Message encodings (note, not encodings for MACs or IVs, just plaintext to ciphertext or ciphertext to plaintext) need to be changed from Latin1 to Utf8. This is because Latin1 does not support sending and receiving messages in say, Arabic script.

Example:

encryptAES = function (msg, c, iv) {
    var opts = {
        mode: CryptoJS.mode.CTR,
        iv: CryptoJS.enc.Latin1.parse(iv),
        padding: CryptoJS.pad.NoPadding
    }
    var aesctr = CryptoJS.AES.encrypt (
        CryptoJS.enc.Latin1.parse(msg),
        CryptoJS.enc.Hex.parse(c),
        opts
    )
    return aesctr.toString();
}

decryptAES = function (msg, c, iv) {
    msg = CryptoJS.enc.Base64.parse(msg);
    var opts = {
        mode: CryptoJS.mode.CTR,
        iv: CryptoJS.enc.Latin1.parse(iv),
        padding: CryptoJS.pad.NoPadding
    }
    var aesctr = CryptoJS.AES.decrypt(
        CryptoJS.enc.Base64.stringify(msg),
        CryptoJS.enc.Hex.parse(c),
        opts
    )
    return aesctr.toString(CryptoJS.enc.Latin1);
}

Change to:

encryptAES = function (msg, c, iv) {
    var opts = {
        mode: CryptoJS.mode.CTR,
        iv: CryptoJS.enc.Latin1.parse(iv),
        padding: CryptoJS.pad.NoPadding
    }
    var aesctr = CryptoJS.AES.encrypt (
        CryptoJS.enc.Utf8.parse(msg),
        CryptoJS.enc.Hex.parse(c),
        opts
    )
    return aesctr.toString();
}

decryptAES = function (msg, c, iv) {
    msg = CryptoJS.enc.Base64.parse(msg);
    var opts = {
        mode: CryptoJS.mode.CTR,
        iv: CryptoJS.enc.Latin1.parse(iv),
        padding: CryptoJS.pad.NoPadding
    }
    var aesctr = CryptoJS.AES.decrypt(
        CryptoJS.enc.Base64.stringify(msg),
        CryptoJS.enc.Hex.parse(c),
        opts
    )
    return aesctr.toString(CryptoJS.enc.Utf8);
}

I'm ready to submit a patch ASAP if you'd like me to. I've already modified this for my local copy of otr.js and it did solve the problem where I couldn't send Arabic messages.

Can't get this work on Firefox (20.0). If only I include biging.js like this

<script src="js/salsa20.js"></script>
<script src="js/crypto.js"></script>
<script src="js/bigint.js"></script>

it says throw new Error('Keys should not be generated without CSPRNG.')
Further usage is impossible because if only I try to call DSA constructor I'll get BigInt is undefined and DSA is not a constructor

• Send less informative erros to avoid error code distinguishing attacks.
• Consider reseeding occasionally to replenish depleted entropy.
• SMP api needs to be fleshed out ... also, verify that the correct SSID is used.
• Switch to an evented model
• Import long lived keys from adium / pidgin

Since WebCrypto API is starting to show up in browsers, I'd like to request that it be used instead of CryptoJS when available (similar to the way OpenPGP.js is doing it[1]).

Has this implementation undergone a crypto audit?

Thanks.

See the Key Management section in both Protocol v3 and v2.

Upon completing the AKE:
If the specified keyid equals either their_keyid or their_keyid-1, and the DH pubkey contained in the AKE messages matches the one you've stored for that keyid, that's great. Otherwise, forget all values of their_y[], and of their_keyid, and set their_keyid to the keyid value given in the AKE messages, and their_y[their_keyid] to the DH pubkey value given in the AKE messages. their_y[their_keyid-1] should be set to NULL.

In ake.js:126, you check for keyid match with the existing OTR object, but you don't seem to look at the OTR object's public key to check the second condition ("the DH pubkey contained in the AKE messages matches the one you've stored for that keyid") anywhere. So if the public keys don't match, but the keyids do, the library fails to replace the keys, and you end up with a situation where A and B have different ideas of what key to use.

This is causing issues for me with chats where A drops silently, and B stays on, and then A is reinstantiated, reAKEs with B, and then tries to chat (messages after that AKE succeeds have mismatched MACs).

:D

Are there any way to define whether received text encrypted or not? In my application no all messages will be encrypted so I need a way to define this...

DSA class can export public key as string and parse it back.
That should be possible for private key too. Users of the library could then easily export the long-lived key, e.g. encrypt it with a passphrase and store in HTML5 local storage or on a server. On the next session, the same key could be recovered.

Will this be evaluated by security researchers? I'm interested in using this for some projects, but I don't know how to test for effectiveness.

For example, HLP.twotothe at https://github.com/arlolra/otr/blob/master/lib/helpers.js#L185 depends on the representation in BigInt.js being a little-endian array of words (and on how signedness is represented). Is this intended, and is it a good idea?

