Very secure forum / group communication system, looking for feedback

n33m3rz · Jan 10, 2009

Hello I am working on a project and wonder what you think about it. I am new to cryptology but this seems to me to be a very good system to encrypt forums and other sorts of group communication. Please respond even if just to tell me you don't want to read it. Thanks.

The Problem: Secure online communications between members of a given group, where the following needs are met

A. The communications of the group are protected against those not in the group

B. The communications between individuals or sub groups in the main group are secure from all others in the group.

C. There exists substantial anonymity for all members of the group, and for the server where sorting of communications takes place.

D. Anonymous authentication is required for every action. Anonymous authentication meaning member X in the group can be confirmed to be the same member X at a later point as he was at a previous point, with out the verifier having to actually know anything about member X.

E. Plausible deniability offered for all members of the group.

The Solution: An open source software suite that includes the following components:

A control panel: For use by administrators or central figures to create a set of config files which can be plugged into the next two parts. The config files would need to be transferred to members of the group securely, preferably with OTR messaging or something similar. Also for doing administrative things from.

A host program: To be installed on the server which acts as a central hub for encrypted communications between members of the group. Basically prepares the host to work with clients, pointed towards it by the client config file.

A client program: An open source group independent publicly released program that can have config files plugged into it to make it more specific to any given group. The client includes a GUI designed to be similar to an Internet forum, allowing for threads (public to the entire group) and PMs (between individuals, or sub groups).

An installation program: This installs the client program. It will in general ask for a USB drive (although one technically wont be needed for the sake of simplicity we will assume one is used). It will create an encrypted shell file filling up the entire USB drive except for a small area for a decryption program. It will also be made to be similar to u3 where it is plug and play. The encrypted shell file should also have a secondary passphrase that leads to a fake area with user provided fake things they can pretend they wanted to keep secret if they are ever ordered by thugs to turn over their passphrase. It is best to make it so there is an option for this added security rather than it being required as if it is required it will be apparent that it is being used.

The life cycle of the program from Admins perspective:

1. An administrative figure hoping to start a secure group downloads the package. They run the Control Panel program. They are at this point required to insert a USB key (again, this isn't set in stone but we assume it is used). The USB has an encrypted shell file (Aes-serpent-twofish) with a hidden area opened by a second passphrase. The hidden area is filled with pretend files the admin can pretend they were wanting to hide.

2. The remainder of the USB consists of decryption software and u3 type stuff that allows for auto launching.

2. After the USB is prepared (one-two passphrases, admin will need to remember both of them if he chooses for plausible deniability, one if not) a key pair (User-authorized) is generated. I think this public key should us the algorithm HIME(R) and whirlpool as the RNG.

(Please understand I really only have a fundamental grasp of public key encryption so this might not be an appropriate algorithm. I think it is a more secure alternative than RSA though and will work fine for signatures).

3. The public HIME(R) key is saved to the host.config file that will be generated.

4. The private HIME(R) key is stored on the admins USB. It doesn't need further encryption in my opinion as the entire USB is already encrypted with aes-serpent-twofish. If there are advantages to further encryption, I think it should use a keyfile replacing the passphrase, to minimize the amount of passphrases the admin needs to memorize.

5. A 4,096 bit keyfile (group-decrypt) is generated with Whirlpool PRNG and saved to the client.conf file that will be generated individually.

6. The admin sets up the server and gets it running as a Tor hidden service. This should all be very easy to do from the interface of our program, similar to how easy it is to set up a hidden service using Tork.

7. The onion pointer to the hidden service needs to be included in each client.conf file

___

8. Now that everything is essentially set up, the admin needs to invite users. He will do this by generating them a client.conf file from the control panel program. In addition to the (group-decrypt) keyfile and the onion pointer, this file is also signed by the (user-authorized) key pair the program generated earlier. Since each config file is essentially the same, we will need a short random string to be generated and included in each one prior to being signed I believe.

Now we transition to the point of view of a member:

1. You want to join a group so you download the independent open source software. You run the installer program and your USB gets set up as has been explained before.

2. You also have the following things generated (NOTE: admins also need all of these, they should also be generated when creating a new group template with the control panel)

A. Encryption/signature key pair for member to member or sub group messages (specific-privacy-key). The following standard should be used for this key pair: HIME(R) / ACE-KEM (sign/encrypt).

B. Signature key pair for constant authentication (still-me) : HIME(R)

For what B is used I think there is no reason to further encrypt the key. For A however I think a passphrase should be required (no keyfiles allowed), the private key should be encrypted with serpent-256 and require a password to decrypt.

3. After the generating is done and the client.config file inputted into the client program:

A. You connect to the central server from the client. When you first connect, it establishes that you are using appropriate client compatible versions whatever....

B. You are verified that the Admin wanted you to be a part of this group. This is done by your client.config file uploading itself to the host (as always over the tor network, I will stop saying this so much but understand all traffic is over tor). Once the client config is on the host, the authenticity of the signature it is signed with is checked against the public key that the Admin has in the host.config file. If the signature authenticates that is a pretty good sign that you were given the client.config file by the Admin of the group.

C. The public key of (still-me) and (specific-privacy-key) are uploaded to the central hidden service. Both should be signed with (still-me).

D. You are now set as a member of the group. You may need to enter a name in this area so the server has something to identify you by consistently in your postings, similar to a screen name on a forum. Any names should need to be signed with (Still-me).

E. Note that after your (still-me) public key is on the server, every single command you sent to the client needs to be signed with the private key. Since this key made use of a keyfile it will be automated, you wont need to type in a passphrase every single time. This is for user authentication after login. I talk about login more below.

F. When you first establish a connection with the host a randomly generated string will be sent from the host to the client. The client will sign the post with (still-me) key and send it back to the server automatically. This is the act of login, after a user has logged in and can see the main listings, each move they make is authenticated automatically with the (still-me) key.

G. When a user posts a message for the public membership to see, that message is encrypted symmetrically with Serpent-256 using (group-decrypt) as a keyfile.

H. When other members log on to check messages they receive the Serpent-256 encoded messages and they are automatically decrypted client side using the (group-decrypt) keyfile which all members share (as it is part of the client.config file they got signed from the admin)

I. When a member sends a private message to another individual or a group of individuals, first the client connects to the host and finds all the public (specific-privacy-key) keys for everyone the message is intended to go to. The keys should be saved client side as well. When people upload a new key if they for whatever reason change it, it needs to be signed not only with (still-me) but with their old (specific-privacy-key) key (requiring a passphrase and a keyfile to switch keys).

Ok whew getting a bit tired of talking about this but I think that is the general concept pretty well. There are a few other things I want to address though:

1.To protect against keyloggers users should have the option to type their USB passphrases in on a digital keypad with all the letters numbers etc. They should also rotate each time a new one is clicked, so positioning the mouse with out taking a screen cap will be useless.

2. The first thing a user should see when they plug their USB in to any computer is the aforementioned keypad (autostarted similar to U3). They type in their passphrase to decrypt the encrypted volume on the USB holding the more interesting things. One passphrase leads to regular client and all the information so far stored, the other to the bogus area made earlier.

3. Absolutely everything takes place over Tor. Tor is really slow, but since we are only sending chunks of encrypted text, it really shouldn't be noticeable lag even. Tor uses layered encryption from enter node to .onion server when communicating with a .onion server. This removes the need for SSL and also disguises the fact that so much pre-encrypted **** is flying around between this server and clients.

4. Absolute care should be taken to make the entire process as smooth and seamless for the end user as possible. They should need to do nothing that doesn't involve clicking between a few simply worded button commands, and typing in the passphrases when needed. This absolutely must be an easy to use system as it is hard to understand. As far as the user is concerned this should be no more difficult than using hushmail (although significantly more secure ;-) )

n33m3rz · Jan 10, 2009

To put it simple:

Client and server side programming that makes use of encryption and authentication on a lot of different levels, mainly full database encryption with a symmetric key (encrypted data stored and organized server side after being uploaded over the tor network) and encrypted PM system using asymmetric keys, plus all the other stuff I said above this is just the general concept in a nut shell.

Seems pretty secure / anonymous to me, the only way for someone to get into the main area would be to compromise a member or get invited themselves, and all the pms would be totally private end to end between two people. Also the actual server and the members would be pretty difficult to trace down thanks to Tor.

This could work good for like message boards of people in communist china or something? Or are there flaws.

SteveTX · Jan 10, 2009

Two such systems already exist. They are privately designed and maintained, not for the general public. Are you planning on developing an open system?

n33m3rz · Jan 10, 2009

I am not a programmer myself and probably would have a hard time to do this correctly, but I am working closely with people who are developing it, it was mostly my idea I was unaware systems like this existed already but am not too surprised it is nothing ground breaking just a bunch of different systems applied to a whole. What are the two systems you mention I would like to learn more about them, what is the primary reason for them?

But yes eventually this will be released as an open source project it is being developed in C right now but I was wanting to look for feed back before we went to far with it in case there was anything I might have missed.

SteveTX · Jan 10, 2009

The first is a forum called Distributed City which runs on tokens and hashes, all internal messaging is PGP encrypted, transparently. This is a decade old implementation.

