[Underground Security Paper no. 1]
Encrypting Instant Messaging Conversations v1.0
By: DIzzIE [antikopyright 2006]

Whenever you talk online with your instant messaging (IM) client of choice, your conversations can be, and in all probability are, recorded, monitored, and read. Any data which travels over a network can be viewed using programs known as packet sniffers, with some specially crafted programs, such as IM Sniffer or AIM Sniff, designed exclusively to capture IM communications. No matter how pathetically dull your treacherous life is, chances are someone is bored enough to fuck with it.

What will soon follow is a list of various programs and plugins which you can use with most standard IM clients to encrypt your conversations. The focus will be predominantly on Windows systems (though the tools discussed are often available for other platforms as well), and will also only cover free (as in beer) software, as there's no need to pay when there are plenty of gratis alternatives (if, however, a time does come when the below mentioned tools stop being free, there's a textfile on finding serial numbers here: www.dizzy.ws/serials.htm).

Nota Bene: Always encrypt your conversations (even the seemingly innocuous ones) and always keep regenerating (changing) your encryption keys. The reason for the former is that, unless you are intentionally spreading disinformation which you plan on the sniffers seeing, whatever data you consider to be unimportant can be used to compile a profile of you and your activities, which can in turn be used to gain insight into life habits, password choices or those fun password reminder questions, and so forth. The reason for the latter is that the longer you use the same key to encrypt your conversations, the more data and time the attacker has to spend on trying to crack your encryption. Change your key once every hour, every day, every week, or every chat session.
The choice is yours, just remember that the longer you use the same key, the more vulnerable you become. Regenerating your key is also easier to do with some of the programs below than with others, while some even regenerate the key for you.

Now then, with no particular order in mind, on with the list!

---

Name: Gaim-Encryption (http://gaim-encryption.sourceforge.net/)
Key Strength: 512 to 4096 bit RSA keys.
Works With: Gaim (http://gaim.sourceforge.net/)
Operating Systems Supported: Windows/*nix
Protocols Supported: AIM, Jabber, ICQ, [unconfirmed], YIM [unconfirmed], MSN [unconfirmed], Gadu-Gadu [unconfirmed], GroupWise [unconfirmed], Napster [unconfirmed], SILC [unconfirmed], IRC [not supported (while Gaim does act as a primitive IRC client, the Gaim-Encryption plugin does not work with Gaim IRC, see below for IRC encryption options)]

Installation Example: Download and install Gaim. Download the Gaim-Encryption plugin and run the installer. Run Gaim. Click on Preferences and go down to Plugins on the left-hand side. Find 'Gaim-Encryption' listed on the right, and check the accompanying checkbox. Restart Gaim. Go back to Preferences, and this time you should see 'Gaim-Encryption' listed under Plugins on the left-hand side. Select 'Gaim-Encryption' and in the Config tab on the right make sure that 'accept conflicting keys automatically' is unchecked, and that 'automatically encrypt if buddy has plugin' and 'broadcast encryption capability' are both checked. Checking the remaining 'accept key automatically if no key on file' box is optional. Next, click on the Local Keys tab and select your key. If you don't see any keys listed there, you will first need to start an encrypted conversation with someone else who is using the Gaim-Encryption plugin. Once the conversation has been started, go back to the Local Keys tab and select your key.
Click on Regenerate Key and in the Generate Keys pop-up type in 4096 (the maximum key strength the GE plugin supports at the time of this writing) instead of the 1024 value listed in the Key Size field, and hit OK. On slower machines it will appear as if Gaim has frozen on the 'generating RSA key pair...' screen. This is normal, so do not attempt to restart Gaim; just give it a few minutes. The person with whom you first initiated the conversation should also be regenerating zir key. Once your key has been successfully regenerated, click on the Trusted Buddy Keys and the Recent Buddy Keys tabs and delete the existing 1024 bit keys from your list. Finally, restart Gaim and reinitiate your conversation. Both the Tx and Rx locks in the IM window should now be red (you may also see a confirmation dialogue pop up, which asks whether you want to accept the key once, accept it and save it, or reject it. Ideally, you should Accept Once). Now go back to the Recent/Trusted Buddy Keys tabs and make sure that the key now stored there for your chat partner is 4096 bits. Assuming you possess a secure email account and/or secure phone line, you should contact each other and confirm the Key Fingerprint to help ascertain the identity of your chat partner, and then hit Close to exit out of the Preferences menu. You should now be ready to engage in secure conversations.

Note: if when messaging your chat partner the locks in the IM window do not turn red, make sure you both have the 'automatically encrypt if buddy has plugin' and 'broadcast encryption capability' options checked in the Config tab, and try clicking on the lock icons.

---

Name: Off-the-Record (OTR) Messaging (http://www.cypherpunks.ca/otr/)
Key Strength: ??? (some sort of Diffie-Hellman protocol?) [The description of the OTR protocol is available here: http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html.
It is complex and convoluted, so I was unable to figure out what the key strength is; if you do, however, then let me know!]
Works With: Gaim, Adium, Miranda IM [unconfirmed], iChat [unconfirmed], Trillian [unconfirmed], vanilla AIM client [unconfirmed] [note: with iChat, Trillian, and the vanilla AIM client, OTR works using the OTR proxy program, which I couldn't get to work; however, Gaim, Adium, and Miranda IM use an easier to implement OTR plugin which doesn't require the proxy tool]
Operating Systems Supported: Windows/Mac (OS X)/*nix [unconfirmed]
Protocols Supported: AIM; in theory, most other protocols the aforementioned programs support should work as well (i.e. YIM, MSN, etc.), though I haven't tested them. Oh, and IRC, which Gaim/Trillian/others support, is also not encrypted, so, once again, see below for IRC encryption options.

Installation Example: Download the OTR plugin for Gaim and run the installer. Run Gaim. Click on Preferences and go down to Plugins on the left-hand side. Find 'Off-the-Record messaging' listed on the right, and check the accompanying checkbox. Restart Gaim. Go back to Preferences, and this time you should see 'Off-the-Record messaging' listed under Plugins on the left-hand side. Select 'Off-the-Record messaging' and click on the Config tab. Be sure that the 'Enable private messaging' and 'Automatically initiate private messaging' fields are checked. You can now initiate the IM conversation with your chat partner. Once the conversation has been initiated, and assuming you possess a secure email account and/or secure phone line, you should contact each other and confirm the Key Fingerprint to help ascertain the identity of your chat partner. After the fingerprint is confirmed, go back to the Known fingerprints tab and, selecting the screenname of the chat partner whose fingerprint you have just confirmed, select Verify fingerprint and hit Close to exit out of the Preferences menu.
You should now be ready to engage in secure conversations.

---

Name: SecureIM (http://www.ceruleanstudios.com/)
Key Strength: 128-bit Blowfish keys
Works With: Trillian
Operating Systems Supported: Windows
Protocols Supported: AIM/ICQ

Installation Example: Download and install Trillian. Run Trillian and, clicking on the globe on the bottom left (or right-clicking on the Trillian icon in the taskbar and then going to Options), click on Preferences. Go down to AIM and/or ICQ under Chatting Services on the left-hand side, then select Misc. In the SecureIM section, be sure to check both 'Activate SecureIM Capabilities' and 'When possible, make a best effort to automatically maintain a SecureIM session with my contacts.' You'll need to do this for both AIM and ICQ if you plan on using both protocols. Hit Apply and then OK to exit out of the Preferences menu. You can now initiate the IM conversation with your chat partner. The locks in your IM window should turn red. You should now be ready to engage in secure conversations.

---

Name: SSL Certificates (Available from syLIkc.NET: http://secure.sylikc.net:8080/self_signed/ and Thawte: http://www.thawte.com/secure-email/personal-email-certificates/index.html)
[IMPORTANT: www.aimencrypt.com also offers certificates, or rather just one same certificate for everybody, which in turn means that anyone can decrypt your conversations. In other words: Do not use AimEncrypt!]
Key Strength: 128-bit keys
Works With: AIM; and possibly other IM clients which allow importation of SSL certificates [such as?--know of one? Then email me about it!]
Operating Systems Supported: Windows/Mac [unconfirmed]/*nix [unconfirmed]
Protocols Supported: AIM; (same as Works With)

Installation Example: pr0to has written a great tutorial on generating/installing a Thawte-issued certificate: http://www.rorta.net/index.php?page=aimcrypt, and the sylikc.net import instructions are here: http://secure.sylikc.net:8080/self_signed/aim.php.
After generating/importing the certificate, you should now be ready to engage in secure conversations.

---

Name: SimpLite (http://www.secway.fr/us/products/all.php)
Key Strength: 1024 to 2048 bit RSA keys
Works With: Gaim, Trillian, and the following vanilla clients: AIM, ICQ, MSN, YIM, Jabber
Operating Systems Supported: Windows
Protocols Supported: AIM, ICQ, MSN, YIM, Jabber [unconfirmed]

Installation Example: Download and install SimpLite for your particular protocol (note that each protocol has a separate SimpLite program that you need to download). Run your particular flavour(s) of SimpLite and the Keys Generation Wizard should pop up. If it doesn't, click on Keys in the menu and go down to Generate key pair. Follow the instructions and after a few steps you should have your key. Run your supported chat program of choice, making sure that SimpLite is still running in the background. After sending a message to your chat partner, you should see your partner's key show up in the SimpLite program, and your conversations should be under the Green authenticated/encrypted arrows. Assuming you possess a secure email account and/or secure phone line, you should contact each other and confirm the Key ID to help ascertain the identity of your chat partner. You should now be ready to engage in secure conversations.

---

Name: FiSH (http://fish.sekure.us/)
Key Strength: 1080 bit Diffie-Hellman keys
Works With: mIRC, irssi, xchat
Operating Systems Supported: Windows/*nix/Mac (OS X) [unconfirmed]
Protocols Supported: IRC

Installation Example: Download the latest FiSH archive and extract the contents into your mIRC directory (wherever mirc.exe is located). Run mIRC and type '/load -rs1 FiSH.mrc' (sans quotes). Close mIRC. Run the patch executable that matches your version of mIRC (click on Help, then About (or just click on that yellow icon on the far right of your toolbar) in mIRC to find out your version number).
When you extracted all of the files into your mIRC directory, you should have extracted a file called blow.ini-EXAMPLE. Open this file in Notepad and copy all of the contents. Close this file and open a blank Notepad window. Paste the contents and save the file as blow.ini (being sure to select 'All Files' from the Save As menu). You just did this so that you have a nice clean backup copy of the ini file in case you completely screw up this copy. For detailed information regarding setting up the blow.ini file, read the FiSH.txt file included in the FiSH archive you downloaded. However, a bare bones blow.ini file will look something like this:

    [FiSH]
    process_incoming=1
    process_outgoing=1
    plain_prefix="+p "

    [#RORTA]
    key=d8SfskY0riaqsfd19ks220dUtQZmKdeWrp8ksfdLjsoig49dp7G
    encrypt_topic=1

The first two lines mean that FiSH will decrypt all incoming messages and encrypt all outgoing messages, respectively. The plain_prefix line says that all messages you send that start with '+p ' (note the trailing space) will be sent as plaintext (unencrypted). The next line is the name of the channel you want to encrypt (you can add more channels below, following the same format). The key value is the encryption key for your channel; be sure to make it difficult to guess by using a long string of mixed-case letters and numbers. The encrypt_topic line sets whether the topic in the channel is encrypted (1 for yes, 0 for no).

As the FiSH.txt file rightly points out, exchanging channel key information in plaintext is a security risk. Thus, you should ideally tell other members of your channel the channel encryption key only through an IM window that has been encrypted using one of the aforementioned methods.

To encrypt private messages, either double-click on the user's name to open up a private message window or message the user manually (/msg username moo!) and wait for a reply to get a PM window open (if you two aren't in the same channel).
Then right-click in the PM window and go to FiSH-->Auto-KeyXchange-->Enable, and then either close/reopen the PM window and/or click on DH 1080 KeyXchange (which is also in the PM right-click window under FiSH). You should now be ready to engage in secure conversations.

Nota Bene I: The FiSH encryption key is not the same thing as the channel key (mode +k). Naturally, your channel should also be set to modes +sk to further protect the conversation. First, type /mode #channelname +s (this prevents the channel from showing up in either /whois or /list), followed by /mode #channelname +k yourchannelkey. Your channel key should be different from your FiSH key, and merely means that no one can join the channel without knowing this key (to join the channel type /join #channelname yourchannelkey), whereas the FiSH key means that no one can read the conversation, irrespective of whether or not they can join the channel (network administrators can monitor all traffic on their server, even if they're not in the channel with you).

Nota Bene II: You can further secure your IRC connection by using SSL (Secure Sockets Layer) (assuming both your client and the particular IRC network support it). If you are using the latest version of mIRC (6.14+), instructions for setting up SSL are available here: http://www.mirc.co.uk/ssl.html (the needed DLLs can be downloaded here: http://remus.oru.se/tsub/mirc-ssl/mirc-ssl.zip, or extracted from the OpenSSL installer linked to on the abovementioned mIRC site). Once you install the necessary DLLs, type //echo $sslready and you should get a reply of '$true.' To connect to an SSL server you can use the -e switch before the server address and/or a plus sign (+) before the port number, for instance: /server -e irc.rizon.net +9999. Consult the readme files of other clients for information on their SSL implementation capabilities.
For instance, if you are using xchat on *nix, install the OpenSSL libraries (www.openssl.org) and then, when connecting to the particular IRC server with SSL support, add a plus sign before the port, e.g. /server irc.rizon.net +9999. Some networks also let you set certain modes for the channel (for example, +S on Rizon), which require SSL to be enabled in order to join the channel (ask in #help or browse the network's website to find out if SSL servers and SSL-Only channel modes are supported).

Nota Bene III: The great thing about IRC encryption is that you can encrypt entire channels, and thus have secure conversations between groups of more than two partners (something which, as far as I know, is not possible with any of the other aforementioned encryption tools), so appreciate it and enjoy it! :)

---

Caveats & Miscellanea

As you have doubtless noticed, there's a plethora of encryption plugins, with various levels of key strength. The Gaim-Encryption plugin provides by far the strongest key pair (at 4096 bits); however, it doesn't fly well on Macs. Therefore a feasible scenario may have one user running Adium on a Mac, while another runs Gaim on Windows, with both using the OTR plugin. Keep your options open, and always use the strongest key pair possible (combine malleability with security!).

There is no such thing as 'perfect security.' When I have repeatedly stated that 'you should now be ready to engage in secure conversations' don't come crying when your key is compromised due to poor key handling on your part (insecure storage of keys, infrequent regenerations, etc.). In other words: don't get sloppy, you lazy sack of shit (this is a note to self as much as it is general advice ;)).

On the subject of log files: many IM clients have the option to store logfiles of your conversations (and in many clients this option is enabled by default!--so be sure to scan the preferences/settings areas of your clients to disable logging).
Logs are often (read: almost always) stored in plaintext, even when you use the various encryption plugins! Therefore if you do decide to enable logging, be sure to encrypt the logfiles themselves (info on encrypting data will be presented in a future segment of this Underground Security Paper series).

You've probably noticed that various clients/protocols/OSes have the '[unconfirmed]' label after them. This is simply due to the fact that I haven't yet tested the particular encryption tool on those protocols/systems. If you have, please let me know so I can update the information in subsequent versions of this textfile!

Finally, note that the 'installation examples' are just that: examples. As stated at the outset of this textfile, the focus has been on Windows and therefore the examples lean towards Windows scenarios. (Don't take them too literally).

If you have any comments, suggestions, see any IM encryption plugin which wasn't mentioned, or anything else, feel free to drop me a line at xcon0 @.t yahoo d0t c|o|m .

This is also the first textfile in a series I'm calling the Underground Security Papers. Successive papers will discuss encrypting emails, miscellaneous data files, as well as tips on maintaining anonymity and the like. To be kept abreast of more USPs, send me an email with 'USP' in the subject.

Enjoy!

For more knowledge visit www.dizzy.ws & www.rorta.net.
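
Added example (not part of the original textfile or of the FiSH distribution): a small Python audit for the blow.ini layout described in the FiSH entry, covering the advice to use a long mixed-case alphanumeric channel key and the key-handling caveat above. The function names, the 128-bit threshold, the '#ops' channel and its key are assumptions made up for this example; the sample input is constructed.

```python
import configparser
import math
import secrets
import string

# Key printed in this paper's sample blow.ini: it is public, so never reuse it.
PUBLISHED_SAMPLE_KEY = "d8SfskY0riaqsfd19ks220dUtQZmKdeWrp8ksfdLjsoig49dp7G"
ALPHABET = string.ascii_letters + string.digits  # mixed-case letters and numbers
MIN_BITS = 128  # assumed threshold for this example, not a FiSH requirement

def new_channel_key(length=48):
    """Draw a channel key from the OS CSPRNG instead of typing one by hand."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def estimated_bits(key):
    """Upper bound on entropy; only meaningful if the key was chosen at random."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
    pool = sum(size for test, size in classes if any(test(c) for c in key))
    return len(key) * math.log2(pool) if pool else 0.0

def audit_blow_ini(text):
    """Return (section, finding) pairs for a blow.ini given as a string."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    fish = cfg["FiSH"] if cfg.has_section("FiSH") else {}
    for opt in ("process_incoming", "process_outgoing"):
        if fish.get(opt) != "1":
            findings.append(("FiSH", opt + " is not 1"))
    channels = [s for s in cfg.sections() if s != "FiSH"]
    for section in channels:
        key = cfg[section].get("key", "")
        if not key:
            findings.append((section, "no key set"))
        elif key == PUBLISHED_SAMPLE_KEY:
            findings.append((section, "key copied from published example"))
        elif estimated_bits(key) < MIN_BITS:
            findings.append((section, "key too short or low-variety"))
        # Assumption: sections starting with '#' are channels, as in the sample.
        if section.startswith("#") and cfg[section].get("encrypt_topic") != "1":
            findings.append((section, "topic is sent unencrypted"))
    return findings

# Constructed sample input; '#ops' and its key are made up for the example.
SAMPLE = """[FiSH]
process_incoming=1
process_outgoing=0
[#RORTA]
key=d8SfskY0riaqsfd19ks220dUtQZmKdeWrp8ksfdLjsoig49dp7G
encrypt_topic=1
[#ops]
key=hunter2
encrypt_topic=0
"""
```

Calling audit_blow_ini(SAMPLE) reports the disabled outgoing encryption, the key copied from this paper, the weak '#ops' key and its unencrypted topic; new_channel_key() gives a replacement value for the key= line.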