Recently many companies have started adding IM communication to their security policies. It makes sense, since everything you type in that chat window to your buddy flies over the network in clear text. That does not sound too bad, you think, but what it really means is that if anybody wanted to see what you are talking about with your colleague, or even with your wife, s/he can do so easily by reading your network packets – which is a very easy thing to do nowadays.
Another example could be a client whose policy is to monitor all incoming/outgoing network requests, when you want to talk over IM to your colleague about something that you do not want your client to see.
Below I’ll show you how to secure your IM communication with SimpServer: http://www.secway.fr/us/products/simpserver/ on Unix client/server boxes. I am going to use Ubuntu here as an example, but it should work for most if not all Unix flavours.
1. Get the SimpServer.
According to the link above, “SimpServer is currently beta software and is free for any use”, so let’s get it for free from here:
wget http://download.secway.com/public/products/simpserver/simpserver-2.1.5c-linux-x86.tgz
2. Install the SimpServer.
Before untarring it, let’s make sure the standard C++ libraries that SimpServer uses are installed:
sudo apt-get install libstdc++5
Now let’s untar it and move it to “/usr/local” – that is where it will search for its binary files, so make sure you do that:
tar -xvzf simpserver-2.1.5c-linux-x86.tgz
sudo mv simp/ /usr/local/
Go to “/usr/local/simp/bin/”, and run the SimpServer:
cd /usr/local/simp/bin/
./simpserver
----------------------------------------------------------------------------------
SimpServer Linux 2.2.1.5c - (c) Copyright Secway 2000-2005
All rights reserved
Visit http://www.secway.com/products/simpserver/ for updates.
Visit http://www.secway.com/support/ for support.
MSN Service on 0.0.0.0:11863, mode 1
MSN Service on 0.0.0.0:1863, mode 0
AIM Service on 0.0.0.0:15191, mode 1
ICQ Service on 0.0.0.0:15190, mode 1
YAHOO Service on 0.0.0.0:15050, mode 1
Admin Service on 127.0.0.1:10023, mode 0
----------------------------------------------------------------------------------
If there are any problems, grab the simpserver version that is offered here: http://www.secway.fr/us/products/simpserver/download.php
3. Configure the SimpServer.
While SimpServer is running, telnet to it (port 10023). The default “username/password” is “admin/admin”:
$ telnet localhost 10023
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SimpServer Linux 2.2.1.5c - (c) Copyright Secway 2000-2005
All rights reserved
Visit http://www.secway.com/products/simpserver/ for updates.
Visit http://www.secway.com/support/ for support.
Login: admin
Password: admin
Let’s see what it is capable of by asking for “help”:
> help
SimpServer Linux 2.2.1.5c - (c) Copyright Secway 2000-2005
All rights reserved
Visit http://www.secway.com/products/simpserver/ for updates.
Visit http://www.secway.com/support/ for support.
?, help print this help
list, list_keys [all, public, private]
generate, generate_private_key [-e<account>] [-s<service>] [-c<cipher>] [-b<size>] [-n<name>] [-p<password>]
load, load_private_key -i<keyid> [-e<account>] [-s<service>] [-c<cipher>] [-p<password>]
unload, unload_private_key -i<keyid> [-e<account>] [-s<service>] [-c<cipher>]
change, change_password -i<keyid> [-e<account>] [-s<service>] [-c<cipher>] [-o<old_password>] [-p<new_password>]
delete, delete_key -i<keyid> [-e<account>] [-s<service>] [-c<cipher>] [-force] [-pendinf]
accept, accept_pending_key -i<keyid> [-e<account>] [-s<service>] [-c<cipher>]
quit, exit exit
4. Create private/public certificates.
Notice that the “list” command, from the above help, shows all/public/private keys, including your own public/private key pair and the keys of all the IM buddies that you are talking to.
Let’s try to see what keys we have right away (without doing anything yet):
> list
Prv Loaded KeyId SHA-1 fingerprint Date Type Srv Name
--------------------------------------------------------------------------------------------------------------------
As you can see, we have no keys – because for now we have neither “secure/encrypted” IM buddies, nor our public/private key pair.
Hence, start by running the “generate” command, which will create the key pair that will be used:
> generate
generating the new key pair, please wait... done!
new key: 278dc025d92cdbc4 b14e 7b16 6415 e88f 2a67 2fe6 2e31 579b 580e 1a89 2008-10-16 RSA-2048 [admin] KeyPair
Now let’s “list” the keys again:
> list
Prv Loaded KeyId SHA-1 fingerprint Date Type Srv Name
--------------------------------------------------------------------------------------------------------------------
Yes Yes 278dc025d92cdbc4 b14e 7b16 6415 e88f 2a67 2fe6 2e31 579b 580e 1a89 2008-10-16 RSA-2048 * [admin] KeyPair
Perfect – you have your own “KeyPair”, which will be used to authenticate and encrypt communication from your IM buddies.
5. Connect IM clients to the SimpServer.
Next, let’s connect to our SimpPro / SimpLight / etc. IM buddies. Here is an example of how to configure “Pidgin” to use a SimpServer:
For example, you’d like your work AIM account to “follow the company standards” and use encryption via SimpServer. Here is what you should do:
Go to "Accounts" -> (Choose your AIM account) "Edit Account" -> "Advanced"
Choose "SOCKS4" in "Proxy Options"
type "127.0.0.1" in Host
type "15191" in Port
Why “127.0.0.1”? Because you have started the SimpServer on your local box. By the way, you can start the server on one box, and use it from many other PCs by entering the IP address of that box in the “Host” field of the proxy settings for the account in your IM client.
Why “15191”? Let’s look at the server output once again:
MSN Service on 0.0.0.0:11863, mode 1
MSN Service on 0.0.0.0:1863, mode 0
AIM Service on 0.0.0.0:15191, mode 1
ICQ Service on 0.0.0.0:15190, mode 1
YAHOO Service on 0.0.0.0:15050, mode 1
Admin Service on 127.0.0.1:10023, mode 0
We see that “AIM Service” listens on the port “15191”.
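Every IM proxy in that banner is bound to 0.0.0.0, which is what allows other PCs to use the box, while the admin console, which accepts the default admin/admin login, is bound to 127.0.0.1. The following is an added example, not part of the original post or of SimpServer: it parses the banner and reports which listeners are reachable from other hosts (function names are illustrative, and the banner text is copied from the output above).

```python
import ipaddress
import re

# Constructed input: the startup banner lines as shown on this page.
BANNER = """\
MSN Service on 0.0.0.0:11863, mode 1
MSN Service on 0.0.0.0:1863, mode 0
AIM Service on 0.0.0.0:15191, mode 1
ICQ Service on 0.0.0.0:15190, mode 1
YAHOO Service on 0.0.0.0:15050, mode 1
Admin Service on 127.0.0.1:10023, mode 0
"""

LISTENER = re.compile(
    r"^(\w+) Service on (\d{1,3}(?:\.\d{1,3}){3}):(\d+), mode (\d+)$"
)

def parse_banner(text):
    """Return (service, address, port, mode) for every listener line."""
    listeners = []
    for line in text.splitlines():
        m = LISTENER.match(line.strip())
        if m:
            addr = ipaddress.ip_address(m.group(2))
            listeners.append((m.group(1), addr, int(m.group(3)), int(m.group(4))))
    return listeners

def audit(listeners):
    """Split listeners into loopback-only and network-reachable ones.

    An Admin listener outside loopback is reported separately, because the
    console manages the key store and ships with a default login.
    """
    local = [l for l in listeners if l[1].is_loopback]
    exposed = [l for l in listeners if not l[1].is_loopback]
    findings = []
    for service, addr, port, _mode in exposed:
        if service == "Admin":
            findings.append(f"Admin console exposed on {addr}:{port}")
        else:
            findings.append(f"{service} proxy reachable from other hosts on port {port}")
    return local, exposed, findings

if __name__ == "__main__":
    for finding in audit(parse_banner(BANNER))[2]:
        print(finding)
```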
6. Start using the SimpServer with your IM client(s).
Now when you send an IM to anybody who runs SimpPro / SimpLight / or just a Simp Server, they will get a pop-up asking them to accept your message. After they accept it, your public key (one of the keys that was generated by the “generate” command) will be added to their Simp database. The same thing will happen when they ping you or respond to your encrypted IM message – their public key will be added to the SimpServer.
Here is an example of what happens initially, when a new “Simp-Oriented” buddy pings you:
(2008-10-16 15:16:09) BuddyName: *** (*) SimpServer Linux 2.2.1.5c - Encrypted and Authenticated (*) ***
(2008-10-16 15:16:09) BuddyName: Hey, that is cool - so now our messages are encrypted...!
And now you can go back to your “telnet” session and “list” the keys again:
> list
Prv Loaded KeyId SHA-1 fingerprint Date Type Srv Name
--------------------------------------------------------------------------------------------------------------------
Yes Yes 278dc025d92cdbc4 b14e 7b16 6415 e88f 2a67 2fe6 2e31 579b 580e 1a89 2008-10-16 RSA-2048 * [admin] KeyPair
No N/A 0f2292a9d40c2f90 ab1d 6f78 6bff a03e 892a 34df 2b3a 26e7 16ff cbb9 2008-10-16 RSA-2048 AIM <buddy1Name>
No N/A 62f02d7e858e0139 c315 616f 8518 d9c8 9827 e4c4 d8b4 2448 06f7 4278 2008-10-16 RSA-2048 AIM <buddy2Name>
Notice that now you have your own “KeyPair”, a public key for “Buddy1Name”, and a public key for “Buddy2Name”.
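A buddy’s key is stored as soon as the pop-up is accepted, so the SHA-1 fingerprint column is what ties each key to a person. The following is an added example, not part of the original post or of SimpServer: it parses “list” output in the layout shown above and compares each buddy fingerprint with one received from that buddy over another channel (the `expected` mapping and the function names are assumptions for illustration).

```python
import re

# Constructed sample: `list` output in the layout shown above (rows taken from this page).
SAMPLE_LIST = """\
Prv Loaded KeyId SHA-1 fingerprint Date Type Srv Name
--------------------------------------------------------------------
Yes Yes 278dc025d92cdbc4 b14e 7b16 6415 e88f 2a67 2fe6 2e31 579b 580e 1a89 2008-10-16 RSA-2048 * [admin] KeyPair
No N/A 0f2292a9d40c2f90 ab1d 6f78 6bff a03e 892a 34df 2b3a 26e7 16ff cbb9 2008-10-16 RSA-2048 AIM <buddy1Name>
No N/A 62f02d7e858e0139 c315 616f 8518 d9c8 9827 e4c4 d8b4 2448 06f7 4278 2008-10-16 RSA-2048 AIM <buddy2Name>
"""

ROW = re.compile(
    r"^(?P<prv>Yes|No)\s+(?P<loaded>Yes|No|N/A)\s+(?P<keyid>[0-9a-f]{16})\s+"
    r"(?P<fpr>(?:[0-9a-f]{4}\s+){9}[0-9a-f]{4})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<type>\S+)\s+(?P<srv>\S+)\s+(?P<name>.+)$"
)

def normalize(fpr):
    """Drop spaces and colons and lowercase, so differently formatted copies compare equal."""
    return re.sub(r"[\s:]", "", fpr).lower()

def parse_list(text):
    """Return one dict per key row; header and separator lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["fpr"] = normalize(row["fpr"])
            keys.append(row)
    return keys

def check_buddies(keys, expected):
    """expected maps buddy name -> fingerprint received out-of-band (hypothetical input).
    Returns {keyid: (name, status)}; keying by KeyId keeps a second key for a name visible."""
    report = {}
    for k in keys:
        if k["prv"] == "Yes":          # our own key pair, nothing to compare
            continue
        want = expected.get(k["name"])
        if want is None:
            status = "unverified"      # accepted through the pop-up only
        elif normalize(want) == k["fpr"]:
            status = "match"
        else:
            status = "MISMATCH"        # stored key differs from the out-of-band value
        report[k["keyid"]] = (k["name"], status)
    return report
```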
Happy Secure IMing, and don’t abuse your secrecy :)