There is a next-generation system being developed as a project of an undisclosed group that will be deployed this year. It will far surpass the Distributed City forum and integrate a new type of "mixmaster" system that has not yet been publicized.

n33m3rz · Jan 10, 2009

That (distributed city) is simply GPG encryption implemented in the actual PHP, if I am not mistaken (and I could be hehe). Not very secure really, as hushmail has proven (although not with php there). Sure messages sent are encrypted, but since it is done server side if the server is ever in the possession of the adversary they could sniff messages in the split second that they are unencrypted on the server. It worked to get passphrases for hushmail users, a slightly different implementation would get plain text messages. Messages would only be safe and have meaningful encryption if they were sent before the server is compromised, and in that case why even bother to encrypt at all.

The reason for a client and server side component to the system is so that the encryption and decryption can take place clientside, both for PMs and for symmetric encryption of single posts. The actual server would be nothing other than a frame work for distributing tagged blocks of encrypted code, even if the server was run by the adversary they couldn't compromise the system at all unless they were invited into it or compromised a member who had been, where as distributed city it seems the adversary could easily compromise all the security if they got control of the server (this all assumes that they are just using the php/gpg libraries to do the encryption, I can't really tell there is very little info on it but it seems to me no client side component and really a system like this will never be entirely secure unless it is distributed).

I am interested in your project but understand that more details can't be released. Mixmaster huh, isn't that like mixminion? I thought that was for E-mails. Will the new mix master system have anonymity advantages over a clientside program using tor to connect to a predetermined .onion server?

SteveTX · Jan 10, 2009

The new project is superior to mixmaster. We should take this offline. Give me your messenger info over private message.

n33m3rz · Feb 2, 2009

Here is a more detailed blueprint, let me know if any holes are found.

The Four Program Components

The Client

Purpose: To connect the member to the server and allow them to interact with the features.

Functionality: Handles encryption and decryption of all information, encrypts messages and delivers them to the server over the Tor network. Handles authentication with the server and session management. Manages and executes a list of instructions contained on a configuration file generated by the control panel software component. The client side program can handle encryption and decryption of itself Via a portable encryption/decryption component installed to the container (usb or folder). The client can manage Tor and should automatically install and configure Tor and privoxy, and configure itself with them, if selected by the user. Users should also have the option of inputting proxy commands and pointing it towards Tor like other applications allow for. Client ascertains that data sent to the server meets the required standards set by the config file that allows access to the server. Authenticates that the server it is connecting to is running as a Tor hidden service, can do this via Tor interfacing.

Gui Features: The client includes a Gui tool that is designed to serve the same functionality as a forum. Avatar support should be included but from a list of a few hundred preselected client side images included with the program. Graphical abilities should be at a low priority with a focus on clean code and ease of use. The simpler the better, but avatars serve important functions and the data can be transmitted with two bits if the avatars are stored client side.

The Server

purpose: To manage tagged blocks of encrypted code and prepare them for distribution.

Functionality: Handles distribution of encrypted content. Allows for easy configuration of Tor hidden services for it to install itself too, should mostly manage itself. Handles authentication of users, helps handle sessions, helps enforce policy, gets lots of instructions from a configuration file, authenticates administration commands by use of cryptological signatures.

Gui features: The server should require no Gui features, although the administrative control center that generates the config file instructions for the server and the client should.

Administrative Control Center

Purpose: To generate invitations for new members, generate config files.

Functionality: The administrative control center is an interface for generating config files for the Server and the Client. It is the second program needed to be used to set up a community, first the server must be run to generate a hidden service onion pointer. The config files contain information in them including accepted algorithms, a copy of the administrators self signed key which the program generates. The client specific config file also contains a user name for the person the admin has sent it too and is signed by the administrator when it is generated. The config file also includes a 4,096 character long group shared passphrase that will be used for decryption and encryption of symmetrically encrypted group-public information. This 4,096 character long passphrase will function as a sort of keyfile more than it will as a standard passphrase, it will be automated into the system. It is generated by the Administrative control center and included identically in each config file that is generated for a member of the group with the associated encryption scheme. This file is automatically encrypted to the prospective members provided public key when the admin generates them an invitation. The encrypted config file is delivered to the perspective member over some channel then they must decrypt it into the usable file.

The Gui: The GUI should be plain and simple with easy to find and simple commands that serve a clear cut purpose.

The Installation Program

Purpose: To install the client side software to an encrypted shell file and also to include a decryption program in the same directory the program is installed to. Should also include the ability to quickly install to a USB drive. Also to configure servers.

Functionality: First the program creates a shell file filling up a pre determined space on a computer or filling up all of a USB except for some room for a U3 style launched and a decryption program. Should also be able to help set up servers. This program doesn't require a GUI just an installer as normal.
Click to expand...

Key Guidelines

Key One

Type: Symmetrical key
Purpose: Encryption Of client side program and data
Access: Two passphrases, one to client one to throw away file. Not automated.
Supported ciphers: Serpent-256, Serpent-512, AES-256, AES-512, Twofish-256 with a cascade but not alone
Supported PRNG: Whirlpool-512
Stored: Client side only

Key Two:

Type: Asymmetrical key pair
Purpose: Decryption of received private messages, signatures on outgoing messages
Access: See key three for information on access to the private component of this key.
Supported Ciphers: RSA/Elgamal 2048-4096 bit
Supported Hashes: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Stored: Both keys are client side, public key is server side also and on each members machine as required
Key Three:

Type: Symmetrical Key
Purpose: Encryption of private key component of Key Two
Access: Password default, keyfile stored on shell encrypted by key one is possible. Automated is possible but not default.
Supported Ciphers: Serpent-512, Serpent-256, AES-256, CAST5
Supported PRNG: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, Whirlpool-512
Stored: Client side only

Key Four:

Type: Symmetrical key
Purpose: Encryption of threads and group public information
Access: 4,096 character keyfile included with client config file. Automated is required.
Supported Ciphers: Serpent-256, AES-256
Supported PRNG: Whirlpool-512

Key Five:

Type: Asymmetrical key pair
Purpose: Session management
Access: 4,096 character keyfile generated with whirlpool-512, automated is required
Supported Ciphers: RSA-4,096
Supported Hashes: Whirlpool-512
Click to expand...

Utilization of the Tor network

All communications between the client and server are done over a circuit as explained in step 6. All communications between two clients are explained in step 7.

1. First a hidden service uploads information about itself to an introduction point. This information lets people route information to the hidden service. The connection to the introduction point is made over a full tor circuit

Hidden Server -----> Entry Node ----> Relay Node -----> Exit Node ------> Introduction Point

2. Over a new circuit, the server uploads its public key, introduction points, and onion pointer to a Tor directory. All information is signed with the servers private key.

Hidden Server ---> Entry Node ----> Relay Node ----> Exit Node -----> Tor Directory

3. When the Client wishes to communicate with the server, and downloads the information the server uploaded in the previous step.

Client ---> Entry Node ----> Relay Node ----> Exit Node ---> Tor Directory

4. The Client picks a random Rendezvous node from the available Tor nodes on the network. It uploads its public key and to the rendezvous node over a full Tor circuit.

Client ----> Entry Node ----> Relay Node -----> Exit Node ----> Rendezvous Node

5. The client now communicates a desire to communicate with the server by sending a request to the servers introduction point over a full circuit, and the introduction point sends the request on to the server over a full circuit. The request is encrypted with the servers public key.

Client ----> Entry Node ---> Relay Node ----> Exit Node ----> Introduction Point -----> Entry Node ----> Relay Node ---> Exit node ----> Server

6. After receiving the request to communicate, the server sends its reply to the clients Rendezvous node. The client then connects to the Rendezvous node over a Tor circuit to download the information. The information is encrypted with the clients public key.

Server ---> Entry Node ----> Relay Node ----> Exit Node ---> Rendezvous Node -----> Exit Node -----> Relay Node -----> Entry Node ----> Client

7. When Two clients communicate with each other, they both build connects like the one demonstrated in step six to the server. The server acts as an extra rendezvous point between the two clients, plus a controlled one that is hopefully friendly.

Client 1 -----> Entry Node -----> Relay Node -----> Exit Node ----> Rendezvous Node 1 ---> Exit Node ---->-Relay Node ---->-Entry Node -----> Server ----> Entry Node ----> Relay Node ----> Exit Node ----> Rendezvous Node 2 ----> Exit Node ---> Relay Node ----> Entry Node -----> Client 2
Click to expand...

Encryption of client stored information

When a user activates the installer program it prompts them to provide a USB key. The installer program creates a shell file on the USB which is as large as possible to still provide room for a decryption program and an auto-launch script similar to U3. The user determines the Cipher they will use, the PRNG is set at whirlpool-512. The user will be prompted to provide entropy by randomly moving the mouse for a period of time. Minimum password requirements for this key will be hard coded at a minimum of ten characters including numbers, letters and special characters.

When installing the program, the user will have three options. The first option will be to encypt a random user provided file. The second option will be to encypt a random user provided file, and a second random user provided file. The third option is to encypt a random user provided file as well as create a secondary encypted space with the client software installed to it. This is for plausible deniability that the user is using the software to communicate with a group of people, and also allows the user to give up a safe passphrase if forced to do so.

When a user insets the USB drive into their computer, a screen will automatically pop up prompting them for a passphrase. Depending on what passphrase they input, either the user provided material will pop up on the screen, or the client side software will. All client side things related to this program are stored on the encypted shell, from keys to software program alike.
Click to expand...

