University of St. Thomas
CSIS 560
Project Proposal
Jeff D. Conrad
Security Concerns in Instant Messaging
Instant messaging is a protocol which shares a lot of the same security concerns as email. Corporate use of IM clients is often discouraged or limited. Most commerical IM services require the client to communicate with internet servers in real-time. Some companies are looking to bring the IM server behind the firewall, where communication can be limited, controlled, and less prone to eavesdropping. One of the interesting uses of advanced IM communication is that the entities in a conversation do not both have to be human. What are the security concerns when you want to inquire on data from a 'bot-like entity? How can you insure authentication, non-repudiation? For this project I propose to examine a few of these concerns via the open-source Jabber IM project, an open source Jabber server (either the original, or Jive will be used), which is now formally known as the Extensible Messaging and Presence Protocol (XMPP). The paper will include a current review of related terms and work-in-progress, such as off-the-record messaging. Two to three of security-related JEP and RFC for XMPP will be examined. For the programming portion of my assignment I would modify an existing open-source Java client and/or API to include recommended security enhancements. Due to the time limitations of this assignment, this will focus on a one-to-one conversation (no groupchat implementations).
References
Jabber Home. http://www.jabber.org/
Jabber Studio. http://jabberstudio.org/
Jabber Applet. http://jabberapplet.jabberstudio.org/
JEP List. http://www.jabber.org/jeps/jeplist.shtml
Jabberd Server. http://jabberstudio.org/projects/jabberd2/project/view.php
Jive Server. http://www.jivesoftware.org/messenger/
Jabber Security UI. http://www.yabber.org/design/security.html
Off-the-Record. http://news.com.com/Making+your+IM+secure--and+deniable/2100-7355_3-5576246.html