
Off The Record Messaging (Pidgin Secure IM)

Tutorial Key Facts
Supported operating systems: Windows XP, Vista, 7, 8, 10
Pidgin IM version: 2.10.6
OTR plugin version: 3.2.1-1
Last update: 2016/09/11
Author: Nihad Hassan

According to its creators, Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

Encryption: No one else can read your instant messages.

Authentication: You are assured the correspondent is who you think it is.

Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.

To use OTR, we first need to install the Pidgin IM client on our system:

Download the Pidgin offline installer from here: http://sourceforge.net/projects/pidgin/files/Pidgin/2.10.6/pidgin-2.10.6-offline.exe/download

The link above points to version 2.10.6 and may not stay valid, since a newer version may be released after this tutorial is published; you can always go to the Pidgin website and choose Download (http://www.pidgin.im/download/) to install the latest version. Whichever version you take, fetch it from the project's own site and, where the release publishes a checksum or signature, verify the installer before running it: OTR on top of a tampered client protects nothing.

Double-click the installer to begin installing Pidgin.

[Screenshot: pidgin-install1]

Choose your preferred language and click “OK”.

[Screenshot: pidgin-install2]

Click “Next” to continue.

[Screenshot: pidgin-install3]

Accept the license agreement and press “Next”.

[Screenshot: pidgin-install4]

Choose the components to include in the Pidgin installation (the default selection is suitable for most users).

[Screenshot: pidgin-install5]

Choose the installation directory (the default is C:\Program Files\Pidgin on Windows XP).

[Screenshot: pidgin-install6]

The installation proceeds; if everything is OK the final window appears as follows.

[Screenshot: pidgin-install7]

Finally, click the “Finish” button and Pidgin IM is ready to go.

Now we need to install the OTR plugin for Pidgin IM.

Go to http://www.cypherpunks.ca/otr/ and download the Windows installer of the OTR plugin (you can also download it directly from http://www.cypherpunks.ca/otr/binaries/windows/pidgin-otr-3.2.1-1.exe; this link may change as new releases are named).

Double-click the installer to begin installing.

[Screenshot: otr1]

[Screenshot: otr2]

Click “Next” to continue.

[Screenshot: otr3]

Click “I Agree” to accept the software license agreement.

[Screenshot: otr4]

Now select the installation directory (this is separate from the Pidgin installation directory and does not affect it).

Click “Install” to continue.

[Screenshot: otr5]

Finally, click the “Finish” button and you are done.

Now we need to enable the OTR plugin in our Pidgin IM client.

Open Pidgin, go to the “Tools” menu and select “Plugins”, as shown in the next screen:

[Screenshot: otr6]

The Plugins window appears, as we can see in the next capture.

[Screenshot: otr7]

Tick the box next to “Off-the-Record Messaging” to enable the plugin. You can click “Close” once the plugin is configured, which is the next step.

You can see further details about the activated plugin by clicking the plus sign “+” at the bottom of the window.

[Screenshot: otr8]

Now you need to generate your long-term private key. OTR keeps one key per account; it is created once, and it is what your buddies will later verify. With the plugin selected, click “Configure Plugin” and the following window appears:

[Screenshot: otr9]

[Screenshot: otr10]

To generate the key, press the wide button labeled “Generate”, as shown in the capture above.

[Screenshot: otr11]

[Screenshot: otr12]

Press “OK” and look at the OTR configuration window: it now shows the fingerprint of the key that was just generated, as in the next capture. This fingerprint is the value a buddy compares against when verifying you manually.

[Screenshot: otr13]

As the previous screen shows, we can choose another account from the drop-down menu and generate a key for that account too.

Now, let us start our first conversation using Pidgin with OTR enabled.

When we initiate our first secure conversation with a friend using OTR, the following warning appears in the chat box:

[Screenshot: otr14]

This warning states that we need to verify (authenticate) the person we are communicating with. This is important because an OTR session with an unverified key only guarantees that the messages are encrypted to some key; it does not tell us that the key belongs to the person we think we are talking to, rather than to someone impersonating them, such as a man in the middle relaying our messages.

Whenever we communicate with a friend through OTR we need to authenticate that friend once. After that OTR recognises them automatically, because the verification is attached to the fingerprint of their OTR key, not to their account name. If the buddy's fingerprint changes, for example because they generated a new key on another PC or are chatting from another account, the status drops back to “Unverified” and the authentication process described below must be repeated.

OTR Authentication Types:

  • Question and answer
  • Shared secret
  • Manual fingerprint verification

Let us start authenticating using the first option, “Question and answer”.

This method requires an OTR session to already be up with the buddy: the OTR button in the chat window must show “Unverified” or “Private”, not “Not private”.

[Screenshot: otr15]

From the OTR menu in the chat window choose “Authenticate Buddy”; the following appears:

[Screenshot: otr16]

Here you can choose from the first drop-down menu which authentication method you prefer; we are using the first one, “Question and answer”.

Enter your secret question and its answer, as shown in the next window.

[Screenshot: otr17]

In our case, my secret question is “What is my Second age” and my secret answer is “109”.

Click “Authenticate” at the bottom of the window to begin the authentication process; the following window appears on my side.

[Screenshot: otr18]

And the following window appears on my buddy's side (next screen capture).

My buddy needs to enter my secret answer (which is shared only between me and him) in the text box. If he enters the correct one, I am communicating with the right person; otherwise someone else may be impersonating my buddy and it is better to end the conversation. Two caveats: the answer must match exactly, including capitalisation, and the check is only as strong as the question, so pick one whose answer an attacker cannot guess or look up.

My buddy enters the secret answer “109” and clicks “Authenticate”, as follows:

[Screenshot: otr20]

After my buddy clicks “Authenticate”, the following window appears on his/her PC.

[Screenshot: otr18]

If my buddy entered the correct answer, the following window appears telling him that he/she has successfully authenticated to me. My buddy can also authenticate me in the same way if he wants.

[Screenshot: otr21]

After completing this process we notice that in our chat window the OTR label has changed to “Private”, as shown in the next screen captures.

[Screenshot: otr22]

[Screenshot: otr22-1]

But, as we see in the following window, on the other side (my buddy's side) the status is still “Unverified”.

[Screenshot: otr23]

As stated before, for both windows to show “Private” our buddy must also authenticate us using the same process. OTR does not force this step, but until the buddy has done it he has only my word that I am who I claim to be, so for real mutual assurance both sides should verify each other.

Shared Secret Method:

In this method of authentication both parties (you and your buddy) enter the same password or phrase in the dialog box. First enter your phrase and click “Authenticate”; your buddy then needs to enter exactly the same word or phrase. If he/she enters it correctly you can continue the private conversation; otherwise the other side may be someone trying to impersonate your friend and it is better to end the conversation.

[Screenshot: otr24]

Both you and your friend must use the same word or phrase (it is compared exactly, so capitalisation and spacing count), and you must agree on it out of band, over a channel you already trust such as a phone call or a meeting in person, never inside the still-unverified chat itself.

Note: this method first appeared in pidgin-otr 3.1.0; if your buddy is using an older version, it will not work.
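What the “Question and answer” and “Shared secret” methods run under the hood is the Socialist Millionaire Protocol (SMP): the two clients check whether they hold the same secret without either of them revealing it, and the secret each client feeds in is not the bare answer but a hash that also binds both parties' fingerprints and the session id. The following Python is an added example and not code from pidgin-otr or libotr. It keeps the SMP exponent exchange and the secret derivation from the OTR v3 specification, but omits the zero-knowledge proofs that accompany every real SMP message and runs in a small 128-bit safe-prime group instead of the 1536-bit MODP group OTR uses; the fingerprints, session ids and answer are constructed for the demo. It also goes a step beyond the tutorial by showing why the fingerprint binding matters: a man in the middle relaying SMP messages between two separate sessions fails even though both honest parties typed the correct answer.

```python
"""Core of the Socialist Millionaire Protocol (SMP) behind OTR's
"Question and answer" / "Shared secret" authentication.

Added example, not code from pidgin-otr or libotr.  No zero-knowledge
proofs, toy group size: for understanding the idea, not for real use.
"""
import hashlib
import secrets


def is_probable_prime(n):
    """Miller-Rabin with fixed small-prime bases (deterministic; fine for a demo)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start):
    """Smallest safe prime p = 2q + 1 with p >= start (q prime as well)."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 127)   # toy modulus; OTR uses the 1536-bit MODP prime
Q = (P - 1) // 2                # prime order of the subgroup we work in
G = 4                           # 2^2 is a quadratic residue, so it generates that subgroup


def smp_secret(initiator_fp, responder_fp, session_id, answer):
    """OTR v3 SMP secret: SHA-256(0x01 || initiator fpr || responder fpr || ssid || answer).
    Reduced mod Q only because this toy group is small."""
    h = hashlib.sha256(b"\x01" + initiator_fp + responder_fp + session_id + answer).digest()
    return int.from_bytes(h, "big") % Q


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)


def run_smp(x, y):
    """Alice holds x, Bob holds y.  Returns (alice_ok, bob_ok); each side learns
    only whether x == y, never the other side's value."""
    # Step 1 (Alice): two fresh exponents and their public values.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)
    # Step 2 (Bob): his exponents, the shared generators g2 = G^(a2*b2), g3 = G^(a3*b3),
    # and his blinded commitment to y.
    b2, b3 = rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)
    r = rand_exp()
    Pb = pow(g3_bob, r, P)
    Qb = pow(G, r, P) * pow(g2_bob, y, P) % P
    # Step 3 (Alice): the same shared generators, her commitment to x, and Ra.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    s = rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = pow(G, s, P) * pow(g2_alice, x, P) % P
    Qa_over_Qb = Qa * pow(Qb, -1, P) % P          # = G^(s-r) * g2^(x-y)
    Ra = pow(Qa_over_Qb, a3, P)
    # Step 4 (Bob): Rb and his check.  Pa/Pb = g3^(s-r) = G^((s-r)*a3*b3) cancels the
    # blinding, leaving g2^((x-y)*a3*b3), which is 1 exactly when x == y mod Q.
    Rb = pow(Qa_over_Qb, b3, P)
    Pa_over_Pb = Pa * pow(Pb, -1, P) % P
    bob_ok = pow(Ra, b3, P) == Pa_over_Pb
    # Step 5 (Alice): her check with Rb.
    alice_ok = pow(Rb, a3, P) == Pa_over_Pb
    return alice_ok, bob_ok


def demo():
    """Honest session vs. a man in the middle relaying SMP between two sessions."""
    fp = lambda name: hashlib.sha1(name).digest()   # constructed fingerprints, not real keys
    alice, bob, mallory = fp(b"alice"), fp(b"bob"), fp(b"mallory")
    answer = b"109"                                   # the tutorial's example answer
    # Honest: Alice initiates, both sides hash the same fingerprints and session id.
    ssid = bytes.fromhex("0011223344556677")
    honest = run_smp(smp_secret(alice, bob, ssid, answer),
                     smp_secret(alice, bob, ssid, answer))
    # Relay: Alice's session is with Mallory's key, Bob's session is with Mallory's key,
    # and each session has its own id.  Mallory forwards every SMP message unchanged.
    ssid1, ssid2 = bytes.fromhex("0101010101010101"), bytes.fromhex("0202020202020202")
    relayed = run_smp(smp_secret(alice, mallory, ssid1, answer),
                      smp_secret(mallory, bob, ssid2, answer))
    return honest, relayed
```

`demo()` returns `((True, True), (False, False))`. Read the relay result for what it is: the binding stops an attacker from forwarding a correct answer between two sessions, but an attacker who sits in a single session and actually knows the answer will pass, which is why the question has to be one only your buddy can answer.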

Manual fingerprint verification:

If your buddy is using a version of pidgin-otr before 3.1.0, or a different OTR client that does not support the other authentication methods, you will need to use manual fingerprint verification.

In this method each side of the conversation has a fingerprint: a 40-hex-digit hash of their OTR public key, shown in the OTR configuration window. Each party needs to learn the other's fingerprint in order to verify the connection. The fingerprint is not secret, so the channel used to exchange it does not need to be confidential, but it must be one that guarantees the value really comes from your buddy (in person, a voice call, or another channel you have already verified). If an attacker can substitute their own fingerprint on that channel, the whole scheme is defeated.

[Screenshot: otr25]

If the fingerprint your buddy tells you matches the one listed as his or her “purported fingerprint”, pull down the selection that says “I have not” (verified that this is in fact the correct fingerprint), change it to “I have”, and you are done. Compare all forty digits, not just the first group; a partial match proves nothing.
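As an added example (not pidgin-otr's own code), here is the comparison the “I have / I have not” dialog is doing for you, written in Python against the plugin's fingerprint store. It assumes the layout libotr uses for the otr.fingerprints file in the Pidgin profile directory: one tab-separated line of buddy, account, protocol, 40-hex-digit SHA-1 fingerprint and a trust field that is “verified” after manual verification, “smp” after question or shared-secret verification, or empty. The sample store and its fingerprints are constructed. Besides matching a purported fingerprint against what was verified before, it flags the case the tutorial warned about earlier: a buddy you once verified now presenting a different key.

```python
"""Check a buddy's purported OTR fingerprint against the fingerprint store.

Added example, not code from pidgin-otr or libotr.  Assumes libotr's
otr.fingerprints layout: buddy \t account \t protocol \t 40-hex fingerprint \t trust.
"""
import hmac
import re

# Constructed sample of ~/.purple/otr.fingerprints; these fingerprints are made up.
SAMPLE_STORE = (
    "bob@example.org\talice@example.org\tprpl-jabber\t"
    "0123456789abcdef0123456789abcdef01234567\tverified\n"
    "bob@example.org\talice@example.org\tprpl-jabber\t"
    "fedcba9876543210fedcba9876543210fedcba98\t\n"
    "carol@example.org\talice@example.org\tprpl-jabber\t"
    "89abcdef0123456789abcdef0123456789abcdef\tsmp\n"
)


def normalize_fingerprint(text):
    """Accept the dialog form ('01234567 89ABCDEF ...') or raw hex; return 40 lowercase hex digits."""
    fp = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError("not a 160-bit OTR fingerprint: %r" % text)
    return fp


def human_readable(fp):
    """Five groups of eight uppercase hex digits, the way pidgin-otr displays a fingerprint."""
    fp = normalize_fingerprint(fp)
    return " ".join(fp[i:i + 8] for i in range(0, 40, 8)).upper()


def parse_store(text):
    """Parse otr.fingerprints lines into dicts; a malformed line is an error, not skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            raise ValueError("otr.fingerprints line %d is malformed" % lineno)
        buddy, account, protocol, fp = parts[:4]
        entries.append({
            "buddy": buddy, "account": account, "protocol": protocol,
            "fingerprint": normalize_fingerprint(fp),
            "trust": parts[4] if len(parts) > 4 else "",
        })
    return entries


def check_buddy(store, account, protocol, buddy, purported):
    """Classify the fingerprint the OTR dialog calls 'purported' for this buddy.

    Returns 'verified', 'unverified', 'new_buddy' or 'key_changed'.  The last is
    the case to stop on: a buddy verified before now shows a different key
    (new PC, regenerated key, or somebody impersonating them).
    """
    purported = normalize_fingerprint(purported)
    known = [e for e in store
             if (e["buddy"], e["account"], e["protocol"]) == (buddy, account, protocol)]
    if not known:
        return "new_buddy"
    for entry in known:
        # Constant-time compare is a habit worth keeping even for public values.
        if hmac.compare_digest(entry["fingerprint"], purported):
            return "verified" if entry["trust"] else "unverified"
    if any(e["trust"] for e in known):
        return "key_changed"
    return "unverified"
```

A `key_changed` result is the moment to re-verify out of band, exactly as when a buddy moves to a new PC or account. The store is also the file to back up before reinstalling Pidgin: losing it silently resets every buddy to “Unverified”, and losing the private key file beside it makes your own fingerprint change for everyone who verified you.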

In this tutorial we described how to install the Pidgin client and how to install and configure the OTR plugin used to hold secure conversations in Pidgin. I will be happy to receive your suggestions and comments regarding this tutorial.
Happy Secure Chatting!

Download Pidgin IM messenger from here (offline installer, 31.4 MB)

Download the OTR plugin for Pidgin from here (1.3 MB)

Permanent link to this article: http://www.darknessgate.com/security-tutorials/privacy-online/off-the-record-messaging-pidgin-secure-im/