Joining a group

Before a user can join a group, they need a signed config file from the administrator of the group. After they have the config file, they need to input the config file to the client. The client will put the config file in the encrypted shell and do a 3 pass DoD wipe on the one that was outside of the secure encryption space. The config file will tell the client the onion pointer of the server, and the client will connect to the server automatically over the Tor network. After connecting to the server, the user will upload a copy of the config file and the server will check it for authenticity, and also will check to see if the users unique string in their copy of the config file is listed as valid and not banned. After the user is authenticated, the client will upload all required public keys to the server. If a key is not provided by the user, the program will take some time now to generate them. The server stores the keys in the appropriate section, and includes the user in the databases / generates tags for them.
Click to expand...

Login procedures and authentication

Every time a user connects to the group a number of things happen. First of all, the config file the admin gave to the user is uploaded to the server and authenticated, plus the users individual number assigned to them by the admin is verified as not banned. Next, the server generates a random string and uploads it to the client. After the client has the string, it signs it with the users private key and uploads it back to the server. The server authenticates the signature compared to the users stored public key, then verifies what is signed versus what was presented. Next, the hash of a hash list of all members public keys is downloaded to the users client. If the hash of the hash list is the same as the hash of the hash list on record, the client does nothing. If the hash of the hash list is different, the hash list is downloaded to the users client and compared against the previous hash list. Each member with a new key will then have their public key downloaded to the users client. The users client will check the new keys by authenticating their signatures against the old keys. When new keys are downloaded they are required to be signed by the old keys so they can be verified by other members clients. After the keys are updated, the users client will scan the server for Pm's tagged to it. This step requires no random string authentication like the other steps do, for reasons made clear in the private messaging section of this presentation. The client also downloads new threads and information based on the tagging system which also is discussed more in depth later on. Every action a user takes requires random string authentication besides for receiving Pms which rely on weak authentication to download (at the advantage of majorly reducing the risk of social network analysis by a malicious entity who takes over the server), but strong encryption to protect contents.
Click to expand...

Encryption and Anonymity of Private Communications Between Members

When one members wishes to communicate privately with another member of the group, the following steps are taken in order. The steps are there to protect against wire tapping (with encryption), tracing (with Tor) and communications pattern analysis by a malicious entity who comes into possession of the server (with a unique SURB system)‏:

1. When person one(p1) wishes to write a message to person 2 (p2), the first thing they have to do is write the actual message on the client side Gui. After writing the message, they hit a send button.

2. After hitting the send button, p1s client generates a 25 character random string with user mouse entropy and whirlpool-512 PRNG. This string is automatically embedded in the body of the message, and is also stored encrypted on the client.

3. Another 25 character string is generated with the same algorithm. This string is also stored on the client and embedded in the message.

3, Next, the entire message including the random string is encrypted asymmetrically with p2s public key. The message is signed with p1s private key. The asymmetrically encrypted message is then encrypted symmetrically with the group key.

4. The encrypted message has a tag applied to it, the tag of the first message between two people is the KeyID of the recipient. After being tagged the encrypted message has a whirlpool-512 hash taken of it.

5. The encrypted message and the hash are uploaded to the server over two Tor circuits via hidden service functionality. The message is then detected by person 2s client when it scans the database on the server as it is always looking for the persons keyID to be used as a tag. The message and hash are then downloaded from the server to the client of p2, also over two tor circuits.

6. Upon receiving the hash and message, p2s client verifies the signature on both of them against a key on record, if one exists. The client then makes its own hash of the message and after comparing it to the one on record, it also uploads it to the server. If the hash p2s client made of the message matches the hash of the message stored on the server, a 3 pass DoD wipe is done on the hash and message stored on server.

7. The symmetrical encryption is automatically removed with the group shared key on p2s client. The asymmetrical encryption is removed after the user enters a passphrase he is prompted for, or a keyfile is detected if p2 decided to use automated pm decryption.

8. The two twenty five character strings from steps 2 and 3 are stored to p2s client. This is done transparently, the user can't see these strings and they are taken care of by the client. The user reads the message p1 sent him.

9. When p2 wants to reply to p1, he types his reply in and hits send. His client generates two twenty five character strings in the same way as p1s client did.

10. The message back to p2 is encrypted with p2s private key. The asymmetrical encrypted message is then encrypted symmetrically with Serpent-256, using the second twenty five character string person ones client generated as the passphrase. This message is then tagged with the first twenty five character string generated by person one, signed by person two, hashed and uploaded to the server.

11. Person ones client finds the tagged message because it is keeping an eye out for that tag from now on. Once the message is gotten, the tag and passphrase for the symmetric encryption change again, for each new message. It is possible to have several strings for tagging and encryption sent at one time, to allow for multiple anonymous messages. The benefit of this system is that it makes it near impossible for the server to tell who is talking with who by observing tags or encryption keys used.
Click to expand...

Encryption Of group public communications

When a message is posted as a thread, the following steps take place:

1. First of all the user types the message into the client side GUI and hits a submit button.

2. After the user hits the submit button, the message is signed with the users private key.

3. The message is then encrypted symmetrically with the shared passphrase in the client config file. The message is then tagged following the tagging guidelines.

4, The user creates a connection to the server over two Tor circuits via hidden service functionality.

5. The server generates a twenty character random string and uploads it to the client of the user.

6. The client signs the string automatically with the users private authentication key.

7. After signing the string, it is uploaded to the server. The server then determines authenticity of the signature and verifies the string.

8. If properly authenticated, the client takes a hash of the message and uploads the message and the hash to the server.

9. After the message and hash are uploaded to the server, the server gets the hash of the message and compares it to the hash provided by the user to make sure they match. The hash is also uploaded to the client and compared against the users hash to ensure they match.

10. The server logs the addition of the thread to a structure file, if it is a new thread. If it is not a new thread, it adds the post to the appropriate row in the appropriate thread. When a new thread is added, the basic information on its location is included in a forum structure file which is uploaded to each individual client each time they connect to the forum, and each time it changes during the session as determined by a five bit string which goes up in order as new threads are added and is compared to the number the client received when it first connected to determine if new threads have been made during a session.

11. When other users connect to the server, they download the structure file. New changes to the structure are uploaded to the users system at this point, where they are decrypted and authenticated. The users client also takes a hash of the message and compares it to the hash on the server for further authentication and confirmation that the entire message was received properly.
Click to expand...

Tagging Guidelines and Specifications

Delivery of threads and private messages from server to client are handled by a tagging system as well as multiple databases.

Database One

Named: Private_Messages

Rows: Private Message, Hash of Private Message, Delivery Tag, Delivery Timer

Database Two:

Named: post_Storage

Rows: Thread Number, Hash of thread, Server Applied Timestamp of last post, Post #1 ETC....., Three Bytes (Each time a new post is added, the bytes change, starting at AAA and going to AAB ending at !!!, the client checks the bytes and compares them to what they were previously to quickly see if new posts have been added since the last time it looked)

Database Three:
Named: Users_And_Authentication
Rows: User name (created during first login), User Key, Random String generated by server for each action user takes, Signed String after user authenticates, KeyID
Click to expand...

Additional Features

1. All passphrases will have the option of being entered in on screen with a virtual keypad. The keys on said virtual keypad will rotate each time one of them is pressed. This will get around all hardware keyloggers, all software keyloggers, mouse positioning software, and some screencap programs. Screen shot taking trojans that have high FPS will be able to defeat it however, but still better protection against keyloggers than none.

2. PMs sent to the server have a delivery time included. If someone checks for PMs before a message to them is due to be delivered, it wont show up. This can be used to fight against time analysis of PMs being used to determine a probable geographic location for members (from members, but not the server)
Click to expand...

Z32 · Feb 3, 2009

I'll be very interested to see how this turns out; it sounds like an excellent means of private communication.

One thing that I think would be cool (depending on how 007 you want to be with this system)... is to have a 'duress' passphrase which triggers the automatic expiration/revocation of your key (access) to the system.

My reasoning there is, rather than just leading people to a bogus area of a USB or coming up 'denied' if they tried to guess over & over, you could feed your assailant a predetermined "seppuku" passphrase, if you will.

Regarding the server, who technically controls it in this scenario?.. if an administrator, do they play God (all-seeing/all-knowing) or is the system designed to prevent misuse/be autonomous/fail securely.

My apologies if you've covered that stuff in your posts - they're a lengthy read and I don't understand a lot of the mechanisms

n33m3rz · Feb 3, 2009

Double post

n33m3rz · Feb 3, 2009

For the keys to be expired or the hidden data to be wiped, it would need to be mounted, and if it is mounted then the contents can for one be compromised and for two be proven to exist. It is realistic that not telling people about the secondary password doing a wipe could be seen a prosecuted as destroying evidence (as always assume I am talking about a government that oppresses the people, for example China). Also if it is thugs with a Gun to your head, they might not be happy once they find out what you did.

I think for this reason it is best to try and hide the information, rather than confirm it exists by trying to erase it.

The server can be controlled by anyone. There would actually be slight security advantages if the server is maintained by someone who is NOT a member of the group. The most an adversary with the server who is NOT a member of the group can do is ruin the system, they couldn't do a man in the middle attack as far as I can see, as all information stored on the server (including public keys) is encrypted with a symmetric encryption algorithm and they don't have the keyfile for it unless they are a member of the group (so they can't see it, and if they spoof it the spoofing will be immediately detected). They can't even gain information on who is communicating with who thanks to the unique PM system. Even if a member of the group does control the server, it will maintain a large amount of its security, but be slightly more subject to man in the middle attacks if the admin himself is the adversary.

