These keys cannot be reconstructed even with the knowledge of the second layers decrypted network traffic and the secret passwords. Shared ECDH keys are combined with the provided channel passwords, which results in unique and one-time encryption keys between the parties. Once the server connection is secured, it joins the given channel and starts building up end-to-end encrypted layers with each individual member (using ECDH for key exchange and ChaCha20- Poly1305 for ciphering). This second layer also prevents transparent proxies (with their own CA certificates installed on the client) from inspecting their communication. During key exchange, messages from the server are RSA-signed and verified by the client to make sure it is not connecting to a forged destination. Then they create an additional encrypted layer, using ECDH for key exchange and AES-256 for ciphering. The client application establishes a WebSocket (over TLS) connection with the chat server. Real-time messaging - Each piece of data is exchanged immediately between the parties nothing is queued or stored, even for a single second. Outstanding privacy - Conversations can happen without providing any personal detail or account. Triple encryption - Two additional security layers protect messages, on top of the standard TLS protocol. We have created a unique solution which does not require any sort of data storage and makes sure that messages cannot be decrypted even with the complete knowledge of the server contents, network traffic, and provided secret passwords. Our goal was to create an anonymous chat platform which can be used safely over inspected infrastructures so that conversations cannot be recovered even if the server has been seized or one of the participants has been questioned. It does not try to replace popular messaging applications, but instead to provide an alternate, secure channel for confidential discussions. No databases, no accounts, no chat logs.Īimed for anyone who wants to be sure that their conversations are kept private and prefers more security over fancy features. As an alternative, nongovernmental organizations could set up their own Cryptocat servers, Kobeissi said.CHATCRYPT The Secure Channel Welcome to ChatCryptĪn end-to-end encrypted group chat that doesn't store anything in the cloud. Tiny packages containing Raspberry Pis and the Cryptocat server software could also be sent to regions in need. He’s also planning to purchase some of the US$25-$35 Raspberry Pi mini-computers under development by the Raspberry Pi Foundation. There already is an add-on application for Google’s Chrome browser, and Kobeissi expects to release native applications for iOS and Android later this year. Kobeissi has plans for quite a few Cryptocat improvements. By using a “.onion” URL for Cryptocat, the Cryptocat server will not know the users’ true IP addresses, Kobeissi said. A user creates a chat session, picks a nickname and then types a random string of characters in order to generate the 256-bit AES encryption keys for the public key cryptography system it uses.Ĭryptocat’s code is open source, and Kobeissi has published details on how its encryption works in order to get feedback from other cryptology specialists.Īs an added security measure, Cryptocat is compatible with TOR (The Onion Router), a worldwide network that make web surfing more anonymous by randomly routing traffic through its servers. First, one of its versions is web-based, so no application has to be downloaded. The beauty of Cryptocat is its simplicity. OTR must be downloaded, installed and configured, and both parties having a conversation must have it enabled in order for the messages to be encrypted. There are proven encryption technologies for instant messaging, such as PGP (Pretty Good Privacy) and OTR (Off The Record), an add-on encryption program for IM applications such as Pidgin and Adium.īut PGP can be “difficult to use for people who aren’t computer geeks,” Kobeissi said. Messages are encrypted when transmitted, but those conversations are decrypted on the servers running those services, potentially allowing interlopers to record them. Many of those applications implement SSL (Secure Sockets Layer), an encryption protocol that underpins e-commerce transactions.
0 Comments
Leave a Reply. |