issue regarding the effective use of Off-the-Record (OTR) plug-in for Gaim to manage:

  1. deniable authentication, which means that while Linus is talking to Peter, he’s assured that he really is talking to Peter, and not an imposter, as well as
  2. perfect forward secrecy, meaning Sonja cannot turn around and prove that Linus was talking to Peter.

For explanation regarding the above two concepts see (CyTRAP Labs’ guide - safer Instant Messaging (IM) now - off-the-Record (OTR) plugin for Gaim saves the day - introduction).

Take about 30 minutes and install Gaim, the OTR plug-in and test it… it is worth your trouble. This will make sure that:

    A) Captured or archived messages prove nothing, and
    B) forward secrecy means Big Brother can’t read your messages even if he wiretaps you AND grabs your computer later on

The Off-the-Record (OTR) plug-in is offered through three downloads,

  1. the OTR library (libotr),
  2. the Gaim OTR plugin (gaim-otr), and the
  3. OTR localhost proxy (otrproxy).

If you have Linux, Windows, or Mac OS X installed, just download the OTR library and the OTR plugin for Gaim, install them and you are set.

How to use OTR with Gaim

To begin with, you have to download and install the OTR library and the Gaim plugin (see items 1 and 2 above).

The plugin puts the gaimotr.so library under

  • /usr/local/lib/gaim/

If you have a separate drive for all programs, as is recommended to better safeguard your hard drive, Gaim’s lib directory is elsewhere (for example, /usr/lib/gaim under drive D, Program Files/communication/Gaim); just copy the plugin to that directory. If you want to know how to manage your hard drive securely and effectively when you install such programs, have a look at the CASEScontact guide - New PC or Hard Drive - Partitioning - Improve Performance and Security in Windows XP.

This plugin depends upon the libotr.so.1 library, which it looks for under /usr/lib/ — although it resides in /usr/local/lib/. You need to create a symbolic link to run the plug-in:

  • ln -s /usr/local/lib/libotr.so.1 /usr/lib/libotr.so.1

Once the installation is done, you:

  • open Gaim and choose Tools -> Preferences
  • select the Plugins option in the left panel of the window
  • scroll to the Off-the-Record Messaging option and select the check box

This enables the plugin, and an Off-the-Record Messaging option appears under Plugins. Select it to bring up the OTR interface.

How to generate private keys when using OTR with Gaim

To achieve this easily, do as follows:

  • select the Config tab,
  • choose one of your accounts from the pull-down menu, and click Generate

Naturally, the sequence of numbers and letters that appears above the Generate button is your fingerprint. If you use several chat accounts, please generate separate fingerprints for each of these.

So how does IM work with OTR in practice?

Start Gaim. Once you open a chat window, a new button appears at the bottom right of the window that reads:

  • ‘OTR: Not private’

Clicking this will activate the OTR protocol and start a new private session. The button will then read ‘OTR: private.’

The first time you use OTR to have a private conversation with one of your friends, a dialog box appears with your friend’s fingerprint. Of course, you will have to verify and accept this fingerprint. Thereafter, it will be stored on your computer’s hard drive.

Going back to the OTR preference interface will show you your buddy and their fingerprint listed, as well as their status. On subsequent sessions, the plugin will automatically establish a secure connection with this individual.

When you establish a private chat with your friend, a pop-up will appear showing the other person’s:

  • screen name,
  • fingerprint, and
  • a secure ID for the session that has two parts:
    one part is shown in bold to you, and
    your buddy sees the other part in bold.

If you now use Gaim to chat, your IM session is being protected because all messages are encrypted, which means:

  1. data being transferred across the network is gibberish or plain incomprehensible, as well as,
  2. the fingerprint sent for establishing the connection is also encrypted

Accordingly, OTR messaging is not that difficult to set up, but most important is that, besides encryption, it gives you deniable authentication and perfect forward secrecy (see the beginning of this posting for an explanation).

You may wonder why you might use deniable authentication or perfect forward secrecy. There are two examples from regulation and courts in the UK and the U.S. that suggest you should:

  1. Regulation that matters - UK - Part 3 of the Regulation of Investigatory Powers Act that requires a bank or an individual to hand over encryption keys if demanded by authorities
  2. IM and e-mail can be used in a divorce case but not if acquired with the help of spyware - see Florida (just click on Login as a guest).

With this plug-in, you neither have the keys nor can a particular conversation be attributed to you.

If you work with a proxy there are some additional steps you have to consider and you will find information here:

Gaim has the beta for 2.0 out right now, and when it stops being beta, it will support webcams and voice chat (including VoIP).


CyTRAP Labs’ guide - safer Instant Messaging (IM) now - off-the-Record (OTR) plugin for Gaim saves the day - introduction

Wednesday, June 21st, 2006


We have previously pointed out that being safe while using instant messaging requires some careful steps to be followed, as outlined here:

Additionally, we have also suggested you use such a program as gaim and encrypt the software

Unfortunately, sometimes encryption is not enough for keeping conversations private. For instance, keys can be stolen, thereby permitting a malicious user to decipher your conversations. For conversations that need to be kept confidential, the:

This plug in makes sure that no trace of a conversation you ever had using IM will be recorded. The software provides:

  • standard security features like authentication, to ensure you are talking to the person you think you are, and
  • encryption, so no one can tap into your conversation.

However, what is really neat is that OTR introduces two new security concepts to instant messaging:

  1. deniable authentication, which means that while Linus is talking to Peter, he’s assured that he really is talking to Peter, and not an imposter, as well as
  2. perfect forward secrecy, meaning Sonja cannot turn around and prove that Linus was talking to Alice.

The key here is that all the messages between Linus and Peter come with proof that they were written by either Linus or Peter, but what is great is that you cannot tell which. When Peter gets a message from Linus, he knows that he did not write it, hence it must have been written by his pal Linus. But if Peter shows this message to Sonja, she has no justification for believing that Linus wrote it, since Peter could very well have written it himself.

A bit confused? Don’t be, it works. What is neat indeed is the perfect forward secrecy. This prevents third parties from decrypting a conversation. That should not be ignored, considering that several governments, including the UK, want people to be able to provide the encryption keys if asked to do so. But the OTR messaging client does not store encryption keys on the computer at all; it only stores signature keys.

At the beginning of every conversation, Linus’ client creates a brand-new encryption key (and never writes it to disk), and sends Peter a signed message saying ‘this is my current encryption key: …, signed, Linus.’ Linus then uses that encryption key to send messages to Peter. The signature proves that Peter is an OTR user, but it cannot be traced to a specific message. This allows an OTR user to maintain deniability.

Also, as frequently as possible, Peter’s OTR messaging client generates new encryption keys, and sends them to Linus. When Linus’ client confirms he’s received a new key, Peter’s client erases the old one from memory. Once Peter’s client has erased the secret part of his encryption key, no one can read the old messages, even if Peter’s and Linus’ computers are compromised later.
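The key handling described above, as an added example that is not part of the original post and is not OTR's own code: a toy Diffie-Hellman exchange with MAC-authenticated messages, showing why a shared MAC key gives deniability and why erased per-session secrets give forward secrecy. The group parameters, the SHA-256 keystream and the names `Party`, `seal`, `unseal` and `demo` are assumptions made for this sketch, and the signing of the public values with long-term signature keys is left out.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example; far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

class Party:
    """Holds only a per-session secret; long-term signature keys are omitted here."""
    def __init__(self):
        self.priv = None

    def new_ephemeral(self):
        self.priv = secrets.randbelow(P - 3) + 2   # kept in memory only
        return pow(G, self.priv, P)                # public value sent to the peer

    def session_keys(self, peer_pub):
        if self.priv is None:
            return None                            # secret erased: nothing to derive from
        seed = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        return (hashlib.sha256(b"enc" + seed).digest(),
                hashlib.sha256(b"mac" + seed).digest())

    def erase(self):
        self.priv = None  # Python cannot guarantee memory wiping; this models the step

def _xor_stream(key, data):
    # SHA-256 in counter mode as a stand-in stream cipher (an assumption of this sketch).
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext):
    enc, mac = keys
    ct = _xor_stream(enc, plaintext)
    return ct, hmac.new(mac, ct, hashlib.sha256).digest()

def unseal(keys, ct, tag):
    enc, mac = keys
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return _xor_stream(enc, ct)

def demo():
    linus, peter = Party(), Party()
    l_pub, p_pub = linus.new_ephemeral(), peter.new_ephemeral()
    l_keys, p_keys = linus.session_keys(p_pub), peter.session_keys(l_pub)
    ct, tag = seal(l_keys, b"meet at noon")            # Linus -> Peter
    received = unseal(p_keys, ct, tag)
    # Deniability: Peter holds the same MAC key, so he could have made this tag himself.
    forged = seal(p_keys, b"text Linus never wrote")
    forgery_accepted = unseal(l_keys, *forged) == b"text Linus never wrote"
    # Forward secrecy: after both sides erase, the recorded transcript
    # (l_pub, p_pub, ct, tag) plus a seized machine no longer yields the keys.
    linus.erase(); peter.erase()
    recoverable = linus.session_keys(p_pub) is not None
    # A fresh exchange produces unrelated keys, so the old tag fails under them.
    l_pub2, p_pub2 = linus.new_ephemeral(), peter.new_ephemeral()
    try:
        unseal(linus.session_keys(p_pub2), ct, tag); old_ok = True
    except ValueError:
        old_ok = False
    return received, forgery_accepted, recoverable, old_ok
```

`demo()` returns the decrypted message, whether Peter's self-made message verifies on Linus' side, whether the old keys can still be derived after erasure, and whether the old message verifies under the next session's keys.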

Get instructions about how to install this plug-in in the


CyTRAP Labs EU IST news: this week’s highlights 2006-06-18

Sunday, June 18th, 2006


Get your hands on the newsletter read by Europe’s IT security experts via e-mail by subscribing to CASEScontact.org

This week’s newsletter can be read online by visiting:

This week’s highlights are:

  1. Regulation - USA - CALEA and wiretapping - VOIP - security breaches you should be concerned about,
  2. Regulation - European Union - improved security stage 3 but will it make a difference?
  3. Do you use stickies - here comes the electronic version - neat

If you want past issues you get them here in the archive of CyTRAP Labs — EU IST News (ISSN 1600-1869)

Enjoy