The point of this program is in part to secure a forum so well that even if the adversary has total control of the server it is hosted on, they can't penetrate the security only destroy the system. It does assume that the adversary doesn't START in control of the system though, but even if the adversary starts in control of the system and is a member of the group, there is still a decent amount of protection, it is hard to defend against that scenario though but I think this system still has at least a decent amount of security against that. The main concern if they start as the administrator and server owner of the group is that they could instantly man in the middle public keys between two people and pretend to be both of them to the other. But if a key pair is transmitted once with out being spoofed by a man in the middle, all future communications will be secure as new keys need to be signed with old keys and they wouldn't have the old key. Can anyone think of a way to fight a man in the middle attack against public keys, assuming the adversary is a member of the group and also owns the server? I will need to think of that one, the only thing I can think of is people should distribute and authenticate their initial keys outside the server structure as well as through it.

The admin has no special abilities that others do not have as far as a backdoor or anything.

...Hmmm been thinking about ways to avoid a man in the middle attack during initial key exchange and research has brought me to something called MQV, can anyone explain to me in laymans terms how this works and if it would be effective to help protect against a server administrator who is a member of the group?

n33m3rz · Feb 14, 2009

Too many big posts in a row, looked ugly. See final blueprint below to see how we ended up doing the authentication system, and also how we defend against MIM attacks.

n33m3rz · Feb 14, 2009

Okay sorry to post so much in this thread and everything being so long. This is the final blueprint I think though. Programming has started based off this and we could find no flaws in the final design. This system outlined here will most likely be the one we develop. If anyone can find flaws in it PLEASE let me know, and also if anyone can think of improvements or additional features, now is the time to say so because otherwise we will need to redo stuff as the programming is started. The final product will be released totally free and open source. We are relying on other open source projects to get it done and will respect all their license requirements. Also we decided to call it Hive Mind:

The Four Program Components

Client Installer

Purpose: Create and manage an encrypted shell file on a USB drive, with throw away passwords.

Methodology: Use Truecrypt source code to set this up. Truecrypt allows for their source code to be used for other projects as long as they get credit.

Encryption Algorithms:

Serpent
Aes
Aes-Twofish
Twofish-Serpent
Serpent-twofish-Aes
Aes-twofish-serpent

Twofish is not allowed by itself although it is supported by Truecrypt. The reasoning for this is both Aes and Serpent are stronger than Twofish, but Twofish used in a cascade with either of the others will help defend against certain algebra based attacks.

Hash Algorithms:

Whirlpool
sha-512

Ripmed-160 isnot supported, although it is in truecrypt, because it is of questionable strength, especially compared to Whirlpool and Sha-512.

Other: Seed comes from mouse input, should force minimum entropy. Can accomplish this by requiring mouse to be in motion for at least 30 seconds before encrypting.

Deniability: During initial install, allow users to select from three options. Encrypt a random user provided file with no hidden section, Encrypt a random user provided file with a hidden section containing the client software, encrypt a random user provided file with a hidden section containing another random user provided file. The reasoning for this is, for one possession of the software is not a guarantee a person is using it to access groups, and for two if a hidden section is somehow proven to exist a user can say it was merely random secondary files and they forgot the password, there will be no conclusive proof a hidden section contains client software.

Further Details: The installer program should choose the size to make the encrypted shell file based off a size scan of the provided USB. The shell file should take up the majority of space on the USB, saving room for only a decryption program, an auto-launcher similar to U3, and a Ram wiper. Also, passphrases should be hard-coded at ten characters long including numbers, letters and special characters.

Possible Attack One: The key could be written to a page file. It could also be written to the drive from memory during a system hibernation or unclean shutdown. Protections against this include only running the program on a computer that is full drive encrypted. Other protections that don't involve encryption are turning off page files and disabling hibernation. This threat should be clearly explained, but defending against it is outside of the scope of our program.

Possible Attack Two: A seized computer, even with the drive not mounted but recently dismounted, could have the key extracted from RAM if the RAM is flash frozen and examined under an electron microscope. To defend against this, when the drive is unmounted random data should be loaded to ram. There are two ways to do this. One, when the software is shut down but the USB is still plugged in, random data could be written to the ram for a few minutes using the ram wipe program on the USB. Secondly, when first plugged in, a temporary file could be made that checks to see if the USB is plugged in. If the USB is suddenly removed, the temporary file will immediately start writing random Data to the ram. This way, if a door is kicked in by well educated thugs thugs, the simple action of quickly pulling out the USB could prevent a forensics team from recovering the key from flash frozen memory.
Click to expand...

Server + Server Installer

Purpose: Manage tagged blocks of pre-encrypted text, authenticate users

Defensive mechanisms: The server should be run on a Tor Hidden Service. This should be very easy to set up for the host, requiring them to only fill in a few variables, like how it is easy to set up hidden services with Tork. The server itself should be very easy to install and run.

Possible Attacks: The attacks against the server will involve tracing down Tor hidden services. Also will involve authentication spoofing. The burden of defending the anonymity offered by Tor Hidden Services falls on the Tor developers and is outside the scope of our project, although we believe Tor to be "adequately anonymous" for our purposes. Authentication methods are discussed further later on, and have an extremely low mathematically proven chance of being spoofed.
Click to expand...

Administrative Control Panel

Purpose: Handle administrative tasks

Task one: Create Client Config Files

Client config File specifications

1. Client config files are signed by an administrative key, generated by the Administrative Control Panel during the initial stage of starting a group.

2. Client config files contain a self signed copy of the public key of the administrator of the group.

3. Client config files contain the .onion address of the server. For this reason, the server must be set up before the configuration is complete. This address is inputted by the administrator after he has the server running.

4. Client config files contain a 4,096 character randomly generated string that is equal in all config files. This string is used for group encryption and decryption of symmetrically encrypted data, and should accordingly be kept private only to members of the group. The PRNG used to generate this string is either Whirlpool or Sha-512, with the entropy coming from mouse movement with a minimum period of thirty seconds of mouse movement required to ensure strong entropy. This is also done by the administrator.

5. Client Config Files contain either a whirlpool or a sha-512 hash of the 4,096 character string. This is used for group authentication, so clients can prove to the server that they are members of the group with out further identifying themselves. This is used in the Anti-MIM system discussed later on. The length of a 512 bit hash should be adequate that it will not be brute forcible.

6. Client Config Files contain a fifty character randomly generated string that is unique to each client config file. The PRNG is either whirlpool or sha-512, with the seed from mouse input. This string is to identify clients as individual members of the group, and to check their status.

7. Client config files are distributed to everyone the admin wants to be a member of the group. Public key encryption should be used to transfer Client Config Files, as they contain sensitive information that should only be viewable to members of the group.

Task Two: Create Server Config Files

Server Config File Specifications:

1. Server config files are signed by an administrative key, generated by the administrative control panel during the initial stage of starting a group.

2. Server config files contain a self signed copy of the public key of the administrator of the group.

3. Server config files contain the .onion address of the server. For this reason, the server must be set up before the configuration is complete. This address is inputted by the administrator after he has the server running.

4. Server config files include the symmetric encryption algorithm to be used for group public communications. This is determined by the administrator. Serpent-256 is the default, also supported is aes-256.

(NOTE: 1-4 are generated once and do not change for the entire existence of the group. Clients will periodically check the server config file to ensure that it is the same as always.)
Click to expand...

5. Seperately signed in the server config file is a forum layout, including forum titles, sub-forums, etc. This can be replaced with another forum layout provided it is also signed by the administrators key.
Click to expand...

The Client

Purpose: Protect against tracing, Handle encryption, Handle Authentication, Protect against MIM, handle tagging, manage private communications, fight keylogging,
Click to expand...

Protect against MIM

The primary way a MIM attack will be launched on this system is by spoofing of public keys. This can only be carried out if the owner of the server is a member of the group, or has access to the group shared decryption passphrase. In most, but not all cases, the owner of the server will be the administrator of the group. Protecting against MIM attacks is quite difficult, so instead we rely upon the following integrity testing system for transmission of public keys. MIM defenses do not need to be utilized for the PM system, as PMs are signed with keys which have their integrity checked.

1. Prior to connecting to a group for the first time, Alice generates and self signs a public key. A hash of the key is also kept on record.

Supported Ciphers: RSA/Elgamal 2048-4096 bit :::: Hashes: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 ::: SHA-512 being the default. This is GPG compliant and the key can either be generated by the client or can be generated by another program that creates GPG compliant keys and inputted into the system
Click to expand...

2. Alices client encrypts her public key symmetrically using the shared 4,096 character group-public string from the client config file as the passphrase.

3. Alices client connects to the server. Alices client is required to authenticate to upload a key to the server (see authentication section).

4. After authentication, Alices symmetrically encrypted public key is uploaded to the server and tagged with her name.

5. The server makes a hash of Alices symmetrically encrypted public key and keeps it on record.

6. After uploading her symmetrically encrypted public key to the server, Alices client will switch Tor identities and download the key back to itself. When downloading keys, Authentication is not necessary, although group membership must be proven. Group membership is proven by uploading a hash of the 4,096 character shared string to the server (the server doesn't have the 4,096 character string, but does have a hash of it. This should be safe)This is the initial integrity check. If the downloaded key does not match the uploaded key, a MIM alert is sounded.

7. Every time alice connects to the server, the first thing that happens is her client proves group membership with the hash of the shared 4,096 character encryption string. Before she further authenticates or identifies herself, her client downloads hashes of all public keys on the server. If the hash of alices key does not match the hash of the key on record on her client, a MIM alert will sound.

8. If new hashes exist that alice does not have on record, her client will download their corresponding symmetrically encrypted text blocks. She will then hash the text blocks and ensure that the hashes match the hashes the server had on display. If they do not, a MIM alert will display.

