Off-the-Record Messaging

Off- the-Record Messaging ( in German: unofficial, confidential, not intended for the public messaging ) is a protocol for message encryption of instant messaging. In contrast to the transmission of encrypted messages using OpenPGP (or in rare cases, by means of X.509 certificate ) you can not find later in the Off- the-Record Messaging, if a key has been used by a specific person ( plausible deniability; principle of credible deniability ). This can be after finishing the entertainment of anyone (including any of the two communication partners ) prove that one of the communication partner has made ​​a certain statement.

Will be implemented this principle by the combined use of symmetric encryption method AES, the Diffie -Hellman key exchange and the hash function SHA-1. The two developers, Ian Goldberg and Nikita Borisov put, a library and a plugin for Pidgin available. The library is licensed under the LGPL. The included with the library toolkit for forgery of messages and the Pidgin plugin, however, are licensed under the GPL.

  • 3.1 Native support 3.1.1 An integral part of
  • 3.1.2 Plugin

Aims of the project

In the statutes of the project the following four cornerstones are defined:

Technical implementation

The following section presents simplifies the function of the OTR protocol dar. in version 2


During their communication with each other, Alice and Bob choose private keys respectively. In each case two, and for example, be used to generate a shared secret using the Diffie -Hellman key exchange. For this secret key and can be calculated.

Is used to encrypt each message by using Advanced Encryption Standard (AES) in the Counter mode. Thus, the symmetric block cipher AES is used to stream cipher. At the initial authentication using Alice and Bob digital signatures, which allows them to be safe throughout the entertainment, with whom they are communicating. is used to authenticate an individual message by means of the hash function SHA-1 (Secure Hash Algorithm), which is used as Message Authentication Code (MAC).

When sending messages, new private key, respectively, and the corresponding AES and MAC keys are generated. The private key is no longer used are deleted so that Alice can no longer be associated with their news. But this also means that Alice subsequently can not read their own nor the news of Bob. In addition, you no longer use MAC key will be published so that any other person the message from Alice could sign.

For the Diffie -Hellman key exchange a 1536 bit prime number and a primitive root modulo with are required. All exponentiations are then carried out modulo this prime.


At the beginning of a conversation initial keys have to be exchanged and the authenticity of the discussion participants are reviewed, namely Alice and Bob must each be sure with whom they are communicating. This prevents Alice, for example, instead of Bob with the attacker Eve performs a key exchange. The whole process is Authenticated Key Exchange ( AKE ) called and reacted with the SIGMA protocol:

In between, the connection is always possible encrypted with AES and authenticate individual messages using SHA256 -HMAC.

Send a message

Suppose Alice wants to send the message to Bob. She leads the following steps:

Receiving a message

Bob receives the above data generated by Alice and performs the following steps:

Review of the objectives

Another safety concept is the falsifiability. By using the encryption stream cipher ( AES in Counter Mode ), in which the plaintext is simply linked to a XOR to obtain the ciphertext, upon successful guessing a part of the plaintext, the attacker can modify the ciphertext so that this part to any text decrypted. This does not reduce the security, since Bob can be assured by signing the message with the MAC key that the falsified message did not originate from Alice. In retrospect, however, the attacker can sign this message because the corresponding MAC key was released. So difficult that Alice can be associated with the content of a message with her, because the apparent message for each is signable and limited modifiable.


A computer-based cryptanalysis of the protocol in version 2 was conducted by Stanford University, where several vulnerabilities were discovered: By a man-in -the -middle attack, it is possible to have an older version of the protocol ( for example, version 1 ) to change, so as to utilize its vulnerabilities. Furthermore, the deniability is in the strong sense, that is, that everyone could sign a message, no longer exists at an attacker with complete control over the network. This may publish the MAC key replace with random data, so it is no longer possible others to validly sign with this key messages. In addition, the authors have found an attack when authenticating in LFS, but which can be discovered and did not entail far-reaching consequences.


Native support

The following clients support Off- the-Record Messaging natively. This implies that one can use with all implemented instant messaging protocols with them OTR (eg OSCAR, XMPP, MSN and YIM ). Another list of programs can be found on the website of the developer.

An integral part of

  • Adium (Mac OS X) supports OTR innately
  • climm (Linux / Unix) is directly supported since 0.5.4
  • Mcabber ( Linux, several BSD derivatives, Mac OS X) OTR directly supported since 0.9.4
  • Centerim (Linux / Unix) supports OTR since version 4.21.0
  • Jitsi (formerly SIP Communicator ) ( platform independent )
  • BitlBee ( platform independent ), since version 3.0 (optionally configurable at compile time )
  • Xabber (Android) support OTR natively since 0.9.27 (only XMPP )
  • SecuXabber (Android) OTR support natively ( Beta)
  • Phonix Viewer ( platform independent ), a viewer for Second Life, supports OTR discussions within the game
  • Secure Chat ( Android / iOS )
  • IM (Android)
  • QutIM ( platform independent ) since 0.3.1
  • Spark ( platform independent )


  • Pidgin ( platform independent ) has an official plugin
  • Kopete (Linux / Unix) has a ( since version 4.1 0.50.80/KDE official ) plugin
  • Psi ( platform independent ) has an unofficial plugin, can be used in Psi this natively ( on Linux)
  • Miranda IM ( Microsoft Windows) has a plugin
  • Miranda NG ( Microsoft Windows) has a plugin
  • Irssi ( platform independent ) has a plugin
  • Gajim ( platform independent ) has since Version 0.15 a plugin
  • Xchat ( platform independent ) has a plugin
  • Vacuum IM ( Linux / Windows)
  • WeeChat ( platform independent ) has a plugin


First, a proxy has been developed which should allow the use of the OSCAR protocol ( AIM / ICQ), even if the chat client itself does not support OTR. The software is no longer being developed since 2005 and the manufacturer does not recommend its use.