Secure Instant Messaging

1
Secure Instant Messaging

• Brad Wellington

2
AOL - Protocols

• 1. Two protocols TOC and Oscar
• 2. BIM uses TOC (open source)
• 3. Both protocols talk to a central server

Hi Alice
AOL Central Server
3
Problems with TOC

• TOC is clear text
• It easy to alter messages
• It is easy to spy on messages passing through

4
Eavesdropping
AOL Central Server
My credit card number 1234
5
Altered Messages
Pick me up at 8
8, you say?
AOL Central Server
Pick me up at 7
6
PKI Public Key Infrastructure

• Each user has a public and private key
• Public keys are public knowledge, but private
  keys are kept a secret always
• An encoded message is encoded with one key and
  decoded with the other
• Encoding can be used for multiple purposes

7
Encryption

• If I want to send Alice a message I encode it
  with her public key
• Only the holder of her private key can read it,
  namely Alice

8
Digital Signatures

• I encode a hash of my message (MD5) using my
  private key
• Alice can verify it was me who sent the message
  by using my public key to decode the hash

9
Man in the Middle

• BIM requires the swapping of public keys

AOL Central Server
My public key is B
I will encrypt messages with B
My public key is A
10
CA Certificate Authorities

• Instead of swapping raw public keys, swap signed
  public keys signed by a third party
• BIMs CA-bot signs anything but one could imagine
  stricter standards