9. Alices client then will use the shared 4,096 character encryption string to decrypt the symmetrically encrypted text blocks into the public keys.

10. After Alices client has keys on record, every time she connects to the server and proves group membership (but prior to identifying herself or further authentication), alices client will check for new hashes of keys on record. If a new hash is found, alice will download the key. If the new key is not signed by the old key on record, a "possible MIM" alert will pop up, telling Alice that this is possibly a sign of a MIM attack. The client will keep this event on record, and double check the key on the server the next time alice connects. If the key on the server the second time she connects matches her old key on record, a MIM alert will go off. If it does not, a Possible MIM alert will go off asking Alice if she wants to download the new key or not.

11. Alice can choose to do in depth integrity checks, where all members public keys are downloaded and compared, rather than just hashes of the keys. Even if the server lies about hashes and their corresponding keys, it will get busted once the key is downloaded and the hash does not match the hash the server has on record.

12. If Alices client detects a MIM attack, alices client will generate PMs explaining the situation and tag them for all group members Alice has on record. To understand how this is very difficult or impossible for the server to stop, read the PM section.

Strength of Protection: This system does not 100% protect against a MIM attack. It does however offer fairly good odds that a MIM attack will not go unnoticed for a long period of time, and also essentially guarantees that a massive MIM attack will be identified.

Possible Attack: If the server can trace back the Tor network in a few minutes time, it can figure out who is who and know not to send them spoofed keys. This attack is theoretically possible, but is extremely unlikely to be successfully executed.
Click to expand...

Protection against tracing

The client and server use an automated version of Tor, similar to Tor Portable and Operator. That way we don't need to redesign the client, but can make using them very easy for users.

All communications between the client and server are done over a circuit as explained in step 6. All communications between two clients are explained in step 7.

1. First a hidden service uploads information about itself to an introduction point. This information lets people route information to the hidden service. The connection to the introduction point is made over a full tor circuit

Hidden Server -----> Entry Node ----> Relay Node -----> Exit Node ------> Introduction Point

2. Over a new circuit, the server uploads its public key, introduction points, and onion pointer to a Tor directory. All information is signed with the servers private key.

Hidden Server ---> Entry Node ----> Relay Node ----> Exit Node -----> Tor Directory

3. When the Client wishes to communicate with the server, and downloads the information the server uploaded in the previous step.

Client ---> Entry Node ----> Relay Node ----> Exit Node ---> Tor Directory

4. The Client picks a random Rendezvous node from the available Tor nodes on the network. It uploads its public key and to the rendezvous node over a full Tor circuit.

Client ----> Entry Node ----> Relay Node -----> Exit Node ----> Rendezvous Node

5. The client now communicates a desire to communicate with the server by sending a request to the servers introduction point over a full circuit, and the introduction point sends the request on to the server over a full circuit. The request is encrypted with the servers public key.

Client ----> Entry Node ---> Relay Node ----> Exit Node ----> Introduction Point -----> Entry Node ----> Relay Node ---> Exit node ----> Server

6. After receiving the request to communicate, the server sends its reply to the clients Rendezvous node. The client then connects to the Rendezvous node over a Tor circuit to download the information. The information is encrypted with the clients public key.

Server ---> Entry Node ----> Relay Node ----> Exit Node ---> Rendezvous Node -----> Exit Node -----> Relay Node -----> Entry Node ----> Client

7. When Two clients communicate with each other, they both build connects like the one demonstrated in step six to the server. The server acts as an extra rendezvous point between the two clients, plus a controlled one that is hopefully friendly.

Client 1 -----> Entry Node -----> Relay Node -----> Exit Node ----> Rendezvous Node 1 ---> Exit Node ---->-Relay Node ---->-Entry Node -----> Server ----> Entry Node ----> Relay Node ----> Exit Node ----> Rendezvous Node 2 ----> Exit Node ---> Relay Node ----> Entry Node -----> Client 2

Possible Attacks: The reliability of this system depends on the anonymity provided by the Tor network. This is outside the hands of the developers of this project, although we generally believe Tor should offer sufficient anonymity. It should be noted that common attacks against Tor, which rely upon scripting, rouge applets, malicious exit nodes and other things, are not feasible against our system.
Click to expand...

Authentication Of Name

For all actions other than downloading keys and uploading PMs, Alice needs to authenticate herself to the server. This authentication is done according to the Feige-Fiat-Shamir Identification Scheme protocol. 10 rounds are played three times.

1. When Alice connects to the group for the first time her F-F-S public key is uploaded to it, signed with her asymmetric key.

Below, the steps of the Feige-Fiat-Shamir Identification Scheme are explained:

Start Up

1. Alice generates the following variables:

P = A 512 bit prime number

Q = A 512 bit prime number

N = P * Q

K = 10 (because we play ten rounds of the game)

Sk = A 512 bit prime number. There are to be ten Sk numbers, S1-S10.

Vk = Any number congruent with Sk^2 (mod N). V can be determined algebriacly by generating a large whole number and solving for V.

Example: Assuming Sk = 5, N = 221, and the whole number 100 is randomly generated. This is to show an example, these numbers are too small to be safely used.

(V - 5^2) / 221 = 100
V = (100 + 5^2) * 221
V = (100 + 25) * 221
V = 27625
Click to expand...

2. Alices client uploads N to the server, but keeps P and Q secret. Alice keeps Sk (s1-s10) as her private key and gives the server Vk (v1-v10) as her public key.

Authentication

1. Alices client generates the following variables:

R = A random 512 bit integer. The same R can never be used twice, so after R is generated a hash of it is kept on record. If the hash of R matches a hash of R already on record, a new R is generated.

S = Either a -1 or a 1

X = A number congruent with S * R^2 (mod N). This number can be determined the same way that Vk was chosen.

2. The server generates the following

Ak (A1-A10) = either a 0 or a 1 for each K.

3. The server sends these numbers to Alices Client.

4. Alices client generates the following variables

Y = Any number congruent with R*S1^A1 * R*S2^A2 * .... R*S10^A10 (mod N). This number can be found in the same way as V.

5. Alices Client sends Y to the server.

6. The server verifies that Y^2 is congruent with +/1 x*V1^A1 * V2^A2 * .... V10^A10 (mod N)

7. If the number is congruent, alices client passes that game. The game is played 3 times with 10 rounds each.

8. If alices client passes 10 rounds 3 times, she is authenticated. There is a 1 / 1,073,741,824 chance that someone with out alices private key can spoof alices identity.
Click to expand...

Authentication of Server

Authentication of the server is handled in a few ways. For one, only a server with the Tor Private Key of the onion pointer the server is using can represent that Onion Pointer. This is decent authentication in itself. Secondly, when a user first connects to the group, the Server Config file is downloaded to their client. Since the Server Config file should never change for a given group, if it changes (or the client notices it doesn't follow its own protocols) then the user can figure out something is up.
Click to expand...

Manage Private Communications

1. Bob composes a private message to alice on his client side GUI, and hits the send key.

2. two 110 character strings are generated by Bobs client, using Whirlpool-512 as the PRNG and mouse input for the seed.

3. A 30 character safe-delete string is also generated by Bobs client, using whirlpool-512 as the PRNG and mouse input for the seed.

4. The first 110 character string is compressed with LZMA and then encrypted with Alices public key that Bob has on record. The compression is to both decrease bandwidth requirements, and also to protect against cryptanalysis. This message is then encrypted with the group-public key.

5. The message Bob wrote, along with the second 110 character string and the 30 character string, are first compressed with the LMZA compression algorithm.

6. The compressed message Bob wrote, as well as the second 110 character string and the 30 character string, are first hashed, and then the hashes are signed with bobs asymmetric key and then symmetrically encrypted, using serpent-256 by default, with the passphrase being the first 110 character string.

7. The symmetric and asymmetric messages are tagged with alices KeyID, as well as a date and time determined by Bob.

8. The messages are uploaded to the server from Bobs client either immediately, or the next time bob logs in to the server, prior to him identifying himself or authenticating. We want to separate Bobs being online from the message being uploaded to the server.

9. Bob also uploads hashes of the cipher text messages, along with a hash of his 30 character safe-delete string to the server. These strings are not publicly viewable.

10. The server hashes bobs cipher text, and compares it to the hashes bob uploaded to the server. If they match, the server tells Bob that his message was sent. If they do not match, it tells Bob delivery failed, and tries again.

11. When the date and time specified by Bob are reached, the server will add the messages to a database publicly viewable by anyone who can prove they are part of the group (done by uploading a hash of the 4,096 character string to the server). Authentication or individual identification are not required to upload or download private messages.

12. Alices client checks the PM database on the server for messages tagged to her KeyID every time she logs in, prior to authentication or identification. Her client also checks during idle time. This is to separate alices being online from the message being downloaded.

Note: Even if a rouge client downloads a message intended for Alice, it will be of little consequence as it will not be able to decrypt the message, or see who it is from.
Click to expand...

13. After alices client finds messages tagged to her KeyID, it downloads them.

14. Alices client decrypts the asymmetrically encrypted data with Alices private key. It then uses the 110 bit string included in this message to decrypt the symmetrically encrypted message. The signature on the data inside the symmetrical encryption is verified, and Alice finds the message was sent from Bob.

15. Alices client hashes the cipher text messages and uploads the hashes to the server. Alice also uploads a hash of the safe-delete string to the server.

