How-to: Encrypted Instant Messaging on Mac OS X with Adium and Off The Record (OTR)

This document is intended to help people quickly get started encrypting their Instant Messages on Mac OS X.

Some background:

Adium is a free and open source instant messaging client for Mac OS X that supports multiple IM networks, including Windows Live Messenger, Yahoo! Messenger, Google Talk, AIM, ICQ and Jabber / XMPP.

Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations.

Important: Known Limitations:
- Adium is capable of having direct one-on-one chats as well as group chats. However, due to limitations of the OTR protocol, Adium does not support encryption during multi-user group chat. It only works in one-on-one chats.
- Adium keeps unencrypted logs of OTR chats by default. See Step 6 to learn how to disable logging of encrypted chat sessions.

Now let's jump right in.

Step 1: Download Adium

Begin by opening your favorite web browser ( Safari, Firefox, Chrome, Tor Browser Bundle or the browser of your choice ) and loading up the Adium website: https://adium.im

You will see the mascot for Adium, a green duck. Underneath the duck it will say "Download Adium". Click on that link. You will be taken to the Adium project's download page at Sourceforge.net. That page will say "Your download will start in 5 seconds..." and will count down to 0. The download will begin.

The file that you get will be called Adium_x.y.z.dmg" where x.y.z is the version number. At the time of this writing, the current version is 1.5.7. The download may take a while to complete, as it is over 20MB in size.

Step 2: Install Adium

Open the Adium_x.y.z.dmg file by double clicking on it. In a default configuration the file will be in your Downloads folder inside your account's home directory. In the menu bar at the bottom of your screen, next to the recycle bin icon, there will be an icon for your Downloads directory. Click on it and inside you should find the Adium.x.y.z.dmg file. Click on the file. A dialog box will open up saying "Opening Adium_x.y.z.dmg" it will go through several stages: verifying, checking volumes, mounting. After a few seconds, a folder will open up containing the Adium application. If you have ever installed a Mac OS X application this should be familiar to you. Simply drag the Adium icon onto the Applications Folder icon that is also inside the folder. This will install the application on your system.

Step 3: Running Adium for the first time

When you run Adium for the first time you will have the option to import your account information from other IM clients such as iChat. Or you can manually enter in your account information.

If you don't have an instant messaging account on any of the supported services you can try creating an account on Calyx's free jabber server, jabber.calyxinstitute.org. To set up an account on the Calyx server, in Adium, navigate in the menu bar to File > Add Account > XMPP (Jabber).

For your jabber ID, choose a username and append @jabber.calyxinstitute.org. So for example if you choose 'mickeymouse' as your username then fill in 'mickeymouse@jabber.calyxinstitute.org'. Then choose a strong password. ( See: Generate a Strong Password using Mac OS X Lion’s Built-in Utility )

Alternately you can use the jabber.ccc.de server ( a public XMPP / Jabber server run by the Chaos Computer Club ) by selecting 'XMPP' for the Service, and making up an account in the format user@jabber.ccc.de and the password of your choice.

Once you have filled in the Jabber ID field and the password field, you can click 'Register New Account'. A new window will pop up asking you for server details. If you chose the Calyx server then use jabber.calyxinstitute.org for the Server. If you chose the CCC server then use jabber.ccc.de.
You can leave the port at the default of 5222. Then click the 'Request New Account' button.

You will be prompted to again enter your Jabber ID and password

Step 3: Generating your Encryption keys

After getting online with your IM account, go to the Adium menu and select Preferences.

In the preferences window that opens up, click the right-most icon, Advanced. In the Advanced preference pane, there will be a column of icons along the left-hand side. Select 'Encryption'.

This is where you will generate a key pair for your account. The key pair has two components, the public key and the private key. The public key is used to encrypt messages to you. Your private key is used to decrypt messages that are encrypted with your public key. You don't need to know all of this in order to encrypt your Instant messages, but the more you know the better. To learn more, check out the wikipedia entry on public key cryptography

The Encryption preferences page will say 'No private key present'. There will be a button next to your account name that says 'Generate'. Press that button.

Once the generation process completes, where it said 'No private key present' it will now say Fingerprint: and there will be a set of random characters, probably 5 groups of 8 characters for a total of 40 characters.

Step 4: Using Off The Record to encrypt your messages

At this point you can test out OTR Encryption by starting an Instant Message conversation with a contact of yours who also has Adium or another OTR-capable IM client installed.

You will notice that when you open the conversation with your contact that there is a padlock icon which starts out in an 'unlocked' state. If you click on that icon and select 'Inititate Encrypted OTR Chat' then the key exchange process will begin.

The first time you attempt to communicate over an encrypted channel with your contact, you will get a pop-up window stating that your contact has sent you an unknown encryption fingerprint.

You will be asked whether you want to accept that fingerprint as verified. This is actually a vitally important moment because verification of your contact's fingerprint is the only way you can be sure that your messages are not being intercepted by a 3rd party.

In security circles, people sometimes print their fingerprints on the backs of their business cards, or publish them in a public place such as on their website, on their twitter account's about page, or something along those lines.

You can even confirm the fingerprint with your contact either by hand in person, via email ( preferably encrypted / signed email ) or over the phone if you want.

However you choose to verify the fingerprint is up to you. But to have any real assurance of security you must actually verify the fingerprint. Do not simply click 'Accept' and assume that all is well, especially if your safety may be at risk if your communications would be intercepted by a 3rd party.

Once you hit the 'Accept' button, your contact's public key will be saved within your Adium preferences. You can view it at any time by going to the Encryption preferences pane and selecting their username.

After you hit Accept, the padlock icon should change to a locked state. Now your communications are being encrypted and are protected against being easily intercepted and read.

Step 5: Verifying that your messages are being encrypted

Note: Do not intercept network traffic on a network where you do not have legal authority to do so. Interception of traffic may violate the law in your jurisdiction. This is not legal advice. Check with an attorney to be certain.

The simple and straight-forward way to accomplish this is to verify that the padlock icon is closed which indicates that your instant message session is encrypted.

If you really need strong communications security then don't simply trust that a padlock icon says your traffic is being encrypted. You should directly verify it yourself using network tools. Here are some ideas on how you could accomplish that:

If you are using AOL IM as your Service then tools such as dsniff can be used to intercept the traffic and extract the raw messages. If you are using XMPP then something like tcpflow or wireshark would work well to intercept your messages.

Step 6: Disable logging of your Encrypted chats

Adium keeps unencrypted logs of OTR chats by default. By design, OTR supports Perfect Forward secrecy, but by logging OTR enabled chats, it violates one of the design goals of OTR, and may put you at risk if the contents of your computer are ever captured by an adversary.

To disable logging of OTR encrypted chats, go to the Adium Preferences panel, and select 'General' and uncheck the box that says 'Log OTR-secured chats'