Digital messaging has typically operated in an insecure environment. However, a growing number of people use digital messaging in the business environment to communicate with co-workers, and with people they do business with at other companies, outside of company firewalls.
Off-the-Record Messaging (“OTR”) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR allows a user to have private conversations over instant messaging by providing encryption, authentication, and deniability. The messages sent do not carry digital signatures that a third party can check. Thus, anyone can forge messages after a conversation to make them look as if they came from someone else.
OTR uses a combination of the Advanced Encryption Standard (“AES”) symmetric-key algorithm with a 128-bit key, the Diffie-Hellman key exchange with a 1536-bit group, and the SHA-1 hash function. Keys are not ephemeral (meaning the keys are persistent and remain in place), so messages are subject to cryptographic attacks that operate on large bodies of ciphertext encrypted with the same key. Furthermore, out-of-band communication is required, and all ciphertext is stored on a central server for later access, leaving it open to ciphertext attacks should an attacker gain access.
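To illustrate the deniability property and the role of the shared Diffie-Hellman secret and SHA-1 described in the two paragraphs above, here is an added example; it is not part of the original document and is not the OTR protocol's own code. The shared secret, the participant names and the message texts are constructed values, and the key derivation is a deliberately simplified assumption. Messages are authenticated with an HMAC under a key both parties hold, so the recipient can check integrity, but a transcript cannot prove to anyone else which party produced a given entry, because either holder of the key can compute an identical tag.

```python
import hashlib
import hmac

# Constructed stand-in for the secret both parties obtain from the Diffie-Hellman
# exchange (an assumption for this example, not a real protocol value).
SHARED_SECRET = b"constructed-diffie-hellman-shared-secret"

# Both ends of the conversation hold the same secret and therefore the same MAC key.
KEY_HOLDERS = frozenset({"alice", "bob"})


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Derive a MAC key from the shared secret; SHA-1 mirrors the hash named above (simplified)."""
    return hashlib.sha1(b"mac-key|" + shared_secret).digest()


def tag_message(mac_key: bytes, claimed_sender: str, message: bytes) -> bytes:
    """HMAC-SHA1 over the claimed sender and the body, under the symmetric MAC key."""
    return hmac.new(mac_key, claimed_sender.encode() + b"|" + message, hashlib.sha1).digest()


def verify_message(mac_key: bytes, claimed_sender: str, message: bytes, tag: bytes) -> bool:
    """Constant-time tag check; succeeds for any tag produced with this key."""
    return hmac.compare_digest(tag_message(mac_key, claimed_sender, message), tag)


def possible_authors(mac_key: bytes, claimed_sender: str, message: bytes, tag: bytes) -> frozenset:
    """What a third party holding the transcript and the key can conclude about authorship.

    A valid tag proves only that some holder of mac_key produced it, so every
    key holder remains a candidate; an invalid tag rules out all of them.
    """
    if verify_message(mac_key, claimed_sender, message, tag):
        return KEY_HOLDERS
    return frozenset()


def demo() -> dict:
    """Run a short exchange and report what the transcript does and does not establish."""
    mac_key = derive_mac_key(SHARED_SECRET)

    # Genuine message from Alice; Bob verifies it with the key they share.
    genuine = b"meet at 10"
    genuine_tag = tag_message(mac_key, "alice", genuine)

    # Bob holds the same key, so a transcript entry he writes later that names
    # Alice as the sender verifies just as well: the tag does not pin authorship.
    constructed = b"meet at 11"
    constructed_tag = tag_message(mac_key, "alice", constructed)

    return {
        "genuine_verifies": verify_message(mac_key, "alice", genuine, genuine_tag),
        "constructed_verifies": verify_message(mac_key, "alice", constructed, constructed_tag),
        "authors_of_genuine": possible_authors(mac_key, "alice", genuine, genuine_tag),
        "authors_of_constructed": possible_authors(mac_key, "alice", constructed, constructed_tag),
        # Integrity is still enforced: a body that was altered without the key fails the check.
        "tampered_verifies": verify_message(mac_key, "alice", b"meet at 12", genuine_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast with a digital signature is the point: a signature verifies under a public key only one party holds, so a transcript would attribute each message to its signer; the symmetric tag gives integrity between the two parties while leaving authorship unprovable to outsiders.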
Services that use a central server are vulnerable to attacks on the server, potentially compromising all communications. For example, while communications in Gmail are secured to and from the server (preventing eavesdroppers from reading their contents), malicious insiders or hackers who gain access to Gmail itself can still exfiltrate the contents of conversations at will, regardless of the protection applied in transit.
It would be advantageous to provide a secure digital messaging system that lacks the problems described above.