16. If the hashes of the messages alice sends the server match the hashes stored on the server, PLUS the hash of the safe-delete string alice sends to the server matches the hash stored on the server, the server wipes the messages and hashes with a 3 pass DoD wipe.

17. If the message hashes match, but the safe-delete string does not match, the server will tag a "One Failed Attempt" on the message, so when the real alice downloads it she can see someone else got the cipher text. Only the real Alice can download the message and have it wiped off the server, because only the real Alice can find the hash of the safe-delete string. If someone else downloads the message, Alice will be warned when she gets it that someone else got it, plus the person who got it can't decrypt the cipher text to get the safe-delete string.

18. If the message hashes don't match, the server will attempt to resend the messages until they do.

19. When Alice responds to bobs message, it is encrypted with the whirlpool-512 hash of the first 110 character string generated by bob. The message is tagged with the first 110 character string that Bob generated. All measures taken by bobs client as also taken by Alices client, although a new pass phrase isn't generated for the symmetrical data because hashes of old pass phrases are used instead. A new reply tag is generated however, so when Bob responds he can tag the message for Alice. Hashes wont work in this case.

20. Bobs client frequently checks for new messages tagged to strings Bob has generated (in its idle time, or possibly only before authentication during login). Bob does NOT need to authenticate to check for messages tagged to him, the server should have no idea it is Bob that is looking for messages with those strings unless it can trace back the Tor network to Bob.

21. All PMs with all their tags are present and viewable to every member of the group. If a member of the group uses a rouge client to download a message from the list not intended for them, it is of little consequence, as they will not be able to decrypt the message and they will not be able to see who the message is to or from. Also, the person the message was intended for will be warned as the rouge client will be unable to find the safe-delete string in the cipher text.

22. This system is to protect against a corrupt server attempting MIM attacks, and also to protect against communication pattern analysis by someone who can observe the server (the server has no idea what identification strings are used for who, plus can't see who is downloading what tagged messages unless it traces them back down the Tor network)

23. New PMs have new keys generated for them which are transfered with asymmetric encryption. Replies to old pms use a new hash of the password used for the last reply. Members can keep the pass phrases stored encrypted with the PMs client side if they wish to read them later, or they can delete the message which will securely erase the cipher text as well as the hash for perfect forward secrecy.

Special Feature: Clients that choose to do so will in their idle time randomly and transparently generate rubbish PMs tagged to themselves, with delayed delivery times. This is to confuse the server, help real timed messages blend in better, increase the work load of anyone trying to crack messages, and also help messages NOT tagged to a persons client be uploaded with out giving the persons identity away.

Note: If you remember when I said that the server can not easily delete a MIM warning from being broadcast, it is because the only way for the server to remove all warning PMs is to remove all PMs. the server can't tell who wrote a PM, who the PM is for or what the PM says.
Click to expand...

Click to expand...

Handle Group Encryption

1. Alice writes a message on her Client Gui, and hits Submit.

2. The message is compressed with LMZA, then hashed. The hash is signed with Alices Asymmetrical key.

3. The message is encrypted symmetrically with the group shared 4,096 character string as the passphrase. The Title is encrypted separately.

4. Alice Authenticates with the server to prove her identity.

5. The message is tagged with a thread # and a Post # and uploaded to the server.

6. The server keeps a directory structure file that users clients download.

7. After the message is uploaded to the server, the server adds the encrypted title of the message to the directory structure file in the appropriate place. The title of the thread is linked to the threads location on the server database.

8. When a user logs in, the directory structure file for the forum (sub forums can have separate ones) is downloaded to their client. The GUI of the client is designed to look similar to a Forum. The user can browse the thread titles (which their client automatically decrypts) and when they click on one, their client sends a request to the server to download the encrypted posts that make up the thread. These posts are then decrypted and displayed in order they are tagged on the users client.

9. Users should have the option to "purge threads" where they can do a secure 3 pass DoD wipe on all threads stored on their client. If they don't do a DoD wipe threads should be kept in tact stored on the client, to help with loading times.

10. Hashes of posts in threads can be used to determine is a post has been editted and the thread needs redownloaded. This will reduce load times and not cripple the system.

11. The client compares signatures of hashes to keys on record to determine who wrote the thread.

12. The client also compares signed hashes to messages.
Click to expand...

fight keylogging

Virtual keypads with rotating keys should be present that users can use to type passphrases in, and also compose messages if they desire. They should also be able to disable the rotating. This will help protect against some sorts of key loggers.
Click to expand...

Aesthetic considerations

1. All graphics should be stored client side. This will significantly increase speeds.

2. Avatars should be allowed, but should all be included client side with the program. People can select the avatar they want to use, and it can be communicated to the client with two bytes (aa = avatar one, ab = avatar two, etc). This will allow for just under ten thousand avatars to be included with the program, but we should probably keep it to two or three hundred.
Click to expand...

Click to expand...

SteveTX · Feb 15, 2009

Some notes:

Client Installer

1. If the system has an onboard RNG, dual RNGs, or onboard AES hardware, like the C7-M processor, you should use them. This will significantly increase the speed of the processing of all the crypto, reducing the crypto overhead to near zero.

2. For the logon to the system, use random #s of asterisks for each character typed so that an attacker cannot know the password length if they happen to shoulder surf.

3. Deniability: Also add a fourth options SSH FileSystem for remotely stored profiles/containers. That way there is no onboard system to lose or destroy, it can be in the cloud on any network.

4. Don't limit the maximum length of the password, and allow more than the standard 93 characters. This will greatly enhance your entropy. Also allow the entry system to accept a paste from the clipboard, otherwise you limit it to printable characters.

5. To avoid these attacks you listed, employ Secret Sharing, requiring multiple people to log on to edit the system or set it up. That way one login won't compromise the system, and can be revoked if they are key based.

SteveTX · Feb 15, 2009

Server & Server Installer

1. Secret Sharing again.

2. Consider not making it a tor hidden service. These are discoverable by many methods. Instead consider making it run distributed in a secure environment with a dynamic address, like VMs. Hiding the machine will not be possible. Instead focus on making the machine fail-secure, and tamper proof so that it is self-destructed if compromised, and has backups elsewhere that can take it's place live.

SteveTX · Feb 15, 2009

Administrative Control Panel

1. Secret Sharing

2. Key authentication with revokation certificates.

3. .onion is unimportant. Instead consider using your own darknet or making it publicly accessible. You cannot rely on tor hidden services, and it will *drastically* slow down your services, and may even render them unusable.

SteveTX · Feb 15, 2009

If your clients or server run tor, they will be compromised. It's only a matter of time. To properly run tor with protection will require cordoning off of the tor process inside it's own virtual machine, and not allowing it to look at or speak to anything it doesn't need access to. It must be an internal system of least-privileges.

SteveTX · Feb 15, 2009

The Client

1. All hashes must be salted, otherwise you are open to rainbow table attacks.

2. All of the encryption you've used will require time division access. If you require so much hashes and crypto this will be very processor intensive on systems, and authentication may take many seconds per transaction. This means that an attacker can DOS your system by throwing lots of hashes at it and requiring it to perform lookups or recryption to match the hash.

3. An attacker can start to kill your system by registering lots of keys to overflow your buffers and tables and memory.

4. All inputs must be sanitized against breakouts, server and client side. Fuzzing will be required.

SteveTX · Feb 16, 2009

Protection against tracing

1. Let the user choose what network they want to use, if at all. People have different threat models, and putting it all in one network is centralizing your risk in a leaky basket. Consider letting clients advertise as gateway nodes between networks.

2. You cannot use PortableTor or Operator or similar. This will 100% compromise your system. I can take these softwares and turn them into remote rootkits to do network scanning and execute arbitrary code. We can even hijack your network and perform quiet traffic analysis of all your communications without you noticing. Tor processes must be run inside a virtual machine. Use TorVM or JanusVM if you must use Tor.

If you want a superior network design, you have the opportunity to make one here. You could use the system proposed by Magnus Brading at Defcon 16. This would be well-suited for you.

2. You cannot fight keylogging. Any such claim is voodoo. That includes onscreen keyboards too. If the system the user is using is compromised, it cannot be uncompromised. This is something you cannot defend against using the host operating system. An OS with a rootkit or keylogger can be hidden and defeat even virtual keyboards by capturing the emulated output instead of the input at a certain register. This is because you are relying on the OS to tell you if it has integrity, which it can't do as that is circular logic. What you can do is prevent against software keylogging only. To do that you will need your own bootable operating system that does not use the host system at all, except for it's hardware. Suitably, you can use the xB Machine, which can be booted off of on any system with intel architecture or similar, and is open source. Even then you are still subject to hardware based keyloggers.

n33m3rz · Mar 16, 2009

Here is a still in development blueprint by the way. We decided to go with Java as the programming language, also the Feige-fiat-Shamir system has already been programmed I will throw up the source code soon. We are estimating that an Alpha Release could be out in three or so months and will probably do a public test.

http://www.sendspace.com/file/v59ptl

n33m3rz · Apr 9, 2009

So this project is still being developed. Some of the people who looked at the blue print didn't understand some of it so I wrote up a more informative explanation in regards to the cryptographic techniques we are using. This would be an interesting read to anyone who wants to learn more about encryption and related technologies, although it is focused on this specific project I tried to give as much information as possible.

Speak easy forums make use of a variety of cryptographic algorithms (and algorithms related to cryptography in general, such as compression). The types of algorithms used include: Key distribution (asymmetric encryption), symmetric encryption, zero knowledge authentication, cryptographic signatures, one way functions (hashing), pseudo random number generation, steganography and compression.

