Off-the-record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of the AES symmetric-key algorithm with a 128-bit key length, the Diffie–Hellman key exchange with a 1536-bit group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.
The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. The initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".
The OTR protocol was designed by cryptographers Ian Goldberg and Nikita Borisov and released on 26 October 2004. They provide a client library to facilitate support for instant messaging client developers who want to implement the protocol. A Pidgin and Kopete plugin exists that allows OTR to be used over any IM protocol supported by Pidgin or Kopete, offering an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations. Version 4 of the protocol has been in development since 2017 by a team led by Sofía Celi, and reviewed by Nik Unger and Ian Goldberg. This version aims to provide online and offline deniability, to update the cryptographic primitives, and to support out-of-order delivery and asynchronous communication.
History
OTR was presented in 2004 by Nikita Borisov, Ian Avrum Goldberg, and Eric A. Brewer as an improvement over the OpenPGP and the S/MIME system at the "Workshop on Privacy in the Electronic Society" (WPES).
The first version 0.8.0 of the reference implementation was published on 21 November 2004. In 2005 an analysis was presented by Mario Di Raimondo, Rosario Gennaro, and Hugo Krawczyk that called attention to several vulnerabilities and proposed appropriate fixes, most notably including a flaw in the key exchange.
As a result, version 2 of the OTR protocol was published in 2005, which implements a variation of the proposed modification that additionally hides the public keys. Moreover, the possibility to fragment OTR messages was introduced in order to deal with chat systems that have a limited message size, and a simpler method of verification against man-in-the-middle attacks was implemented.
In 2007 Olivier Goffart published mod_otr for ejabberd, making it possible to perform man-in-the-middle attacks on OTR users who don't check key fingerprints. OTR developers countered this attack by introducing a socialist millionaire protocol implementation in libotr. Instead of comparing key checksums, knowledge of an arbitrary shared secret can be utilised for which relatively low entropy can be tolerated.
Version 3 of the protocol was published in 2012. As a measure against the repeated reestablishment of a session in case of several competing chat clients being signed on to the same user address at the same time, more precise identification labels for sending and receiving client instances were introduced in version 3. Moreover, an additional key is negotiated which can be used for another data channel.
Several solutions have been proposed for supporting conversations with multiple participants. A method proposed in 2007 by Jiang Bian, Remzi Seker, and Umit Topaloglu uses the system of one participant as a "virtual server".
The method called "Multi-party Off-the-Record Messaging" (mpOTR), which was published in 2009, works without a central management host and was introduced in Cryptocat by Ian Goldberg et al.
In 2013, the Signal Protocol was introduced, which is based on OTR Messaging and the Silent Circle Instant Messaging Protocol (SCIMP). It brought about support for asynchronous communication ("offline messages") as its major new feature, as well as better resilience with distorted order of messages and simpler support for conversations with multiple participants.
OMEMO, introduced in an Android XMPP client called Conversations in 2015, integrates the Double Ratchet Algorithm used in Signal into the instant messaging protocol XMPP ("Jabber") and also enables encryption of file transfers. In the autumn of 2015 it was submitted to the XMPP Standards Foundation for standardisation.
Currently, version 4 of the protocol has been designed. It was presented by Sofía Celi and Ola Bini at PETS2018.
Implementation
In addition to providing encryption and authentication — features also provided by typical public-key cryptography suites, such as PGP, GnuPG, and X.509 (S/MIME) — OTR also offers some less common features:
Forward secrecy: Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie–Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts.

Deniable authentication: Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, ensuring that it is impossible to prove that a specific message came from a specific person. Within the conversation the recipient can be sure that a message is coming from the person they have identified.
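The following is an added illustration, not libotr code and not part of the original article, of how deniable authentication and malleable encryption fit together: authenticity rests on a MAC key that both parties hold and that is later revealed, and the cipher is an XOR stream. It assumes OTR's construction of a counter-mode cipher with HMAC-SHA1 and a MAC key derived as SHA-1 of the AES key; a SHA-256 keystream stands in for AES-128-CTR, and all keys, nonces and messages are constructed sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream. SHA-256 is a stand-in for AES-128 (no AES in the
    # standard library); the XOR structure that makes CTR malleable is the same.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor(data, keystream(enc_key, nonce, len(data)))

def mac_key_for(enc_key: bytes) -> bytes:
    # MAC key = SHA-1 of the encryption key: revealing it later gives away
    # the ability to authenticate, not the ability to decrypt.
    return hashlib.sha1(enc_key).digest()

def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha1).digest()

def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, nonce, ciphertext), t)

def rewrite_entry(ciphertext, known_plain, new_plain, nonce, revealed_mac_key):
    # No encryption key needed: XOR the difference of the two plaintexts
    # into the ciphertext, then re-tag with the revealed MAC key.
    if len(known_plain) != len(new_plain):
        raise ValueError("stream-cipher rewrite needs equal-length plaintexts")
    new_ct = xor(ciphertext, xor(known_plain, new_plain))
    return new_ct, tag(revealed_mac_key, nonce, new_ct)

def demo():
    enc_key, nonce = b"K" * 16, b"\x00" * 8      # constructed sample values
    mac_key = mac_key_for(enc_key)
    sent = b"meet at 10:00"                      # constructed sample message
    ct = crypt(enc_key, nonce, sent)
    t = tag(mac_key, nonce, ct)
    live_ok = verify(mac_key, nonce, ct, t)      # recipient trusts it in-session
    # After the session the MAC key is revealed; the logged entry is edited.
    new_ct, new_t = rewrite_entry(ct, sent, b"meet at 23:59", nonce, mac_key)
    return live_ok, verify(mac_key, nonce, new_ct, new_t), crypt(enc_key, nonce, new_ct)
```

The edited entry verifies exactly like the genuine one, which is why a logged OTR transcript proves nothing about authorship to a third party, while the recipient's in-session check remains meaningful.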
Authentication
As of OTR 3.1, the protocol supports mutual authentication of users using a shared secret through the socialist millionaire protocol. This feature makes it possible for users to verify the identity of the remote party and avoid a man-in-the-middle attack without the inconvenience of manually comparing public key fingerprints through an outside channel.
Limitations
Due to limitations of the protocol, OTR does not support multi-user group chat, but it may be implemented in the future. As of version 3 of the protocol specification, an extra symmetric key is derived during authenticated key exchanges that can be used for secure communication (e.g., encrypted file transfers) over a different channel. Support for encrypted audio or video is not planned. (SRTP with ZRTP exists for that purpose.) A project to produce a protocol for multi-party off-the-record messaging (mpOTR) has been organized by Cryptocat, eQualitie, and other contributors including Ian Goldberg.
Since OTR protocol v3 (libotr 4.0.0) the plugin supports multiple OTR conversations with the same buddy who is logged in at multiple locations.
Client support
Native (supported by project developers)
These clients support Off-the-Record Messaging out of the box (incomplete list).
Via third-party plug-in

The following clients require a plug-in to use Off-the-Record Messaging.
* HexChat, with a third-party plugin
* Miranda NG (Microsoft Windows), with a third-party plugin
* Pidgin (cross-platform), with a plugin available from the OTR homepage
* WeeChat, with a third-party plugin
* HexChat, for *nix versions, with a third-party plugin
Confusion with Google Talk "off the record"
Although Gmail's Google Talk uses the term "off the record", the feature has no connection to the Off-the-Record Messaging protocol described in this article; its chats are not encrypted in the way described above and could be logged internally by Google even if not accessible by end-users.
External links
* Protocol specification, talk by Ian Goldberg at the University of Waterloo (video)