Encrypting Instant Messaging with OTR

This screenshot tutorial covers how to use the Pidgin instant messaging (IM) client with Off-the-Record (OTR) encryption. Pidgin was chosen because it is a popular, multi-platform, free IM client. This tutorial assumes that you already have Pidgin installed on your computer and access to an IM account. A Google XMPP account is used in this tutorial, but the instructions work for any IM protocol Pidgin supports: OTR runs inside the normal message stream between the two clients and needs no support from the server.

Add your account to Pidgin

The first step is to make sure your IM account is added to Pidgin. Pidgin will ask you to add an account if this is the first time it has been run.

Image 1

Install the Pidgin OTR plugin

Pidgin does not come with OTR built in. Fortunately, the Off-the-Record Messaging plugin (pidgin-otr) can be installed and enabled to add OTR support. You should download and install the plugin from here.

Image 2

Once the OTR plugin has been installed, it must be enabled. From the Tools menu, click Plugins. Scroll down to the "Off-the-Record Messaging" plugin and select the checkbox to enable the plugin.

Image 3

Before you can use OTR, you must generate a keypair for your account. To do this, click the Configure Plugin button, make sure the right account is selected, and then click the Generate button. After a few seconds your long-term key will have been made, and the plugin displays its fingerprint. Keys are tied to an account, so if you use several accounts in Pidgin you need to generate a key for each one.

Image 4

Begin an OTR session

You are now ready to begin an OTR session. First, open a chat window with someone from your roster. At the bottom right corner you should see "Not private". This tells you that the conversation is not encrypted and that the other person's identity has not been verified.

Image 5

To begin using encryption, click on the "Not private" button and select "Start private conversation". If the other person is using a client with OTR support, the two clients perform an authenticated key exchange: they exchange long-term public keys, agree on a fresh session key, and a private conversation is started.

At this point messages are already being encrypted. However, OTR deliberately does not sign individual messages the way S/MIME email does; signatures would let either party later prove to a third party who said what, so OTR authenticates messages with MACs instead and keeps transcripts deniable. Encryption alone also does not tell you who is at the other end: a man in the middle could have completed the key exchange with both of you using keys of his own. Until you confirm that the key you just received really belongs to your contact, the OTR plugin says "Unverified".

Image 6

To verify the other person, the plugin uses the Socialist Millionaire Protocol (SMP). SMP lets two parties check that they both know the same secret without either revealing it, and a man in the middle who does not know the secret learns nothing from watching the exchange. Click on the "Unverified" button and select "Authenticate buddy". A new window will open letting you specify a question and a (case-sensitive) answer. Choose something only the two of you know: an attacker who can guess the answer would pass the check. (The same dialog also offers verifying a pre-arranged shared secret or comparing key fingerprints manually, for example over the phone.) When you're ready, press Authenticate.

Image 7

You will see a progress dialog while the other person is answering. If the other user answers correctly, you have confirmed their identity, and the plugin marks their key fingerprint as trusted.

Image 8

Image 9

A successful run only lets the person who chose the question draw a conclusion (anyone, including an attacker, can pose a question he already knows the answer to), so the other user will now ask you a question so they can verify your identity in turn. A dialog box will open presenting you with the question. Enter the answer here and press Authenticate.

Image 10

Now both people have verified each other's identity. The OTR plugin will now say "Private", and both of you can begin messaging. Pidgin remembers the verified fingerprint, so you will not have to repeat this for the same contact unless their key changes. If a contact you have already verified ever shows up as "Unverified" again, treat it as a warning and authenticate again before discussing anything sensitive.

Image 11
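As an added illustration of what the Authenticate step above is doing (example code written for this page, not part of pidgin-otr or libotr), the following Python runs the arithmetic core of the Socialist Millionaire Protocol for both sides in one process. It uses the 1536-bit MODP group and generator 2 that OTR uses, but it omits the zero-knowledge proofs that the real protocol attaches to every message and the fingerprint and session-id material that OTR mixes into the secret, so it is a teaching model of the arithmetic, not something to build on.

```python
import hashlib
import secrets

# The 1536-bit MODP group from RFC 3526 with generator 2: the group OTR
# uses for its Diffie-Hellman and SMP computations.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def secret_from_answer(answer: str) -> int:
    """Turn the typed answer into the SMP exponent.

    Real OTR also hashes both parties' fingerprints and the session id into
    this value so a result is bound to one session; that is omitted here
    (simplification for this example). Hashing is why the answer is case
    sensitive: "Paris" and "paris" give unrelated exponents.
    """
    return int.from_bytes(hashlib.sha256(answer.encode("utf-8")).digest(), "big")


def rand_exp() -> int:
    """Fresh random blinding exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def smp_match(alice_answer: str, bob_answer: str) -> bool:
    """Run the SMP core for both parties; True iff the two answers agree.

    Neither side ever sends its secret. What would cross the wire are group
    elements blinded by fresh random exponents (the ZK proofs that make
    this safe against a cheating peer are left out here).
    """
    x = secret_from_answer(alice_answer)   # Alice's secret
    y = secret_from_answer(bob_answer)     # Bob's secret

    # Message 1, Alice -> Bob: g^a2 and g^a3.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)

    # Message 2, Bob -> Alice: g^b2, g^b3 and Bob's commitments Pb, Qb.
    # Both sides can now derive g2 = g^(a2*b2) and g3 = g^(a3*b3).
    b2, b3 = rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)
    s = rand_exp()
    pb = pow(g3_bob, s, P)
    qb = pow(G, s, P) * pow(g2_bob, y, P) % P

    # Message 3, Alice -> Bob: Alice's commitments Pa, Qa and Ra = (Qa/Qb)^a3.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    r = rand_exp()
    pa = pow(g3_alice, r, P)
    qa = pow(G, r, P) * pow(g2_alice, x, P) % P
    q_ratio = qa * pow(qb, -1, P) % P
    ra = pow(q_ratio, a3, P)

    # Message 4, Bob -> Alice: Rb = (Qa/Qb)^b3. Each side raises the other's
    # R value to its own exponent and both obtain (Qa/Qb)^(a3*b3).
    rb = pow(q_ratio, b3, P)
    rab_bob = pow(ra, b3, P)
    rab_alice = pow(rb, a3, P)
    assert rab_bob == rab_alice

    # (Qa/Qb)^(a3*b3) = g3^(r-s) * g2^((x-y)*a3*b3). The second factor is 1
    # exactly when x == y, in which case the value equals Pa/Pb.
    return rab_bob == pa * pow(pb, -1, P) % P


if __name__ == "__main__":
    print("same answer:     ", smp_match("Paris", "Paris"))
    print("different case:  ", smp_match("Paris", "paris"))
```

The last comparison is the whole trick: if the answers differ, the leftover factor is a group element raised to exponents only Alice and Bob know, so a man in the middle who guesses wrong sees a random-looking value and learns nothing about either answer. The second call in the usage block is the case-sensitivity caveat from the dialog: the hash of "paris" has nothing in common with the hash of "Paris", so the run fails just as it would for a wrong answer.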

Encrypted? Prove it!

To show that these messages really are encrypted, take a look at the following Google Chat logs: every message in the history is an opaque "?OTR:" blob rather than the text that was typed. If someone has tapped your connection or assumed control of Google's servers they will not be able to make sense of your messages. Note what they can still see, though: who you are talking to, when, and roughly how long each message is.

Image 12
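To see concretely what such an observer gets, here is an added example (written for this page; it is not libotr code, and the sample message is constructed, not captured) that assembles an OTR version 3 Data Message in the field layout the OTR protocol specification defines, wraps it as the "?OTR:...." string that travels over XMPP, and parses it back the way a passive observer could. Every field the parser recovers is either routing metadata or ciphertext; the plaintext never appears, but its length does.

```python
import base64
import struct


def _data(b: bytes) -> bytes:
    """OTR DATA/MPI encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_sample_message() -> str:
    """Assemble a constructed OTRv3 Data Message (not a real capture).

    Field order follows the OTR protocol specification: version, type 0x03,
    sender and receiver instance tags, flags, sender and recipient key ids,
    next DH public value (MPI), top half of the CTR counter, encrypted
    message (DATA), 20-byte HMAC-SHA1, and the old MAC keys being revealed.
    """
    dh_y = (1 << 1535) | 0x1234                         # placeholder, not a real DH value
    body = struct.pack(">HB", 3, 0x03)
    body += struct.pack(">II", 0x1A2B3C4D, 0x5E6F7081)   # instance tags (constructed)
    body += struct.pack(">B", 0x00)                      # flags
    body += struct.pack(">II", 2, 1)                     # sender / recipient keyid
    body += _data(dh_y.to_bytes(192, "big"))
    body += (1).to_bytes(8, "big")                       # counter, top half
    body += _data(bytes(range(32)))                      # stand-in ciphertext, 32 bytes
    body += b"\xAA" * 20                                 # stand-in MAC
    body += _data(b"")                                   # no old MAC keys revealed yet
    return "?OTR:" + base64.b64encode(body).decode("ascii") + "."


def parse_data_message(wire: str) -> dict:
    """Parse an encoded OTRv3 Data Message as a passive observer could."""
    if not (wire.startswith("?OTR:") and wire.endswith(".")):
        raise ValueError("not an OTR encoded message")
    buf = base64.b64decode(wire[len("?OTR:"):-1])
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated message")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    def take_data() -> bytes:
        (n,) = struct.unpack(">I", take(4))
        return take(n)

    version, mtype = struct.unpack(">HB", take(3))
    if version != 3 or mtype != 0x03:
        raise ValueError(f"unsupported version/type {version}/{mtype:#x}")
    sender_tag, receiver_tag = struct.unpack(">II", take(8))
    flags = take(1)[0]
    sender_keyid, recipient_keyid = struct.unpack(">II", take(8))
    dh_y = int.from_bytes(take_data(), "big")
    counter = take(8)
    ciphertext = take_data()
    mac = take(20)
    old_mac_keys = take_data()
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return {
        "version": version,
        "sender_tag": sender_tag,
        "receiver_tag": receiver_tag,
        "flags": flags,
        "sender_keyid": sender_keyid,
        "recipient_keyid": recipient_keyid,
        "dh_y_bits": dh_y.bit_length(),
        "counter": counter,
        # OTR encrypts with AES-128 in counter mode, so the ciphertext is
        # exactly as long as the plaintext: the observer learns the length.
        "ciphertext_len": len(ciphertext),
        "mac": mac,
        "old_mac_keys": old_mac_keys,
    }


if __name__ == "__main__":
    wire = build_sample_message()
    print(wire[:40] + "...")
    for key, value in parse_data_message(wire).items():
        print(f"{key:16} {value!r}")
```

Two of the parsed fields are worth a second look. The ciphertext length is the one thing about the content that leaks, because counter mode adds no padding. The old MAC keys field is the deniability mechanism mentioned in the "Unverified" section: once a MAC key is no longer needed, OTR publishes it in a later message, so anybody could have forged messages under it after the fact and a logged transcript proves nothing about who wrote what.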


Need help? Found an error? Have a suggestion? Contact me!