BIM 1.0
BIM 1.0 Ranking & Summary
File size: 0.61 MB
Platform: Any Platform
License: GPL (GNU General Public License)
Price:
Downloads: 1221
Date added: 2006-06-24
Publisher: Brad Wellington
BIM 1.0 description
BIM version 1.00 is a free, Java-based AOL Instant Messenger client with encryption support. It has a small code base (617KB w/encryption libs) and can easily be run on a wide array of operating systems. BIM has been tested on OSX, Windows XP, Solaris and Linux. BIM also incorporates encryption technology so that a user can communicate securely with any other BIM user.
I think pictures speak louder than words, so I decided a demonstration was in order. Using another brilliant open source product, PlugProxy, I was able to take a quick screenshot of what goes over a TCP connection when connected to AIM. As you can see, the connection is not secure at all; everything is sent as clear text. A user is vulnerable to both eavesdropping and message alteration.
In addition to your messages being compromised, you have no way of knowing for sure that your buddy's messages are genuine. Their connection could be altered in much the same way as yours could be. A true security solution encompasses the following:
* Private Messages - Messages sent are not read or altered by others
* Authenticated Messages - Messages received can be verified that they were in fact sent by the sender
* Verified Messages - Your buddy is who they say they are
BIM can run a chat session in what is referred to as secure mode, although BIM's secure messaging involves more than just encryption. Unlike other IM clients, BIM addresses all three of these issues. Every unique user of BIM can generate a public/private key pair for security use. BIM's security hinges on the secrecy of this private key. BIM will never send this key over the network; however, it is up to the user to secure the key on their local machine.
Private Messages
BIM uses encryption to send messages safely to other users. It uses RSA encryption to ensure only the intended receiver can decrypt your message, by encrypting each message with the public key of the recipient. By doing so, only the intended recipient (and the NSA perhaps :)) can properly and easily decrypt each message.
Authenticated Messages
BIM uses digital signatures for the verification of messages. To be more specific, BIM creates an MD5 hash of each message, which is then encoded using RSA again as specified by PKCS#1. This signature for each message is appended to the message and serves two purposes. It allows the recipient to verify that it was in fact the sender of the message who created it; more specifically, it proves the message was not sent by an imposter. In addition, the signature verifies the content of the message, namely that the message was not altered in transit by a third party.
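As an added illustration, not BIM's own code: a Java sketch of the encrypt-and-sign flow described under Private Messages and Authenticated Messages, using only the JDK's standard providers. The class and method names, the 2048-bit key size and the ciphertext-followed-by-signature wire layout are assumptions; this page does not give BIM's actual message format.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;

public class SecureModeSketch {
    static final int SIG_LEN = 256; // a 2048-bit RSA signature is 256 bytes (assumed key size)

    // Sender: encrypt to the recipient's public key, sign with the sender's private key.
    static byte[] seal(String msg, PublicKey recipientPub, PrivateKey senderPriv) throws GeneralSecurityException {
        byte[] plain = msg.getBytes(StandardCharsets.UTF_8);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, recipientPub);
        byte[] ct = rsa.doFinal(plain); // single RSA block: at most 245 plaintext bytes
        // MD5withRSA is the PKCS#1 v1.5 scheme the page names. MD5 is collision-broken;
        // SHA256withRSA is the JDK algorithm name a current design would use instead.
        Signature s = Signature.getInstance("MD5withRSA");
        s.initSign(senderPriv);
        s.update(plain);
        byte[] sig = s.sign();
        byte[] wire = Arrays.copyOf(ct, ct.length + sig.length); // assumed layout: ct || sig
        System.arraycopy(sig, 0, wire, ct.length, sig.length);
        return wire;
    }

    // Recipient: decrypt, then refuse the message unless the sender's signature verifies.
    static String open(byte[] wire, PrivateKey recipientPriv, PublicKey senderPub) throws GeneralSecurityException {
        if (wire.length <= SIG_LEN) throw new SignatureException("truncated message");
        byte[] ct = Arrays.copyOfRange(wire, 0, wire.length - SIG_LEN);
        byte[] sig = Arrays.copyOfRange(wire, wire.length - SIG_LEN, wire.length);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, recipientPriv);
        byte[] plain = rsa.doFinal(ct); // a modified ciphertext normally fails here
        Signature v = Signature.getInstance("MD5withRSA");
        v.initVerify(senderPub);
        v.update(plain);
        if (!v.verify(sig)) throw new SignatureException("signature mismatch");
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair alice = g.generateKeyPair(), bob = g.generateKeyPair(); // constructed test users
        byte[] wire = seal("meet at noon", bob.getPublic(), alice.getPrivate());
        System.out.println(open(wire, bob.getPrivate(), alice.getPublic()));
        wire[wire.length - 1] ^= 1; // constructed tampering: flip one bit of the signature
        try { open(wire, bob.getPrivate(), alice.getPublic()); }
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The sketch trusts whatever public keys it is handed, so it gives no protection against a substituted key; that is the gap the certificate step under Verified Messages is meant to close.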
Verified Messages
All transactions in BIM (and most PKI schemes in general) begin with two parties swapping public keys. In order to prevent the famous man-in-the-middle attack, public keys are signed by a certificate authority. Users can then verify the identity of the user sending them the public key. BIM does address this and comes with a bot (CA-bot) which runs on the AOL network and can give out certificates. CA-bot in its current state is not that useful, though, for the following reasons:
* The CA-bot will give a certificate to anyone who wants one with a valid AIM id.
* The CA-bot has no way of revoking a certificate.
It is nevertheless provided in the BIM distro for educational purposes. This bot might be upgraded in a future version of BIM. To run the bot, do this:
java -cp bim.jar wellington_brad.bim.cabot.CaBot
You should see the AOL ID cabot215 come online.
When BIM is running in secure mode, it becomes very difficult for a potential attacker to do anything but prevent communication. Here is a picture of the same AOL conversation using PlugProxy as was shown above, this time in secure mode. Here is a link to a presentation I did on some of these issues.