New Secure IM Client from NTT Due this Year
An anonymous reader writes "NTT in Japan has developed a new TLS-based secure instant messaging system that it says will comply with corporate compliance regulations, such as the post-Enron Sarbanes-Oxley Act. There's a PC version, as well as a Java one for i-Mode cell phones."
OTR doesn't use TLS, but it does a great job encrypting conversations. Much better approach than SecureIM by Trillian or gaim-encryption.
This is just one more attempt, IMO, to realign privacy and security values to where they were before new technologies. Where IM is replacing conversations around the water cooler in the workplace, securing it from snooping is an okay thing. Logging it as official corporate communications is getting into, perhaps, dangerous territory. There is the part where it is a company resource, but when it comes close to being thought police, it is dangerous.
I think that modern society is still trying to find a place of 'normalcy' in the midst of new technology. I don't believe that there is an equivalent of IM prior to the advent of IM, other than private conversations. Recording private conversations is still not an okay thing to do. Comparing this to text-based conversations that deaf/mute people have with text-based phones, it all gets a bit confusing as to what is okay to record and what isn't.
Until it is clearly understood what is okay to snoop and record and what is not, people will make mistakes in what they allow to be recorded, and why, and how those recordings are used. No manner of encryption will fix the real issues. It seems that the only secure manner to communicate is whispering so that no one can hear what is being said.... very low tech!
Support NYCountryLawyer RIAA vs People
If I can't look at the source.. it ain't secure.
..don't panic
The XMPP RFC describes the usage of SASL and TLS:
http://www.ietf.org/rfc/rfc3920.txt
TLS can be used on client-server connections and on server-server connections.
JEP 27 describes the usage of OpenPGP for encryption:
http://www.jabber.org/jeps/jep-0027.html
RFC 3923 describes S/MIME usage:
http://www.ietf.org/rfc/rfc3923.txt
JEP 116 describes Encrypted Sessions, which seems to be somewhat reminiscent of SSH:
http://www.jabber.org/jeps/jep-0116.html
I don't know that anyone implements this yet.
BTW Can someone tell me whether the connection between the two people chatting with Jabber is P2P or whether it is routed via the server?
Normal chatting at least is all client-server. File transfer can be p2p (normal case) or client-server, while Jingle Audio is p2p.
Climate Progress - Hell and High Water