(Note that the otr.js 2.6 implementation of HLP.twotothe did not depend on the representation. I haven't checked other HLP functions.)

After OTR.CONST.STATUS_END_OTR triggered, otr sends some more packages so it is not actually the moment when otr ended.

In my case I use XMPP to deliver messages and when disconnecting I have to first run otr.endOtr() and wait until it stop sending any messages and only then run disconnection routine.

So if I put xmpp.disconnect() in OTR.CONST.STATUS_END_OTR handler it would case error because xmpp would be disconnected but otr would try to send few more packages. And this is the problem.

Maybe?

The constant time comparison function will return false faster if the two inputs are not equal length[1]. I'm not sure it's a security risk, but Defensive JS has a constant time comparison function that is still constant time even with different input lengths[2].

AES, SHA256, SHA1, etc. should all just be called off of CryptoJS

Cryptocat uses otr.js, while replacing seedrandom.js. We do this because Math.seedrandom() relies on an RC4 RNG, which is considered deprecated.

Instead, we rely on salsa20.js, which is seedable in a similar fashion to seedrandom.js (except it takes a byte array instead of a string,) but returns a faster and more secure CSPRNG.

If you're okay with this, Arlo, I'd like to submit a pull request in the near future that replaces seedrandom.js with salsa20.js. I will also include the necessary functions for otr.js to interface with and seed salsa20.js.

I was wondering if it's possible, and if yes, if there are any plans to support Axolotl Ratchet. I think async apps like LoquiIM can greatly benefit from this. It's also being used (and sort of invented) by TextSecure.

See also: https://whispersystems.org/blog/advanced-ratcheting/

Implement to spec.

Does it make sense to pad messages so that the encrypted message cannot be guessed by length? Or is otr taking care of this?

This line causes the following error upon successful authentication:

Uncaught TypeError: Cannot read property 'worker' of null

While this does not crash or break anything to my knowledge, it should still probably be fixed.

If we receive a data message and our msgstate is plaintext we should receive an error:

https://github.com/arlolra/otr/blob/master/lib/otr.js#L396

if (this.msgstate !== CONST.MSGSTATE_ENCRYPTED || msg.length !== 8) {
   if (!ign) this.error('Received an unreadable encrypted message.', true)
   return
}

But the message will be ignored at https://github.com/arlolra/otr/blob/master/lib/otr.js#L595

if ( msg.version === CONST.OTR_VERSION_3 &&
   this.checkInstanceTags(msg.instance_tags)
) return  // ignore

A diff seems to show them as identical apart from the presence of the vendor/cryptojs directory.

Verify that the message length doesn't exceed the 8 byte chunk counter available in the AES IVs.

1. OTR should send fragments:
   AssertionError: Message state unencrypted. Msg: MACs do not match.

Introduced in a726c96

is there a way to manage sessions? I have the following scenario:

User A and User B are talking
User B falls off a cliff
User B gets back online, but has different instance tags so User A ignores him.

One way of solving this:

User A's OTR instance can notify it about query messages, e.g. via an event 'query'. Then User A can create a new OTR instance to respond to that new connection

Do you know of a better way?

EDIT: skimmed over OTR spec...it's long :) Here's another option I see, though I'm not sure I see confirmation in the spec:

When receiving a "query" message, if you already know the other party's instance tags, then in addition to re-initializing AKE, like the code already does, reset this.their_instance_tag. Otherwise continuing with AKE has no chance of succeeding.

EDIT: oof, another obvious solution is having persistent instance tags. But if for the sake of argument you don't use persistent instance tags?

If I try to send a smp request without a question, it send "undefined" as question.

otr_object.smpSecret("secret")

I think this problem is related to line 529 from otr.js.

question = CryptoJS.enc.Utf8.parse(question).toString(CryptoJS.enc.Latin1)

Workaround:

otr_object.smpSecret("secret", "")

Is there any chance for you to join to @omemo and experiment with OMEMO.js?

It would be quite a challenge, since OMEMO is Device Trusted.

With OMEMO you no longer trust user identities but device identities. If you are communicating with a contact for the first time or if that contact recently got a new device, you will be presented with a fingerprint for that device. You can then either verify that fingerprint out of band (for example via a quick phone call) or, if you are reasonably sure that your transport is secure (for instance if you are chatting on the same, trusted server), you can choose to trust a device on first use. If you have trusted devices of your contact in the past you can also use those devices as a secure channel to verify the fingerprint of a new device by having your contact verify the fingerprint via chat.

Read more at https://conversations.im/omemo/

I want to implement XEP-0184 (received notifications) and for that reason I have to attach an unique id to a sending message and bind it to the plaintext message. Now the problem, how can I do this with the current implementation?

{msg: "foo", id: "bar"}  -----> OTR.sendMsg()  -----> build xml stanza with id

Because I think there is no working solution, I added an extra parameter to the sendMsg method which will be passed through to the io event handler. What do you think about that? Are you interested in a pr?

