Improving Instant Messaging - PowerPoint PPT Presentation

Slides: 18
Provided by: kimberl54
1
Improving Instant Messaging
  • By Boris Kurktchiev and Kimberly Yonce

2
Project Description
  • Our project analyzes instant messaging and its
    various vulnerabilities and flaws.
  • We propose ways in which to counter those
    vulnerabilities by the use of Transport Layer
    Security (TLS) and Single Packet Authorization
    (SPA).
  • We show that although the simultaneous use of TLS
    and SPA can increase network traffic, the gains
    in terms of user and server security make the
    task worthwhile.

3
Current Instant Messenger Usage
  • There are many free public domain instant
    messaging services.
  • The most popular ones are AIM, ICQ, MSN
    Messenger, and Yahoo! Messenger.
  • Today there are over 200 million active IM users
    across all the popular IM networks, with over 1
    billion users being actually registered with all
    the networks.

4
Problems with Current Solutions
  • OSCAR (ICQ)

5
Problems Continued
  • From the packet below and the unofficial ICQ
    specification we know that the password is
    located after the fourth byte following the User
    Identification Number.

6
Yahoo Protocol (Continued)
  • Yahoo Protocol
  • Uses MD5 hashing to protect the user's password;
    however, a lot of information is still revealed.

7
MSN Messenger (Continued)
  • MSN Messenger
  • Microsoft made TLS communication mandatory in
    their latest protocol release.
  • MSN users are still vulnerable since the
    protocol's specification calls for a lot of
    connection opening and closing to different
    servers and services in order to authenticate and
    establish conversation connections.
  • This means that at the very least an attacker
    will be able to get the IP address of a user.

8
Related Works
  • There are many papers that describe the problems
    and vulnerabilities of current IM solutions.
  • However, there are few papers offering solutions
    to those problems.
  • Stefan Savage's paper, published at the ACM WORM
    '03 workshop (2003)

9
More Related Works
  • From "Instant Insecurity: Security Issues of
    Instant Messaging" we gained a more in-depth look
    at how IM is being used in the corporate world to
    increase productivity rather than hinder it.

10
Influence of Related Works
  • Based on these articles we decided we needed to
    use flexible technologies in order to create
    better IM communication.
  • We settled on Transport Layer Security (TLS).
  • However, we also saw the need to use an extra
    layer of authentication that is less common than
    the username/password approach.
  • Based on a thesis written by Sebastien Jeanquier
    at the University of London we settled on using
    Single Packet Authorization (SPA).

11
Why TLS?
  • It allows client/server applications to
    communicate in a way designed to prevent
    eavesdropping, tampering, and message forgery.
  • It provides the client with endpoint
    authentication and communication privacy over
    the Internet using cryptography.
  • Typically, TLS is used for server authentication.
    This means that the identity of the server is
    ensured, allowing an application to know who it
    is talking to.

12
Why SPA?
  • Protocol independent: it can be implemented over
    any network protocol, e.g. TCP or UDP.
  • Built-in symmetric encryption, with planned
    support for GPG key rings.
  • Built-in replay attack defense mechanisms.
  • Costs a client only a single packet to be
    authenticated to the system.
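The replay defense and single-packet cost listed above, shown as an added Python example that is not the authors' code and does not reproduce the exact packet format of Jeanquier's thesis: the client builds one packet (random nonce, timestamp, username, HMAC tag) and the server accepts each packet once, within a time window. The shared key and window size are constructed values, and the encryption layer the slides mention is omitted so that only authentication and replay rejection are shown.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo values; a real deployment distributes the key out of band.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
WINDOW_SECONDS = 120   # how far a packet timestamp may drift from server time
NONCE_LEN = 16
TAG_LEN = 32           # HMAC-SHA256 output length


def build_spa_packet(username, key, now=None):
    """Client side: nonce || big-endian timestamp || username, then an HMAC tag."""
    ts = int(time.time() if now is None else now)
    body = os.urandom(NONCE_LEN) + struct.pack(">Q", ts) + username.encode("utf-8")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaVerifier:
    """Server side: accept a packet once, inside the window, only if its tag checks."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # sha256(packet) -> time after which the entry can be forgotten

    def verify(self, packet, now=None):
        """Return the authenticated username, or None if the packet is rejected."""
        now = time.time() if now is None else now
        if len(packet) < NONCE_LEN + 8 + 1 + TAG_LEN:
            return None                                   # malformed
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged, tampered, or wrong key
        ts = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + 8])[0]
        if abs(now - ts) > self.window:
            return None                                   # stale: outside the replay window
        # Forget cache entries whose timestamp could no longer pass the window check.
        self.seen = {d: exp for d, exp in self.seen.items() if exp > now}
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return None                                   # exact replay of an accepted packet
        self.seen[digest] = ts + self.window
        return body[NONCE_LEN + 8:].decode("utf-8")
```

The cache only needs to remember packets for one window, since anything older is rejected by the timestamp check before the cache is consulted.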

13
Our Proposed Approach
  • First Step of Initiating Communication

14
Our Approach Continued
  • Second step of initiating communication

15
Certificate Used in our Implementation
  • A client-side generated anonymous certificate
    using the Diffie-Hellman key exchange with 128-bit
    AES encryption and SHA-1 as the hashing function.
  • TLS_DH_anon_WITH_AES_128_CBC_SHA
  • The reason for using this ciphersuite is the speed
    and optimization of the protocol.
  • Note that the DH_anon key exchange authenticates
    neither endpoint, so this suite protects only
    against passive eavesdropping; the server
    authentication described under "Why TLS?" does
    not apply to it.

16
Usernames in our Implementation
  • Finally, the protocol does not allow duplicate
    usernames to be used on the network.
  • Therefore, if two clients have the same name then
    both clients are going to be disconnected from
    the network.

17
Conclusion
  • We have shown how insecure the current instant
    messaging protocols are and how they disclose
    information about the user whether the user wants
    it or not.
  • We have argued that the simultaneous use of TLS
    and SPA provides a more secure protocol which
    uses available technologies to assure the user's
    identity and security, user satisfaction, and
    server protection.
  • All of this has been achieved using Transport
    Layer Security, Single Packet Authorization and
    the Java language.