Thread: Trillian Secure IM

Trillian Secure IM | Canada | 2007-10-07 23:15:31
Hi,

I've been poking around Oscar (ICQ/AIM) protocol parsing and had a look at Trillian's SecureIM handshake protocol.

For those who don't know, Trillian is a very popular multi-protocol instant messaging application for Windows. One of its notable features, for which it got some rave/positive reviews, is an ability to encrypt ICQ/AIM IMs exchanged by two Trillian instances. AOL made repeated attempts to block SecureIM, but eventually stopped them [1].

The protocol is closed, but it was reverse engineered by some guys over at GAIM project. It appeared to be a Blowfish encryption of bulk IMs using a key derived from an anonymous DH exchange [2]. This was also indirectly confirmed by another project [3].

Leaving aside the lack of authentication and replay protection, here's what is even more striking -

SecureIM handshake between two version 3.1 (latest) clients takes about .. 48 bytes. That's altogether, 32 bytes in one direction, and 16 in another. And that's between the clients that have never talked to each other before, so there's no "session resuming" business happening.

If that's DH exchange, then it's 128 bit one. Fertile ground for some interesting speculation, don't you think ?

Alex

[1] http://en.wikipedia.org/wiki/Trillian_%28instant_messenger%29#Entry_into_mainstream_and_the_.22IM_Wars.22
[2] http://sourceforge.net/tracker/download.php?group_id=235&atid=300235&file_id=56799&aid=777300
[3] http://code.google.com/p/joscar/wiki/TrillianSecureIm

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomo metzdowd.com

Re: Trillian Secure IM | Australia | 2007-10-08 07:48:28

> If that's DH exchange, then it's 128 bit one. Fertile ground
> for some interesting speculation, don't you think ?

There is no speculation. It is 128-bit DH.

I have reported over three years ago to the Trillian forum that they are using 128-bit DH and that it is not secure. You can look up my messages about it and how much I got abused for it by everyone trying to explain to me that 1) it IS secure and 2) no one cares anyway. They did not change it since then although they promised to. I'd also made an open-source replacement DLL back then with 512-bit ECDH, which also supported their 128-bit DH clients if they initiated secure communication first, but it may have some compatibility issues with later versions of Trillian. It's supposed to display the common key fingerprint, not sure if it works now. Feel free to correct it and to improve it, but Cerulean Studios won't pay for it. It's still on http://cryptolib.com/ruptor/

Marcos el Ruptor

PS: There was also a buffer overflow in their original DLL if you send a very long key. I don't know if they have fixed it or not. I haven't used Trillian since I bought a Mac.

Re: Trillian Secure IM | New Zealand | 2007-10-08 07:17:06

"Alex Pankratov" <ap poneyhot.org> writes:

>SecureIM handshake between two version 3.1 (latest) clients takes about .. 48
>bytes. That's altogether, 32 bytes in one direction, and 16 in another. And
>that's between the clients that have never talked to each other before, so
>there's no "session resuming" business happening.

Or they could be using static/ephemeral DH with fixed shared DH key values, which isn't much better. (This is just speculation, it's hard to tell without knowing what the exchanged quantities are).

Peter.

Re: Trillian Secure IM | United Kingdom | 2007-10-08 10:58:08

Marcos el Ruptor wrote:

>> If that's DH exchange, then it's 128 bit one. Fertile ground
>> for some interesting speculation, don't you think ?
>
> There is no speculation. It is 128-bit DH.
>
> I have reported over three years ago to the Trillian forum that they are
> using 128-bit DH and that it is not secure. You can look up my messages
> about it and how much I got abused for it by everyone trying to explain
> to me that 1) it IS secure and 2) no one cares anyway. They did not
> change it since then although they promised to.

Had a look, but it seems to me they said they wouldn't fix it unless there was an actual, active exploit for it, and my guess would be even then they would just make cosmetic changes to stop that particular instance of an exploit from working..

Re: Trillian Secure IM | Australia | 2007-10-08 08:20:55

I found those threads:

http://forums.ceruleanstudios.com/showthread.php?t=53433
http://forums.ceruleanstudios.com/showthread.php?t=56207

As you can see from the last post in the second thread, ultimately they agreed that 128-bit DH is secure and that I am just some crazy guy trying to scare them.

Ruptor

Re: Trillian Secure IM | United States | 2007-10-08 15:17:40

On Mon, 8 Oct 2007 09:17:48 -0700
"Alex Pankratov" <ap poneyhot.org> wrote:

>
> I am actually curious to see what was the DH modulus size in
> T's versions that were blocked by AOL. Given T's installation
> base, strong SecureIM would've dramatically complicated "lawful
> intercepts", which AOL is probably required to implement.
>

They're not required to decrypt anything unless they're providing the keys. The lawful intercept requirement is to deliver the ciphertext in this case.

--Steve Bellovin, http://www.cs.columbia.edu/~smb