Tutorial Key Facts
Supported Operating System: Windows XP, Vista, 7, 8, 10
Pidgin IM version: 2.10.6
OTR Version: 3.2.1-1
Last Update: 2016/09/11
Author: Nihad Hassan
According to its creators, Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
Encryption: No one else can read your instant messages.
Authentication: You are assured the correspondent is who you think it is.
Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.
In order to use OTR, we first need to install the Pidgin IM client on our system:
Download the Pidgin offline installer from here: http://sourceforge.net/projects/pidgin/files/Pidgin/2.10.6/pidgin-2.10.6-offline.exe/download
The above link may not always be valid, as it points to version 2.10.6 and a newer version may be released after this tutorial is published. You can always go to the Pidgin main website and select Download at http://www.pidgin.im/download/ to install the latest version.
Double click the installer to begin installing Pidgin
Choose your preferred language and click “Ok”
Click “Next” to continue
Accept the license agreement and press “Next”
Choose the components you want to add to or remove from the Pidgin installation (the default settings are suitable for most users)
Choose your installation directory (the default is C:\Program Files\Pidgin on Windows XP)
The installation proceeds; if everything is OK, the final window appears as follows
Finally, click the “Finish” button and your Pidgin IM is ready to go.
Now we need to install the OTR plugin for our Pidgin IM
Go to http://www.cypherpunks.ca/otr/ and download the Windows installer version of OTR (you can also download it directly from http://www.cypherpunks.ca/otr/binaries/windows/pidgin-otr-3.2.1-1.exe; this link may change as new releases are named)
Double click the installer to begin installing
Click “Next” to continue…
Click “I agree” to accept the license agreement of the software
Now select your installation directory (this is separate from the Pidgin IM installation directory and does not affect it).
Click “Install” to continue…
Finally, click the “Finish” button and you are done.
Now we need to integrate the OTR plugin into our Pidgin IM client.
Open Pidgin IM, go to the “Tools” menu and select “Plugins”, as shown in the next screen:
The Plugins window appears, as we can see in the next capture.
Check the box “Off-the-Record Messaging” and click the “Close” button
You can see further details about the activated plugin by clicking the plus sign “+” at the bottom of the window
Now you need to generate your private key: click “Configure Plugin” and the following window appears
To generate the key, press the long button labeled “Generate”, as shown in the screen capture above.
Press “Ok” and check the OTR configuration window to see the long key that has just been generated, as shown in the next capture.
As we note from the previous screen, we can choose another account from the drop-down menu to generate a key for it.
Now, let us start our first conversation using Pidgin with OTR enabled.
When we initiate our first secure conversation using OTR with a friend, the following warning appears in the chat box:
This warning states that we need to verify (authenticate) the person we are trying to communicate with. This is very important because we need to know that this person is who they claim to be, and not someone else trying to impersonate them.
Whenever we communicate with a friend through OTR, we need to authenticate this friend first. Once this is done, there is no need to repeat the process, as OTR will recognize him/her automatically, unless the user has changed his PC or is communicating through another account. In both cases we need to repeat the authentication process, which we describe later on.
OTR Authentication Types:
- Question and answer
- Shared secret
- Manual fingerprint verification
Let us start authenticating using the first option, “Question and answer”.
We need to be in the “Unverified” or “Private” state with the buddy we are communicating with for this method to work.
From the OTR menu in the chat window choose “Authenticate Buddy”; the following appears:
Here you can choose from the first drop-down menu which authentication method you prefer; here we are using the first one, “Question and Answer”.
Enter your secret question and your answer, as shown in the next window.
In our case, my secret question was “What is my Second age” and my secret answer was “109”.
Click “Authenticate” at the bottom of the window to begin the authentication process; the following window appears on my side.
And the following window appears on my buddy's side (next screen capture).
My buddy needs to enter my secret answer (which is shared only between me and him) in the text box. If he enters the correct one, I am communicating with the correct person; otherwise, another person is impersonating my buddy and it is better to end the conversation.
My buddy enters the secret answer “109” and clicks “Authenticate” as follows.
After my buddy clicks “Authenticate”, the following window appears on his/her PC.
If my buddy entered the correct answer, the following window appears telling him/her that he/she has successfully authenticated to me; my buddy can also authenticate me in the same way if he wants.
After completing this process, we notice that in our chat window the OTR label has changed to “Private”, as shown in the next screen capture.
But as we note from the following window, on the other side (my buddy's side) it is still in the unverified status.
As we stated before, to make both windows show the “Private” status, our buddy also needs to authenticate us using the same process. This step is optional and can be used for further security on both sides of the communication.
Shared Secret Method:
In this method of authentication, both parties (you and your buddy) should enter the same password or phrase in the dialog box. First enter your phrase and click “Authenticate”; now your buddy needs to enter the same word or phrase as you. If he/she enters it correctly, you can start a private conversation with him/her; otherwise, he may be another user trying to impersonate your friend and it is better to end the conversation.
Both you and your friend should use the same word/phrase to authenticate in this method.
Note: This method first appeared in pidgin-otr 3.1.0; if your buddy is using an older version, this will not work.
Manual fingerprint verification:
If your buddy is using a version of pidgin-otr before 3.1.0, or a different OTR client that does not support the other authentication methods, you will need to use manual fingerprint verification.
In this method, each side of the communication has a fingerprint, and each needs to know the other's fingerprint in order to make a secure connection. However, the channel over which the fingerprints are exchanged must itself be secure enough; otherwise, the entire system will be compromised.
If the fingerprint your buddy tells you matches the one listed as his or her “purported fingerprint”, pull down the selection that says “I have not” (verified that this is in fact the correct fingerprint), change it to “I have”, and you are done.
In this tutorial we described how to install the Pidgin client and how to install and configure the OTR plugin used to make secure conversations with the Pidgin client. I will be happy to receive your suggestions and comments regarding this tutorial.
Happy Secure Chatting!
Download Pidgin IM messenger from here (offline installer, 31.4 MB)
Download the OTR plugin for Pidgin from here (1.3 MB)