TFC: Pidgin + OTP + end point security

Discussion in 'privacy technology' started by Splosh, Jan 18, 2014.

Thread Status:
Not open for further replies.
  1. Splosh

    Splosh Registered Member

    Nov 19, 2012
    Abstract / Introduction
    TFC is a proof-of-concept set of tools for Pidgin; a low cost solution that enables truly private conversations and a possibility to opt out of the dragnet surveillance. TFC aims to address major vulnerabilities present in current IM applications.

    1. Weak encryption algorithms: messages are one-time-pad encrypted. OTP is the only algorithm proven to provide perfect secrecy; messages are unbreakable without the key.

    2. Weak entropy of encryption keys: TFC utilizes a hardware random number generator. This ensures all bits used to generate encryption keys are truly random.

    3. Compromise of end point security: TFC uses data diodes that prevent exfiltration (theft) of plain-texts and encryption keys on the hardware level.

    To put the concept of TFC into practice, a prototype setup was built and simple programs were written in Python. The security of the platform was audited by analyzing the attack vectors remaining. TFC appears to be the only system that protects message confidentiality against the advanced attacks the Snowden leaks revealed the NSA to utilize on a massive scale; TFC is not unbreakable, but it succeeds in making ubiquitous, unethical monitoring with implied presumption of guilt very expensive and, by enforcing targeted surveillance, helps preserve the balance between individual privacy and collective security.
    Inconvenient operation makes mainstream use difficult. The goal of TFC is to act as a proof-of-concept: a road sign for future high security IM applications.

    Draft paper available at
    Last edited by a moderator: Jan 18, 2014
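
An added example, not part of the original post and not TFC's own code: a minimal one-time-pad key store in Python showing the property point 1 of the abstract depends on, namely that every key byte is used exactly once and then destroyed, and that sending stops when the pad runs out. `OneTimePad`, `PadExhausted` and `demo` are hypothetical names, the messages are constructed samples, and `secrets.token_bytes` is an assumed stand-in for the hardware random number generator the post describes.

```python
import secrets


class PadExhausted(Exception):
    """Raised when the remaining key material cannot cover a message."""


class OneTimePad:
    """Key material that is consumed front to back and never reused."""

    def __init__(self, key: bytes):
        self._key = bytearray(key)
        self._offset = 0

    def remaining(self) -> int:
        return len(self._key) - self._offset

    def _take(self, n: int) -> bytes:
        # Refuse before consuming anything if the pad is too short.
        if n > self.remaining():
            raise PadExhausted(f"need {n} bytes, {self.remaining()} left")
        chunk = bytes(self._key[self._offset:self._offset + n])
        # Overwrite used key bytes so they cannot be applied a second time.
        self._key[self._offset:self._offset + n] = bytes(n)
        self._offset += n
        return chunk

    def apply(self, data: bytes) -> bytes:
        """XOR data with fresh key bytes; the same call encrypts and decrypts."""
        return bytes(d ^ k for d, k in zip(data, self._take(len(data))))


def demo() -> dict:
    # Assumption: secrets.token_bytes stands in for a hardware RNG.
    key = secrets.token_bytes(32)
    sender, receiver = OneTimePad(key), OneTimePad(key)  # both ends hold the same pad
    msg1, msg2 = b"meet at noon", b"bring the keys"  # constructed sample messages
    ct1, ct2 = sender.apply(msg1), sender.apply(msg2)
    out = {"pt1": receiver.apply(ct1), "pt2": receiver.apply(ct2),
           "left": sender.remaining()}
    try:
        sender.apply(b"one more message")  # needs 16 bytes, only 6 remain
        out["exhausted"] = False
    except PadExhausted:
        out["exhausted"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The XOR step provides confidentiality only; it does not detect a ciphertext that was modified in transit.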