Asymmetric encryption works by using a public and private key. The public key is used to encrypt information which is then decrypted with the private key. A good way to visualize this process is to think of an open padlock and a metal case. If you wish to communicate with someone privately, you send them your open padlock (public key). They can then write a message to you, put it inside the metal case and lock it with your open padlock. Once they have locked the case even they can not extract the message from it, unless they can break the case (break the encryption algorithm). They can then send you the metal case, and you can use your key (private key) to open the padlock. You can rest assured that as long as the metal case (encryption) is strong enough that no one besides you (or someone with your key) can read the communications. Symmetric encryption can be seen as a giant combination safe. Usually asymmetric systems have the private key inside of the combination safe, and only someone with the combination (pass phrase) can open the safe. After you get the metal box with a message for you in it, you open the combination safe (type in your pass phrase, aka enter your combination into the safe) to take your private key out, which you then use to open the metal box and extract your message (decrypt the message).

Asymmetric encryption has several weaknesses that symmetric encryption does not have. For one, asymmetric encryption requires more bits for the same security as symmetric encryption, resulting in bigger cipher texts and slower computation. This is because asymmetric encryption relies on mathematical problems which are hard to solve with out extra information (the extra information being your private key), and although there are a great many possible answers to the mathematical question, there are not as many answers as there are possible keys of a large bit length. For example, RSA asymmetric encryption relies on factoring a large number that is the sum of two primes. Although there are a huge amount of primes that multiply to equal a 256 bit number, there are tremendously more numbers that are 256 bits in length. It is estimated that a 1,024 bit key based on prime numbers is roughly equivalent to an 80 bit symmetric key where all combinations are taken into consideration.

Asymmetric encryption has various other flaws. Cryptanalysis can be used to attempt to break asymmetric key encryption, as it can with symmetric key encryption, but asymmetric keys typically are used to encrypt far more plain texts per key than symmetric key encryption. This gives an adversary the possibility of possessing more cipher texts, and even plain texts, for cryptanalysis. Asymmetric encryption also relies on a single key to encrypt a great deal of information, making a compromised asymmetric key potentially more damaging than a compromised symmetric key.

Yet another disadvantage of the vast majority of asymmetric encryption algorithms is that they are incredibly weak to certain attacks from quantum computers. Where as a symmetric encryption algorithm will have its bit strength cut approximately in half when faced with a quantum computer, an asymmetric encryption algorithm will usually be trivially broken. This is true of the overwhelming majority of asymmetric encryption algorithms, but not all of them.

Asymmetric encryption has one huge advantage over symmetric encryption, its use of a public key which can be freely distributed for encryption allows for it to be used to encrypt communications. Symmetric encryption can be used to encrypt communications, but this gives rise to the problem of how the correspondents will know the key (combination) for decrypting the encrypted message. This is especially true when the correspondents have no means of communicating in a secure environment, or a trusted channel.

Asymmetric encryption is for the aforementioned reason incredibly well suited to symmetric key distribution. The actual message will be encrypted symmetrically, and the combination to the symmetric “safe” will be encrypted asymmetrically. This is the concept that speak easy forums base their non public (private message) communication systems on; asymmetrical key distribution with symmetric encryption.

Speak easy forums use asymmetric key distribution as part of the private communications system. A cascade of two cryptosystems are used for asymmetric encryption, the McEliece cryptosystem and elliptic curve Diffie-Hellman. Keys are first encrypted with ECDH and then the ECDH cipher text is encrypted with the McEliece cryptosystem. Elliptic curve Diffie-Hellman uses the difficulty of finding the discrete logarithm of an element as the fundamental mathematical problem it bases its security on, as compared to older systems which used the difficulty of factoring a large composite number into two primes. This allows for stronger security with a key of a smaller bit length, and results in smaller cipher text. This reduction in key size is convenient for bandwidth, although cascading with the McEliece cryptosystem greatly reduces the relative impact of this benefit it is arguable that the reduced size of elliptic curve cryptography relative to RSA style cryptography is greatly beneficial when use of the McEliece cryptosystem already results in cipher text of inconvenient size. The McEliece cryptosystem is fairly unique as an asymmetric algorithm in that it is immune to the quantum computer based Shors algorithm, an algorithm that trivially breaks the majority of other asymmetric encryption systems. The McEliece cryptosystem is a fairly advanced cryptological algorithm which draws its security from disguising Goppa codes. Although the McEliece cryptosystem is immune from Shores algorithm, thus quantum computer resistant, it has a variety of set backs. The McEliece cryptosystem has been cracked with traditional computers when it makes use of the originally suggested bit parameters, which were actually quite large to begin with. The more recently suggested parameters call for a public key size of roughly one and a half megabytes for a symmetric equivalent strength of 128 bits. This is an extremely large key size, especially when one takes into consideration that speak easy forums will generally be hosted as Tor hidden services and bandwidth is very limited. Cipher text produced by the McEliece cryptosystem is also greatly larger than the plain text. Regardless of these very serious disadvantages, we believe that a quantum computer resistant key distribution system is of great importance. The way the private messaging systems key distribution is structured requires minimal use of the asymmetric keys, so large cipher texts will need to be sent sporadically. The anti man in the middle system does not need to do in depth integrity tests on the asymmetric keys, only on the signature key, so there will be no inconvenience from the tremendous public key size from the perspective of integrity checking. Also, it is unlikely that every member of the forum will need to exchange private message keys with every other member of the forum, so key distribution will be relatively sporadic and on an as needed basis. We believe that the advantages of such a unique asymmetric encryption system out weigh the disadvantages, especially considering that the disadvantages will only present themselves relatively sporadically.

For symmetric encryption (of private communications, group public communications and client side software), speak easy forums use the algorithm Serpent with 256 bit keys.. Some background information is required to explain why we chose serpent over Rijndael (AES). The advanced encryption standard (Rijndael) was a selected out of fifteen other algorithms in a competition to find a next generation encryption algorithm to replace DES, serpent came in second place. Although Rijndael won the competition, it lost to Serpent in terms of security. The algorithms were tested for many attributes, including security and speed. Rijndael is a faster algorithm than Serpent, but not as conservative in terms of security. Rijndael winning the title of AES caused it to be adopted on a large scale, business and many military organizations traditionally use AES. AES has been approved by the NSA for encryption of top secret documents. It is worth noting that the NSA most likely had a large amount of influence in the selection of the AES title holder, and they have a rather dubious track record in regard to their suggestions. For example the NSA published and released a PRNG by the name of Dual_EC_DRBG which included a back door. NSA pushed this PRNG and got it published as a NIST recognized standard, despite it being much less efficient in general than the other standards published (and of course including a back door!). The fact that Rijndael was selected over Serpent despite Serpents significant security advantages (Even taking Rijndaels speed advantages into consideration) combined with the NSAs influence in the competition and their history of dishonesty leads us to believe that Serpent is a better choice of algorithm than AES. It should also be noted that serpent stands up better to XSL attacks than AES does, although XSL is said by some to be a dream rather than an attack.

Speak easy forums use a zero knowledge authentication protocol called Feige-Fiat-Shamir for secure logins. A zero knowledge protocol works by letting you prove beyond a reasonable doubt that you posses a piece of information, with out revealing anything that can be used to determine the content of the information. These systems work with a public and private key, and have mathematically guaranteed probabilities of not being spoofed. Zero knowledge authentication has many advantages over traditional password systems. One advantage is that each time possession of information is proven a different proof is presented (in contrast to a password which remains static). This prevents a single compromised session from compromising future sessions, each time knowledge of information is proven an adversary will need to over come highly unfavorable mathematical odds to spoof having possession of the information. Zero knowledge proof systems also have an advantage over automated signature based authentication systems (which are often described as naïve authentication systems) in that there is no risk of signing arbitrary content (that could possibly be malicious, or structured to weaken the signature algorithm). Zero knowledge proof systems have some disadvantages; they are more bandwidth intensive than traditional password systems (requiring multiple rounds of lengthy bit transfers) and they are weak to malicious verifier man in the middle attacks. The bandwidth issue is particularly troublesome considering the majority of speak easy forums will be on the Tor network, limiting bandwidth availability. We believe however that the added security benefits of a zero knowledge proof system are worth the inconvenient bandwidth consumption. As to the threat of a malicious verifier attempting to spoof the provers identity to a third party verifier, this threat is easily over come by not using the same FFS key pair for more than one verifier. This security requirement is taken into consideration in the group / key generation system of speak easy forums.

The actual Feige-Fiat-Shamir authentication system has a rather bizarre history. After filing for a patent the developers of the system were instead presented with an order of secrecy by the United States military, who claimed that public use of the system would be detrimental to national security. The secrecy order was quickly retracted as news of the order leaked to the media and academic circles.. We believe that the United States military wanting to keep this algorithm classified speaks more about its strength than anything else, and believe it to be an excellent choice of login authentication for speak easy forums.

