A Protocol for Secure Public Instant Messaging

  • Mohammad Mannan
  • Paul C. van Oorschot
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4107)


Although Instant Messaging (IM) services are now relatively long-standing and very popular as an instant way of communication over the Internet, they have received little attention from the security research community. Despite important differences distinguishing IM from other Internet applications, very few protocols have been designed to address the unique security issues of IM. In light of threats to existing IM networks, we present the Instant Messaging Key Exchange (IMKE) protocol as a step towards secure IM. A discussion of IM threat model assumptions and an analysis of IMKE relative to these using BAN-like logic is also provided. Based on our implementation of IMKE using the Jabber protocol, we provide insights on how IMKE may be integrated with popular IM protocols.


Forward Secrecy Dictionary Attack Instant Messaging Server Instant Messaging System Instant Messaging Client 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armando, A., et al.: The AVISPA tool for the automated validation of Internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, Springer, Heidelberg (2005). Project website, http://www.avispa-project.org CrossRefGoogle Scholar
  2. 2.
    Battistoni, R., Gabrielli, E., Mancini, L.V.: A host intrusion prevention system for Windows operating systems. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, Springer, Heidelberg (2004)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: ACM Symposium on Theory of Computing (STOC 1995) (1995)Google Scholar
  4. 4.
    Bellovin, S., Merritt, M.: Encrypted Key Exchange: Password-based protocols secure against dictionary attacks. In: IEEE Symp. on Security and Privacy (1992)Google Scholar
  5. 5.
    Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: ACM Workshop on Privacy in the Electronic Society (2004)Google Scholar
  6. 6.
    Boyd, C., Mao, W.: On a limitation of BAN logic. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, Springer, Heidelberg (1994)Google Scholar
  7. 7.
    Burrows, M., Abadi, M., Needham, R.: A logic of authentication. In: ACM Symposium on Operating Systems Principles (1989)Google Scholar
  8. 8.
    Cherry, S.M.: IM means business. IEEE Spectrum Online 39, 28–32 (2002)CrossRefGoogle Scholar
  9. 9.
    ComputerWorld staff. Instant Messaging takes financial twist, News article (April 2002), http://www.computerworld.com/
  10. 10.
    Denning, D.E., Sacco, G.M.: Timestamps in key distribution protocols. Comm. ACM 24(8), 533–536 (1981)CrossRefGoogle Scholar
  11. 11.
    Di Crescenzo, G., Ferguson, N., Impagliazzo, R., Jakobsson, M.: How to forget a secret (extended abstract). In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, Springer, Heidelberg (1999)CrossRefGoogle Scholar
  12. 12.
    Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Designs, Codes and Cryptography 2(2), 107–125 (1992)CrossRefMathSciNetGoogle Scholar
  13. 13.
    Gong, L., Lomas, M.A., Needham, R.M., Saltzer, J.H.: Protecting poorly chosen secrets from guessing attacks. IEEE Selected Areas in Comm. 11(5) (1993)Google Scholar
  14. 14.
    Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Transactions on Information and Systems Security 2(3), 230–268 (1999)CrossRefGoogle Scholar
  15. 15.
    IT Strategy Center Staff. The coming IM threat, News article (May 2005), http://www.itstrategycenter.com/itworld/Threat/viruses/coming_im_threat
  16. 16.
    Kikuchi, H., Tada, M., Nakanishi, S.: Secure Instant Messaging protocol preserving confidentiality against administrator. In: Advanced Information Networking and Applications (AINA 2004) (2004)Google Scholar
  17. 17.
    Koblitz, N., Menezes, A.: Another look at provable security. Journal of Cryptology (to appear, 2006)Google Scholar
  18. 18.
    Kwon, T.: Practical authenticated key agreement using passwords. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28(2) (2003)Google Scholar
  20. 20.
    MacKenzie, P.D., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on RSA. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, Springer, Heidelberg (2000)CrossRefGoogle Scholar
  21. 21.
    Mannan, M., van Oorschot, P.C.: Secure public Instant Messaging: A survey. In: Privacy, Security and Trust (PST 2004) (2004)Google Scholar
  22. 22.
    Mannan, M., van Oorschot, P.C.: On Instant Messaging worms, analysis and countermeasures. In: ACM Workshop on Rapid Malcode (WORM 2005) (2005)Google Scholar
  23. 23.
    Mannan, M., van Oorschot, P.C.: A protocol for secure public Instant Messaging (extended version). Technical Report TR-06-01 (January 2006)Google Scholar
  24. 24.
    Menezes, A., van Oorschot, P.C., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  25. 25.
    Open Source. Gaim-e, http://gaim-e.sourceforge.net/
  26. 26.
    Padmanabhan, V.N., Subramanian, L.: An investigation of geographic mapping techniques for Internet hosts. ACM Computer Comm. Review 31(4) (2001)Google Scholar
  27. 27.
    Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: ACM Computer and Communications Security (2002)Google Scholar
  28. 28.
    Riikonen, P.: Secure Internet Live Conferencing (SILC), protocol specification, Internet-Draft (February 2004), http://www.silcnet.org/docs/draft-riikonen-silc-spec-08.txt
  29. 29.
    Rivest, R.L., Shamir, A.: How to expose an eavesdropper. Comm. ACM 27(4), 393–394 (1984)CrossRefGoogle Scholar
  30. 30.
    Saint-Andre, P.: Extensible messaging and presence protocol (XMPP): Core, RFC 3920, Status: Standards Track (October 2004), http://www.ietf.org/rfc/rfc3920.txt
  31. 31.
    SecurityPark.net Staff. Instant messaging: communications godsend or security back door (July 2005), new article http://www.securitypark.co.uk/
  32. 32.
    Shamir, A., van Someren, N.: Playing hide and seek with stored keys. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mohammad Mannan
    • 1
  • Paul C. van Oorschot
    • 1
  1. 1.School of Computer ScienceCarleton UniversityOttawaCanada

Personalised recommendations