Introduction to encrypted Internet chat

In the middle of a discussion about IRC chat, I mentioned SILC, which apparently, quite a few people haven't heard about yet. It's not terribly surprising. Once quite popular, IRC is now a fringe communications platform in the wake of instant messaging. If IRC users represent the fringe of Internet society, then SILC users are the consummate outliers.

This post was made mostly to go along with a quick presentation I'm doing for Cowtown Computer Congress this evening. This is a quick and dirty rough draft that will likely be edited for speling and grammer err0rz.

SILC is Secure Internet Live Conferencing, and it borrows many things directly from Internet Relay Chat, fixing some of the weaknesses of IRC by using certificates, key exchange algorithms, digital signatures and encrypted connections. The end result is a chat platform capable of being used by groups or one-on-one communication where you can be absolutely sure you are communicating with the person you think you're communicating with. With the appropriate measures, you can also be certain that messages can't be trivially intercepted or forged by outsiders, even if the SILC server or network has been compromised. When talking in public groups (equivalent to IRC channels), only those in the group can see the messages due to a shared session key. People sniffing your local network segment won't know what's being said or with whom you're communicating.

While on the topic of encrypted chat, I'll also discuss Off-The-Record, a cryptographic plug-in that sits on top of certain instant messaging platforms (like AIM) by sending strong-crypto messsages over base64-encoded strings between users. To this end, it's usually easy for someone monitoring the network to tell with whom you're communicating, but nearly impossible to determine the actual contents of said communication.

Of course, some of these things have been recently been addressed, albeit not nearly as thoroughly, by using SSL/TLS. Several modern IM protocols rely on SSL/TLS, and certain IRC implementations also can use SSL now. These are beyond the scope of this article, but worth mentioning in passing.

There are two actively-developed clients that I will cover:

  • A SILC plugin for irssi, a popular IRC client, which works best on Linux
  • Native SILC support in Pidgin IM, which works on Mac OS X, Linux and Windows. Pidgin plugins for Off-The-Record exist for Mac OS X, Linux and Windows as well.
Irssi is my favorite IRC client. It's a curses-based program that runs in the terminal. The SILC plugin for irssi can be found in many package repositories. For example, installing it (and all dependencies, including irssi itself) in Ubuntu is as easy as:

$ sudo apt-get install irssi-plugin-silc


If you're familiar with IRC, it uses some familiar derivatives of commands:

Load the SILC plugin, prompts for your private key passphrase
/load silc

Connect to a SILC server
/connect -silcnet SILCnet [silc-server]

Join a group (or channel)
/join [group]

Grant operator status to a user in a group you control
/cumode [group] +o [user]

Send a one-on-one message to another user
/msg [user] [message]

To compare, this is a screen shot of captured traffic from plain-text IRC, followed by one from SILC.
Hexdump showing cleartext IRC Chat

Hexdump showing encrypted SILC Chat


Pidgin is a cross platform open source chat application that natively supports all the major Instant Messaging protocols, including AIM, SILC and IRC. Once you've added a SILC server (via Accounts), you simply go to the Buddy List and select "Add chat" to join a group.

Adium, the Pidgin port for Mac OS X comes with OTR built right in!
Screen shot 2011-01-20 at 5.42.36 PM

Installing on Ubuntu is easy, as this will install Pidgin and the OTR plugin and all dependencies.
$ sudo apt-get install pidgin-otr

To get it up and running on Windows, first install Pidgin, then run the OTR plugin installer.

On Linux and Windows, you'll have to enable the plugin and generate a key before you can use it.

Generate OTR fingerprint

And then, once you initiate a chat with someone who also has OTR, you will need to verify their key. The best way to do this is in person or over a trusted communications platform. If you know their voice well enough, a phone call would probably work just fine.
Pidgin OTR authenticate fingerprint

Although AIM uses SSL by default these days, it's not uncommon to see AIM go across the wire in cleartext. Here's a screen shot comparing packet captures from a cleartext AIM session and one using OTR. You can't see it in the screen shots because of how large the OTR message is, but the OTR session only encrypts the message content itself. You can still see the names of the parties communicating.
Hexdump of cleartext AIM Chat

Hexdump of encrypted AIM+OTR Chat

That's all I've got for now.

blog comments powered by Disqus