How to Use OTR to Initiate a Secure Messaging Session in Pidgin
List of sections on this page:
- 3.0 About Pidgin and OTR
- 3.1 How to Configure the Pidgin-OTR Plugin
- 3.2 The First Step - How to Generate a Private Key and Display its Fingerprint
- 3.3 The Second Step - How to Authenticate a Private Conversation
- 3.4 The Third Step - How to Authenticate the Identity of Your Pidgin Buddy
3.0 About Pidgin and OTR
Both you and your correspondent must configure the OTR plugin before you can hold private and secure Instant Messaging (IM) sessions. The OTR plugin automatically detects when both parties have installed and properly configured it.
Note: If you request a private conversation with a buddy who has not installed or configured OTR, Pidgin automatically sends him/her a message explaining how to obtain the OTR plugin. Like everything exchanged before an OTR session is established, that request and message travel in the clear.
3.1 How to Configure the Pidgin-OTR Plugin
To enable the OTR plugin, perform the following steps:
Step 1. Launch Pidgin (double-click its icon or select Start > All Programs > Pidgin) to open the Buddy List window (please refer to Figure 1).
Step 2. Open the Tools menu, and then select the Plugins item as follows:
Figure 1: The Buddy List window with the Plugins item selected from the Tools menu
This will activate the Plugins window as follows:
Step 3. Scroll down to the Off-the-Record Messaging option, then click its associated check box to enable it.
Figure 2: The Pidgin Plugins window with Off-the-Record Messaging selected
Step 4. Click Configure Plugin to open the Off-the-Record Messaging configuration window.
Configuring OTR properly, so that it can provide private and secure IM sessions, involves three steps, explained below:
- The First Step: generate a unique private key for your account and display its fingerprint. This is done once per account.
- The Second Step: one party requests a private and secure messaging session with another party who is currently on-line.
- The Third Step: authenticate, or verify, the identity of your Pidgin buddy. (Note: In Pidgin, a buddy is anyone you correspond with during IM sessions.) Pidgin calls this verification authentication: establishing that your buddy is exactly the person he/she claims to be.
The last two steps secure each IM session and authenticate your buddies.
3.2 The First Step - How to Generate a Private Key and Display its Fingerprint
Secure chat sessions in Pidgin are enabled by generating a private key for the relevant account. The Off-the-Record configuration window is divided into the Config and the Known fingerprints tabs. The Config tab is used to generate a key for each of your accounts and to set specific OTR options. The Known fingerprints tab lists the fingerprints of your buddies' keys. You need a key for each of your own accounts; every buddy with whom you wish to chat privately needs a key for his/her own account, and it is the fingerprint of that key which Pidgin records here.
Figure 3: The Off-the-Record Messaging screen displaying the Config tab
Step 1. To optimise your privacy, check the Enable private messaging, Automatically initiate private messaging and Don't log OTR conversations options in the Config tab as shown in Figure 3 above.
Step 2. Click to begin generating your private key; a dialog notifying you that a private key is being generated appears as follows:
Figure 4: The Generating private key confirmation box
Note: Your buddy must perform the same steps for his/her own account.
Step 3. Click after the private key has been generated; its fingerprint, which resembles the following, is then displayed:
Figure 5: An example of a fingerprint of the key generated by the OTR engine
Important: You have now created a private key for your account on your computer. It is the long-term identity key of that account: OTR uses it to authenticate the key exchange that sets up each encrypted session, so that nobody else can read your conversations, even if they do manage to monitor your chat sessions. The fingerprint is a long sequence of letters and numbers derived from the key (a hash of its public half) that identifies the key for a particular account, as shown in Figure 5 above.
Pidgin automatically saves your key, and the fingerprints of your buddies, on the computer you are using, so that you will not have to remember them. If you reinstall Pidgin or change to another computer, you will either have to regenerate your key and re-authenticate your buddies, or move your key and your buddies' fingerprints to the new computer. To do this, copy the contents of the %APPDATA%\.purple folder (~/.purple on Linux or Mac) to the same folder on the new computer; the OTR data lives in the files otr.private_key and otr.fingerprints there (newer versions also keep otr.instance_tags). Treat otr.private_key as a secret: anyone who obtains a copy can impersonate your account to buddies who have authenticated you.
3.3 The Second Step - How to Authenticate a Private Conversation
Step 1. Double-click a buddy who is currently on-line to begin a new IM conversation. With the OTR plugin enabled, you will notice that a new OTR button appears at the bottom right corner of your chat window.
Figure 6: A Pidgin messaging window displaying the OTR icon outlined in black
Step 2. Click the OTR button to open its associated pop-up menu, and then select the Start private conversation item as follows:
Figure 7: The pop-up menu with the Start private conversation item selected
Your Pidgin IM window will then resemble the following screen:
Figure 8: The Pidgin IM window displaying the Unverified button
Note: When you request a private conversation, Pidgin and your buddy's IM program automatically exchange the messages that set up the encrypted session. Once that completes, the OTR button changes to Unverified, indicating that your conversation with your buddy is now encrypted.
Warning! Although this conversation is now encrypted, the identity of your buddy has not been verified yet. Beware: until you complete the Third Step, the party at the other end might actually be someone else pretending to be your buddy, including an attacker sitting between the two of you and relaying the conversation.
3.4 The Third Step - How to Authenticate the Identity of Your Pidgin Buddy
You may use one of three methods to authenticate your Pidgin buddy: 1) a pre-arranged secret code phrase or word; 2) a question whose answer is known only to the two of you; or 3) manually verifying the fingerprints of each other's keys over a different channel of communication.
The Secret Code Phrase or Word Method
You can arrange a code phrase or word in advance, either by meeting each other in person or by using another communications medium (like a telephone, a Jitsi voice chat or a mobile phone text message). Once you both type in the same code phrase or word, your session will be authenticated. OTR compares the two entries without sending either of them across the network in a readable form, so an eavesdropper learns nothing about the secret, and an impostor gets only one guess per attempt.
Note: The OTR secret code word comparison is case sensitive, that is, it distinguishes capital (A, B, C) letters from lower case (a, b, c) ones, and it treats spaces and punctuation as part of the secret. Bear this in mind when inventing a secret code phrase or word!
Step 1. Click the OTR button in the chat window, then select the Authenticate Buddy item as follows:
Figure 9: The Unverified pop-up menu with the Authenticate buddy item selected
This will activate the Authenticate Buddy window, prompting you to select an authentication method.
Step 2. Click the drop-down list and select Shared Secret as follows:
Figure 10: The Authenticate buddy screen with the drop-down list revealed
Step 3. Enter the secret code word or phrase as follows:
Figure 11: The Shared Secret screen
Step 4. Click Authenticate to activate the following screen:
Figure 12: The Authenticate Buddy window for a fictitious correspondent
Note: At this time your buddy will see the window shown in Figure 13 at his/her end and will have to enter the same code word. If the two entries match, your session will be authenticated.
Figure 13: The Authenticate Buddy window for a fictitious correspondent
Once the session is authenticated, the OTR button changes again, replacing Unverified. Your session is now secure and you can be sure that you are really speaking with your buddy.
The Question and Answer Method
Another method of authenticating each other is the question and answer method. You type a question and its answer; your buddy sees the question and must type in the exact answer. If the answers match, your buddy's identity is authenticated to you.
Step 1. Click the OTR button in the active message window to open its associated pop-up menu, and then select the Authenticate Buddy item (please refer to Figure 9).
Figure 14: A Pidgin chat window displaying the OTR icon
An Authenticate Buddy window will pop up prompting you to choose the method for authentication.
Step 2. Click the drop-down menu and select the Question and Answer item as follows:
Figure 15: The Authenticate buddy screen
Step 3. Enter a question and its corresponding answer. The question will be sent to your buddy; the answer is never sent.
Figure 16: The Questions and Answer screen
If your buddy's answer matches yours, his/her identity has been verified to you. This works in one direction only: your buddy has not yet verified you. To authenticate both parties, your buddy should pose a question of his/her own for you to answer.
Once the session has been authenticated, the OTR button changes again, replacing Unverified. Your session will now be secure and you can be certain of your chat buddy's identity.
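The mechanism behind both the Shared Secret and the Question and Answer methods, as an added example (not code from Pidgin, pidgin-otr or libotr): OTR runs the Socialist Millionaire Protocol (SMP), which lets the two clients learn whether their secrets are equal without either secret crossing the wire. The Python below (3.8 or later, for `pow(x, -1, p)`) implements the four SMP flows in the RFC 3526 1536-bit group that OTR uses and derives the compared value the way the OTR specification does (version byte, both fingerprints, session id, typed answer). The zero-knowledge proofs that accompany each real SMP message are left out, and the fingerprints, session id and names are constructed stand-ins. It shows the three outcomes that matter in practice: the same answer on both sides, an answer that differs only in case (the case-sensitivity note above), and the same answer with a different key sitting in the middle.

```python
"""Core arithmetic of OTR's Socialist Millionaire Protocol (SMP); added example."""
import hashlib
import secrets

# The 1536-bit MODP group from RFC 3526 that OTR uses; generator g1 = 2, prime order q = (p-1)/2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G1 = 2
Q = (P - 1) // 2

# Constructed stand-ins for the two accounts' 20-byte key fingerprints, an attacker's
# fingerprint, and the 8-byte secure session id of the current conversation.
ALICE_FP = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF01234567")
BOB_FP = bytes.fromhex("FEDCBA9876543210FEDCBA9876543210FEDCBA98")
MALLORY_FP = bytes.fromhex("00112233445566778899AABBCCDDEEFF00112233")
SSID = bytes.fromhex("0011223344556677")


def smp_secret(initiator_fp, responder_fp, ssid, answer):
    """The value actually compared: SHA-256 over version byte 0x01, both fingerprints,
    the session id and the typed answer, as in the OTR specification.  Binding the
    fingerprints in makes a relaying man-in-the-middle fail even when both real users
    type the same answer; hashing raw bytes is why "Secret" and "secret" differ."""
    data = b"\x01" + initiator_fp + responder_fp + ssid + answer.encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _exp():
    """Random exponent in [2, q-1]."""
    return secrets.randbelow(Q - 2) + 2


def smp_exchange(x, y):
    """Alice holds secret x, Bob holds y.  Returns (alice_ok, bob_ok); proofs omitted."""
    # SMP1, Alice -> Bob: g1^a2, g1^a3
    a2, a3 = _exp(), _exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)
    # SMP2, Bob -> Alice: g1^b2, g1^b3, Pb, Qb
    b2, b3 = _exp(), _exp()
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)
    g2, g3 = pow(g2a, b2, P), pow(g3a, b3, P)   # g2 = g1^(a2 b2), g3 = g1^(a3 b3)
    r = _exp()
    Pb = pow(g3, r, P)
    Qb = pow(G1, r, P) * pow(g2, y, P) % P
    # SMP3, Alice -> Bob: Pa, Qa, Ra.  Alice derives the same g2, g3 from g2b, g3b.
    assert (pow(g2b, a2, P), pow(g3b, a3, P)) == (g2, g3)
    s = _exp()
    Pa = pow(g3, s, P)
    Qa = pow(G1, s, P) * pow(g2, x, P) % P
    qa_over_qb = Qa * pow(Qb, -1, P) % P        # = g1^(s-r) * g2^(x-y)
    Ra = pow(qa_over_qb, a3, P)
    # SMP4, Bob -> Alice: Rb.  Bob can already decide.
    Rb = pow(qa_over_qb, b3, P)
    pa_over_pb = Pa * pow(Pb, -1, P) % P        # = g3^(s-r)
    # Rab = g3^(s-r) * g1^(a2 b2 a3 b3 (x-y)); equals Pa/Pb exactly when x == y.
    bob_ok = pow(Ra, b3, P) == pa_over_pb
    # Alice finishes with Rb.
    alice_ok = pow(Rb, a3, P) == pa_over_pb
    return alice_ok, bob_ok


def authenticate(alice_answer, bob_answer, bob_fp_seen_by_alice=BOB_FP):
    """Alice initiates.  Each side hashes its own view of the two fingerprints; with an
    attacker in the middle, Alice's view of Bob's key is the attacker's (constructed case)."""
    x = smp_secret(ALICE_FP, bob_fp_seen_by_alice, SSID, alice_answer)
    y = smp_secret(ALICE_FP, BOB_FP, SSID, bob_answer)
    return smp_exchange(x, y)


if __name__ == "__main__":
    print(authenticate("butterfly", "butterfly"))              # (True, True)
    print(authenticate("Butterfly", "butterfly"))              # (False, False): case matters
    print(authenticate("butterfly", "butterfly", MALLORY_FP))  # (False, False): wrong key in the middle
```

Both clients learn the same verdict; whether a client then records the buddy's fingerprint as trusted is a client decision, which is why Pidgin only marks the asker's side verified in the question and answer method.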
Manual fingerprint verification
The third method of authenticating each other is manual fingerprint verification. Exchange the fingerprints displayed for you and your buddy (see Figure 17 below) over another communication channel (like secure email or a voice call), and compare every group of characters, not just the first few. If the fingerprint your buddy reads out matches the one Pidgin shows for him/her, select I have verified that this is in fact the correct fingerprint and click Authenticate. Your buddy should do the same with your fingerprint at his/her end.
Figure 17: The Manual fingerprint verification screen
Notice that if you now open Tools > Plugins > Off-the-Record Messaging > Configure Plugin from the Buddy List, the Known fingerprints tab displays your buddy's account together with a message that his/her identity has been verified.
Figure 18: The Off-the-Record Messaging screen displaying the Known Fingerprints tab
Congratulations! You may now chat privately. The next time you and your buddy chat (using the same computers), you should only have to request a secure connection (as in Figure 7 above) and have your buddy's client accept it; the session is already authenticated because Pidgin remembers the verified fingerprint. If the OTR button shows Unverified instead, your buddy's key has changed (a reinstall, a new computer, or someone else's key), so repeat the Third Step before trusting the session.
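A check that goes with the Known fingerprints tab and the manual method, added here and not part of the original page or of pidgin-otr: parse the otr.fingerprints file pidgin-otr keeps in the .purple folder, list which buddies are authenticated, flag buddies for whom more than one key has been seen, and compare a fingerprint read out over the phone (in the grouped form Pidgin displays) with the stored one. The record layout (buddy, account, protocol, 40 hex digits, trust, tab-separated) is the one libotr writes; the trust labels "verified" for the manual method and "smp" for the other two are my reading of pidgin-otr; the sample records, account names and fingerprints are constructed.

```python
"""Audit pidgin-otr's stored fingerprints and check one read out of band; added example."""
import re
from collections import defaultdict

# Constructed contents of otr.fingerprints (%APPDATA%\.purple on Windows, ~/.purple on
# Linux/Mac).  One tab-separated record per key seen:
#   buddy <TAB> your account <TAB> protocol <TAB> 40-hex fingerprint <TAB> trust
# trust is "verified" (manual method), "smp" (shared secret / question and answer) or
# empty for a key that has only been seen, never authenticated (assumed labels).
SAMPLE = (
    "alice@example.org\tme@example.org\tprpl-jabber\t"
    "0123456789ABCDEF0123456789ABCDEF01234567\tsmp\n"
    "bob@example.org\tme@example.org\tprpl-jabber\t"
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\tverified\n"
    "bob@example.org\tme@example.org\tprpl-jabber\t"
    "00112233445566778899AABBCCDDEEFF00112233\t\n"
    "carol@example.org\tme@example.org\tprpl-jabber\t"
    "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE\t\n"
)
TRUSTED = {"verified", "smp"}


def normalize(fingerprint):
    """Accept the 5 x 8 grouped form Pidgin displays, or whatever a buddy read out:
    keep only hex digits, upper-case them, and refuse anything but exactly 40."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()
    if len(hexdigits) != 40:
        raise ValueError("fingerprint must contain exactly 40 hex digits")
    return hexdigits


def parse_fingerprints(text):
    """Parse otr.fingerprints records; a missing trust field means never authenticated."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError("malformed record: " + line)
        records.append({
            "buddy": fields[0],
            "account": fields[1],
            "protocol": fields[2],
            "fingerprint": normalize(fields[3]),
            "trust": fields[4] if len(fields) > 4 else "",
        })
    return records


def audit(records):
    """Per buddy: how many keys have been seen and how many of them are trusted.
    More than one key for the same buddy means the key changed (reinstall, new
    machine, or someone else's key) and deserves a fresh authentication."""
    report = defaultdict(lambda: {"keys": 0, "trusted_keys": 0})
    for r in records:
        entry = report[r["buddy"]]
        entry["keys"] += 1
        if r["trust"] in TRUSTED:
            entry["trusted_keys"] += 1
    return {buddy: dict(counts) for buddy, counts in report.items()}


def check_readout(records, buddy, readout):
    """Compare a fingerprint obtained over another channel with what is stored for buddy."""
    fp = normalize(readout)
    known = [r for r in records if r["buddy"] == buddy]
    if not known:
        return "unknown buddy"
    matches = [r for r in known if r["fingerprint"] == fp]
    if not matches:
        return "MISMATCH: stored key differs from the one read out"
    return "match, trusted" if matches[0]["trust"] in TRUSTED else "match, not yet authenticated"


if __name__ == "__main__":
    recs = parse_fingerprints(SAMPLE)
    for buddy, counts in sorted(audit(recs).items()):
        flag = "  <- key changed, re-authenticate" if counts["keys"] > 1 else ""
        print(f"{buddy}: {counts['trusted_keys']}/{counts['keys']} keys trusted{flag}")
    print(check_readout(recs, "carol@example.org", "aaaaaaaa bbbbbbbb cccccccc dddddddd eeeeeeee"))
```

Run it against a copy of your own otr.fingerprints rather than the live file, and treat any buddy with more than one key, or a mismatch against a fingerprint read out by the buddy, as a reason to repeat the Third Step.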