AIM Encryption Certificates

What does the lock icon next to an AIM buddy mean?

The lock icon indicates that the buddy has an AIM Personal Digital Certificate installed and can support encrypted conversations. If you have such a certificate too, then instant messages you exchange with this buddy can be encrypted (scrambled), signed (verifiable as coming from you), or both. (Note that I'm just going to call these things encryption certificates even though they can be used for more than just encryption.)

What good is all this?

In theory, anyone sitting on the network between you and the person you're chatting with could be reading your instant messages because they're all transmitted in cleartext (i.e., in plain view). Actually, it's more than just theoretical -- in many cases, it's quite feasible to do it in practice. You're especially vulnerable if you're on a shared local network, but it's possible with switched networks too. For example, someone could eavesdrop on your messages using a tool as general as tcpdump, or as targeted as AIM Sniff. And let's not forget that Echelon, or something similar, is probably logging your messages, too.

So how secure are these certificates, you ask. AIM security is based on S/MIME, which is a relatively new standard, but is itself based on pretty established techniques and is gaining broad acceptance. So barring any implementation flaws (unintentional or not) in AIM or the certificate generation process, messages should be secure enough for most any AIM user. At any rate, it would almost certainly be easier to break into your house and install monitoring equipment, or infect your computer with a worm or trojan that phones home, than to bother mounting a direct attack. However, this also underscores the fact that cryptography is not a security panacea; there are lots of easier alternatives to cracking codes and protocols, and you need to be aware of them too.

The short of it is that your steamy exchanges, inane prattlings, or even treasonous plottings are possibly being read by someone or something out there. There are lots of people who really couldn't care less about this, and those people certainly won't feel any need for encryption. But for those who do...

How does one obtain an encryption certificate?

There are several ways, some better than others. In particular, note that for options (2) and (3) below, your buddies may get an annoying warning message about your certificate being unsigned (depending on how old their AIM clients are).
  1. Some certificate authorities (CA's) offer free certificates intended for encrypting and signing email. However, these can be used in AIM too. The CA's I know of that offer this are Thawte and Comodo. Of course, there are other CA's (e.g., Verisign) that will provide you with a similar certificate, except they'll charge you too. (Verisign does have a support page that might be helpful if you can't figure out how to install your AIM certificate, though.)

    Note that I've only tried the certificates from Thawte, though the ones from Comodo should work fine too. The sign-up process can be a bit annoying, but that's the price you pay.

    This is definitely the option I recommend, not least of all because you won't get any annoying "untrusted certificate" warnings, like you would for the other options I'll mention below (just for the sake of completeness).

  2. Generate a certificate yourself. This is probably the most work, but is the next best option. See the next section for details on how to do this. To be fair, this option should be just as (if not more) secure as option (1). At least for me, the main advantage option (1) holds over this one is that my buddies won't have to deal with the unsigned certificate warning. Perhaps you're thinking now, wait, doesn't a certificate signed by a CA have the additional benefit of verifying my identity? Well, the only thing Thawte and Comodo can realistically confirm about me is that I can read mail at the email address I signed up under (they could do better if they sent me an IM instead, but their certificates are supposed to be for email, after all). Since I like to use a semi-anonymous webmail address for this purpose, a buddy might have trouble verifying that the email address I used actually belongs to me. (I don't use a real email address because when someone IM's you and clicks on the lock icon, that shows the information in the certificate, including the email address. Sometimes I get IM's from random people who I wouldn't necessarily want to know my real email address.)

  3. Get a certificate from another non-CA, like AIMEncrypt.com or this guy. The AIMEncrypt certificates are, security-wise, probably the worst choice possible, since they only offer one certificate that's shared by everyone. Basically, your IM's will be encrypted (this will be enough to stop a casual, technically-unsophisticated eavesdropper), but since all the information necessary to decrypt messages is publicly known, a more dedicated eavesdropper will not have too much of a problem. As for the other option, getting someone to make your certificate for you obviously means you have to trust the guy (and the certificate he gives you would not be any more secure than one you could generate yourself).

How can I generate my own certificate?

This method is not for the totally clueless user, so I won't do much handholding at all. The way I know of to do it, you'll need to have OpenSSL installed. If you have access to a Unix-like machine (or Mac OS X), it may already be installed there. If you use Windows, you can get the Cygwin version of OpenSSL. Open a terminal or command prompt, and do something like what's shown below. (The bolded text is stuff you'll probably be typing. Note that some of the responses should be customized for your particular situation.)
$ ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.................................+++
................................................................+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:1234
Verifying - Enter PEM pass phrase:1234
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:YourSN
Email Address []:.


$ ./CA.pl -newreq
Generating a 2048 bit RSA private key
.....................................................................+++
..........+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:1234
Verifying - Enter PEM pass phrase:1234
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:YourSN
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request (and private key) is in newreq.pem


$ ./CA.pl -sign
Using configuration from /opt/local/packages/openssl-0.9.7c/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 25 11:10:56 2003 GMT
            Not After : Dec 24 11:10:56 2004 GMT
        Subject:
            commonName                = YourSN
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                EB:A1:29:7C:AE:82:99:F1:03:A0:53:F6:5D:66:37:05:77:B3:CB:A8
            X509v3 Authority Key Identifier: 
                keyid:92:1E:FF:93:92:BF:3B:FA:65:EC:7A:32:2B:46:04:4E:CE:61:27:FD
                DirName:/CN=YourSN
                serial:00

Certificate is to be certified until Dec 24 11:10:56 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem


$ openssl pkcs12 -in newcert.pem -inkey newreq.pem -out newcert.p12 \
  -export -certfile demoCA/cacert.pem -name "YourSN"
Enter pass phrase for newreq.pem:1234
Enter Export Password:1234
Verifying - Enter Export Password:1234

Here, newcert.p12 will be the certificate you import into AIM.
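
The same procedure with plain openssl subcommands in place of CA.pl, followed by checks on the resulting bundle; this is an added example, not part of the original page. The function names, the file names, the "private CA" subject and the AIM_PASS variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the page's own commands. Function names, file names and
# the "private CA" subject are illustrative. The pass phrase is taken from the
# exported AIM_PASS variable so it never appears on a command line.

make_aim_p12() {    # usage: make_aim_p12 <screen name> <work dir>
    sn=$1; d=$2
    [ -n "$AIM_PASS" ] && mkdir -p "$d" || return 1
    # CA.pl -newca: self-signed CA certificate and key
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=$sn private CA" \
        -passout env:AIM_PASS -keyout "$d/cakey.pem" -out "$d/cacert.pem" \
        2>/dev/null || return 1
    # CA.pl -newreq: user key and certificate request
    openssl req -new -newkey rsa:2048 -subj "/CN=$sn" \
        -passout env:AIM_PASS -keyout "$d/newkey.pem" -out "$d/newreq.pem" \
        2>/dev/null || return 1
    # CA.pl -sign: issue the user certificate from the private CA
    openssl x509 -req -in "$d/newreq.pem" -days 365 -set_serial 1 \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -passin env:AIM_PASS \
        -out "$d/newcert.pem" 2>/dev/null || return 1
    # Bundle key, certificate and CA certificate for import
    openssl pkcs12 -export -in "$d/newcert.pem" -inkey "$d/newkey.pem" \
        -certfile "$d/cacert.pem" -name "$sn" \
        -passin env:AIM_PASS -passout env:AIM_PASS -out "$d/newcert.p12"
}

check_aim_p12() {   # prints "ok" only if every check passes
    sn=$1; d=$2; p12=$d/newcert.p12
    # 1. The user certificate chains to the private CA.
    openssl verify -CAfile "$d/cacert.pem" "$d/newcert.pem" >/dev/null 2>&1 \
        || { echo "chain does not verify"; return 1; }
    # 2. The certificate inside the bundle names the expected screen name.
    subj=$(openssl pkcs12 -in "$p12" -passin env:AIM_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -subject -nameopt RFC2253)
    case $subj in *"CN=$sn") ;; *) echo "unexpected subject"; return 1 ;; esac
    # 3. The private key inside the bundle matches the certificate.
    kpub=$(openssl pkcs12 -in "$p12" -passin env:AIM_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$d/newcert.pem" -noout -pubkey)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "key mismatch"; return 1; }
    echo ok
}
```

Export AIM_PASS, run make_aim_p12 YourSN ./aimcert, then check_aim_p12 YourSN ./aimcert before importing newcert.p12.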
Jeremy Lin  [email]