Regards,
Klaus

According to the OTR protocol, keys should be securely erased from memory (not just dereferenced, or zeroed once) after they are used. Does this package do that? I couldn't find evidence in the source code.

AKE should be documented in README.md as a necessary step, since exchanging encrypted messages is impossible without doing AKE first. If anyone could point me to some test AKE code, I can handle the documentation myself.

Math.random cannot be relied upon for cryptographic purposes.

Currently, the much stronger window.crypto.getRandomValues(), relying on OS-level entropy, is only implemented in Chrome >= 11.0 and Safari >= 3.1
https://developer.mozilla.org/en-US/docs/DOM/window.crypto.getRandomValues

A stronger pure-js PRNG has been developed, which is meant as a drop-in replacement for Math.random:
http://baagoe.org/en/w/index.php/Better_random_numbers_for_javascript

window.crypto is preferred, but Alea can be used as a fallback

I think we should remove the line https://github.com/arlolra/otr/blob/master/lib/otr.js#L390, because with the new status trigger we don't need this anymore.

first of all, thanks for the wonderful library!

I think it would be easier to use if it didn't bundle all of its dependencies. Can you replace them with the ones from npm? crypto-js and events, not sure about bigint, maybe this one. I tried replacing crypto and works just fine, but it'd obviously require a bunch of other changes in gruntfile, dsa-webworker, etc. What do you think?

All the message for SM and AKE need to be joined and base64 encoded with (CryptoJS.enc.Latin1.parse()).toString(CryptoJS.enc.base64) and then formed into otr messages ('?OTR:' + b64 + '.'), and then unpackaged on the other side. There's an order in the spec.

For the SM, BigInts need to be HLP.packMPI'd first.

Right now, messages are just passed with JSON.

Opera gets stuck at new DSA() with the thread locked at 100% CPU indefinitely. Not sure why.

It seems that OTR fingerprints sometimes do not match (even when there is no MITM). This seems to happen randomly. It does not happen every time.

Scenario: Two people join Cryptocat

Person A sees his own fingerprint as: ABC123
Person B sees person A's fingerprint as: BBB222

This is a real security issue, please investigate. I'm investigating too right now.

Converse.js user is saying that message fragmentation is preventing initiation. They claim to have tried with several clients, including a nightly Jitsi, which should have an otr4j that implements it. Pidgin seems to be the only one working for them, which makes sense because we test against libotr.

Implement to spec.

N.B. Receiving message fragments is already handled. This is just for outgoing messages.

https://github.com/arlolra/otr/blob/master/vendor/bigint.js#L206 has the following code:

for (bpe = 0; (1<<(bpe+1)) > (1<<bpe); bpe++);  // bpe = number of bits in the mantissa on this platform
bpe>>=1; // bpe = number of bits in one element of the array representing the bigInt

From the comments, the author appears to expect bpe to end up as half of the number of significant bits in a floating point mantissa or fraction, rounded down. It does not; it ends up as 15.

Explanation:

The number of significant bits in the fraction (the correct term used in IEEE) of a JavaScript floating-point number is 52, independent of platform. (Whether you can actually use all the bits depends on some corner cases and I won't make any claims about that here.)

The code above calculates bpe = 30 in the first line. This is because the left-shift operator treats its left argument as a signed 32-bit integer, as per section 11.7.1 of the ECMAScript 5.1 spec. http://www.ecma-international.org/ecma-262/5.1/ . That is, 1<<(bpe+1) overflows to negative at bpe = 30. It then calculates bpe = 15 in the second line.

This does not affect correctness but it does make the representation unnecessarily inefficient, and in any case the comment is wrong.

I am looking for a nice XMPP client that I can use via a web browser that supports OTR. This library looks like a good solution. Are there any implementations already available that rely on it?

publishing v0.2.11 to the npm registry failed. putting this here so I don't forget to try again

I wanna encrypt a string "hai" and decrypt it using otr with out any protocol like xmpp, smp etc.,
is it possible?
plz suggest me...

Not sure how this should be addressed yet.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf

There's a discussion on the OTR mailing list which further confuses the matter.
http://www.cypherpunks.ca/pipermail/otr-dev/2006-March/000515.html

https://github.com/arlolra/otr/blob/c333ce308a19c9f3bd2fb3dd6b717f8d6417c99e/dsa.js#L97-138

There are ways to speed it up at: http://www.itl.nist.gov/fipspubs/fip186.htm

I'm trying to create a chat application using Titanium appcelerator for iOS. For that i have implemented OTR.JS in my node js application. That works fine, But now i want to implement OTR.JS in Titanium Appcelator.

I searching modules in Titanium Appcelator to implement OTR for my application. But I can't found any solution for this.

So can anyone clarify me, To use OTR.JS in my Titanium Appcelator Application. If there is any example, please suggest me.

Make a build for the browser that packages up all the otr files.

After AKE, if both users simultaneously attempt to run SMP, system will abort both. Can share example code if needed.