July 26, 2006
This article was contributed by Jake Edge.
Usage of instant messaging (IM) is growing rapidly to facilitate real-time
communication across the internet. Unfortunately, it provides the illusion
of privacy
which can fool users into chatting about subjects that they would not normally
discuss in public. A new tool,
ScatterChat has recently been released
that provides a cross-platform solution for encryption over the public IM
networks. Using it
provides actual privacy for IM conversations without much additional burden
for the user.
ScatterChat is a 'friendly fork' of the
Gaim IM client that adds
encrypted chat, key management, and encrypted file transfer for many
of the IM protocols supported by Gaim. In addition, ScatterChat
optionally interfaces to Tor to provide
traffic analysis resistance for additional privacy. It is available in
source form for Linux and MacOS as well as Windows binaries.
In order to use ScatterChat, a user first generates a public/private
key pair that gets associated with a particular IM screen name. Once that
is complete, the program logs the user into the IM network and provides the
same basic interface as Gaim. A user can then choose a buddy to chat
with and ScatterChat provides an extra button in the chat window to request
encryption. If necessary, a key exchange is done between the user and
their buddy, but one can always refuse encryption and the key exchange
protocol will be silently ignored. This ability allows users to control
who knows that they are using ScatterChat; if they refuse the key exchange,
it will look no different than someone who is using a standard IM client.
Once an encrypted session has been established (verified by the now familiar
padlock icon), it works just like an unencrypted session. Users can type
back and forth to each other but any intermediary will not be able to
decrypt the traffic without compromising the keys. Even if the conversation
is recorded, it cannot be decrypted without compromising the private keys
at both ends of the conversation, providing 'perfect forward security'.
Of course, one must be careful that the other end is not logging the
conversation as that would store an unencrypted version of the conversation
on the hard drive of the logger.
ScatterChat seems to have a well thought out architecture and philosophy.
Users are not allowed to choose encryption methods, key lengths or any of
the other technical parameters that often accompany encryption tools. The
choices made by the ScatterChat developers are very strong (2048-bit El Gamal
public/private key with 256-bit AES symmetric encryption) and removing those
kinds of choices makes it a much simpler solution to deploy for non-technical
users. The developers also have chosen to use existing encryption code
(libgcrypt) rather than creating yet another encryption library that needs
to be audited.
ScatterChat is targeted for human rights activists and dissidents who may
be communicating through internet servers that are or can be subverted by
oppressive governments. It may also be useful for those living in
supposedly free countries whose governments have recently determined that
spying on its citizens leads to better national security. A
great deal of communication of a sensitive nature is done via IM these days
and companies may wish to use this tool to secure chats between their
employees to protect trade secrets and the like. Many IM users will not
have any need for the capabilities provided by ScatterChat, as the NSA is
probably uninterested in teenage dating gossip and the like, but for those
who do, ScatterChat is an essential tool.
Comments (9 posted)