Cryptographic signatures use a public / private key system and allow someone with a private key to sign something so that someone with their public key can prove the signature is theres. An analogy can be made similar to the previous analogy of asymmetric and symmetric encryption with the open locks and safes. Imagine that someone has your asymmetric encryption key (open lock) and writes you a message, then places it in a metal box and locks it shut. They then send a messenger to deliver the box to you so that you can open the lock after retrieving your private key from its combination safe. Although the deliverer can not read the message in the box, nothing is stopping them from simply writing a new message to you, putting it in a new box, shutting it with another one of your open locks, and pretending that the new message is the original message from the sender you are expecting the message from. A cryptographic signature is a sort of wax emblem which can be applied to the message inside of the box, the private key is the wax press and the public key is the emblem. Now when someone wants to send a message to you, they write it on a piece of paper, fold the paper over and shut it with their wax seal. They put the sealed message inside a metal box and lock it with your open lock, then instruct a messenger to deliver it to you. The messenger can not open the box, and if they attempt to impersonate the sender they will not be able to with out his wax press (which the sender is probably keeping in a combination safe along with his private key!). When you get the metal box from the messenger, you can open your combination safe and retrieve your private key to open the box. After opening the box and taking the message out, you can compare the impressions on the wax stamp to a copy of the senders impression you keep drawn on paper. If the stamp matches, you know that the message is really from the sender and not a malicious messenger. Cryptography allows for a perplexingly large number number of “wax presses” so it is highly unlikely that any two people will ever have the same one (just as it is highly unlikely that any two people will ever have the same private key).

For its cryptographic signature scheme a speak easy forum uses an algorithm called CMSS, which is an improved variant of the Merkle signature scheme. This is an extremely strong signature scheme. Most signature schemes are based on either RSA or El-gamal (such as GPGs algorithms), but these signature schemes are very weak against a quantum computer running Shors algorithm. CMSS on the other hand is very resistant to attacks, even from an adversary with a quantum computer capable of running Shors algorithm. CMSS has a number of disadvantages. Although the public keys (wax impressions) are quite small, the private key (was press) is very large and fairly slow to generate. A CMSS key can also only be used to sign a limited amount of messages, so new keys must be generated periodically. Speak easy forums attempt to ameliorate the possible security disadvantage of frequent and possibly confusing key changes by having clients generate two CMSS keys at a time, one for signing messages and one for signing future generated keys. CMSS keys of the size we plan to use are capable of signing approximately nine hundred messages, so a total of almost one million messages can be signed before the “issuer” key needs to be replaced. Key generation of the message signing key will take several minutes, but will only need to be done every nine hundred messages. We believe that the slight inconvenience of this is far outweighed by the advantages of having n extremely secure and quantum computer resistant signature scheme.

A cryptographic one way functions (hashing) is a mathematical function that allows for f(x) = y , were y can not be used to determine x. It is worth noting that it has never been proven that such a thing as an actual one way function exists, but in colloquial speech a hashing function that attempts to be a one way function is sometimes referred to as a one way function. It is worth noting that f(x) = y will result in an equal y for x no matter what, meaning that no matter how many times one (or many) run x through a specific hashing function, the resulting y will always be the same. It is also worth noting that y is a fixed length, often extremely smaller than x. This allows hashing to be used to limit bandwidth and still allow data transfer integrity checks. For example, if someone uploads a five gigabyte file to a server and wants to assure themselves that the file was uploaded fully with no lost packets or corrupted data, they could simply get the hash value of the file and compare it to a hash value the server makes of the file. If the hashes match, the files match. With out hashing the person would most likely have to download the file after uploading it to assure themselves that the file was uploaded correctly. Speak easy forums take heavy advantage of this property of hash functions to assure data transfer integrity between the clients and the server. This is particularly useful considering most speak easy forums will be on the Tor network, where bandwidth is very limited. For data transfer integrity, speak easy forums use the Sha-1 hash function. Sha-1 is a relatively weak hash that should not be relied on for strong security, but it generates a very small y compared to most hashing algorithms. We believe that as data integrity checking is of minimal importance from a security perspective, but of high importance from a bandwidth minimization perspective, that this is the preferential hashing function to use. It is worth a mention that there is no need to salt hashes for our implementation as only cipher text will be hashed for data integrity purposes. A traditional hash can be broken by brute force, or using a rainbow table, unless it is salted (which greatly reduces these threats). Due to the size of the text we are hashing, and due to the fact that it is only encrypted cipher text in the first place, there is no reason to use salting in our system.

Another utilization for hash functions is to deskew and distill randomness for use in a pseudo random number generator. This will go a bit into the functionality of pseudo random number generators, although these will be covered more in depth in the next paragraph. Essentially a PRNG is fed randomness and uses it to generate numbers. The cryptographic strength of the generated numbers depends greatly on the strength of the random data fed to it. Imagine an algorithm that generates ten strings of bytes based off some input, but only the final byte out of each ten is random. This creates a pattern (skewed randomness) and as the strings grow in size the amount of randomness to non-randomness will result in a very large collection of bytes for a relatively small amount of randomness. When a collection of bytes (with only the last byte being random) are fed through a hash function [f(string) = y] the resulting y contains all the randomness of the string evenly distributed through out it. For example, when our ten byte string is plugged as x using the whirlpool algorithm (which creates a y of 128 characters regardless of the size of x) the resulting y will have one byte of randomness distributed through out the string (each of the 128 characters will have .0625 bits of randomness in it). This is called deskewing of randomness, as it takes concentrated randomness and spreads it out. Lets imagine now that we have a string of twenty thousand characters with ten bytes of randomness in it. When we plug this as X using the whirlpool hash function, we get a 128 character string that contains the same amount of randomness as the twenty thousand character string. This removal of non-randomness is called distilling. The PRNG used by speak easy forums is called whirlpool, this hashing function is much stronger than Sha-1, and even more importantly results in longer Y's (so more randomness can fit in a hash sum).

It is perhaps worth mentioning that hashes can also be used for storing passwords. A server may have the hash of the phrase “password” on it as a users password, and when the user logs in they will send the string “password” to the server where it is hashed and compared to the stored hash. This allows servers to not store plain text passwords where they are likely vulnerable. This is only mentioned in passing as speak easy forums use a zero knowledge protocol for the login system, not a traditional password system.

A pseudo random number generator takes randomness (such as from mouse input) and converts it into a number. Random numbers are extremely important for most aspects of cryptography. Many crypto systems require two very large prime numbers to be generated. As the strength of a prime based key is drawn from the number of possible primes that can be multiplied together, it is essential that the primes used are taken from a set of all possible primes of however many bits. If a pseudo random number does not have the possibility to generate all primes of however many bits, it is flawed. It is also flawed if it is more likely to generate one prime from the set of possible primes than another prime from the same set. Pseudo random number generators do not specifically generate primes, they generate numbers of a certain bit length. Another component of a PRNG checks the number to see if it is an industrial prime. An industrial prime is a number that is prime with very high certainty, although it is not proven to be prime. It is possible to ensure that a number is prime, but is extremely time consuming and computationally intensive to do on numbers that are very large. A number that is an industrial prime is adequate for use in a crypto system. Speak easy forums use the Fortuna PRNG to generate numbers which are then put to the Miller-Rabin test to see if they are industrial primes. Fortuna is a PRNG designed by Bruce Scheiner, one of the brightest minds in the field of cryptology. It is considered to be an improvement on the Yarrow PRNG, also designed by Bruce Scheiner. The input fed to the Fortuna algorithm is discussed in more detail in the appropriate section, but it is appropriate to say here that the input is run through a whirlpool hash to deskew and distill it. The Miller-Rabin probable prime test is a mathematical algorithm that can determine with a high degree of accuracy (but again, not certainty) if a number is prime or not.

Steganography is the practice of hiding information inside other information. It is not the same as cryptography, which has the goal of making it impossible to read information that is in plain view. Steganography is often combined with cryptology to hide data that could not be read even if found. Steganography is not as developed of a field as cryptology and is not as secure, but when combined with cryptography it offers the powerful attribute of plausible deniability. Pictures, music files and videos are the primary media in which steganography hides information. The most basic method a steganography system uses is called LSB substitution. For example, and image file consists of various pixels of different colors. The colors are determined by binary bits, the amount of bits per pixel depends on the color scheme used. Usually a pixel will be 24 bits (16.8 million possible colors), so a pixel in an image consists of a string of 24 1's and 0's.. The human eye can not perceive anywhere near this many colors, so by changing the least significant bit of a picture (LSB) you can encode information into the picture with out changing the way the picture looks to the human eye (although some computer programs and algorithms can be used to try and detect hidden information in images). Using an 8 bit example, the difference between the color represented by 10101100 and 10101101 will not be noticeable to the human eye, but can be detected by a computer (especially if it knows where to look, which it figures out based on your key). A single image can not hold too much information as it has a limited number of bits and only a limited number of those bits can be modified and allow the picture to look identical to a human eye. Movies consist of a huge amount of still images compressed together. A movie can be decompressed into many many thousands of still images, each of which can have information hidden it, and then be re-compressed back into a video.

Speak easy forums use a steganographic algorithm called Mirage to hide the symmetrically encrypted client side program (and all posts, private messages, keys, etc) into a video. The launcher program for speak easy forums can be pointed at said video, decompress it, pull the appropriate bits from it, and decrypt them into the forum members client side program (with all their keys etc). The actual launcher itself can unfortunately not be hidden, or it would need another launcher to reveal it. It is there for suggested that the actual launcher program be placed in a hidden section of a Truecrypt encrypted file container, giving an adversary who seizes the computer the impression that the owner of the computer has no ties to any speak easy forums. The mirage algorithm uses LSB along with other more advanced techniques to hide data inside of images (images will be provided by a movie file being decompressed, as a single image does not offer adequate room to hide something the size of the client program component. Mirage is immune to many attacks that can reveal hidden information, and is resistant to most others. It should again be noted that steganography is not a very developed field and this should not be relied upon for security in and of itself, but rather be seen as a plausible deniability feature.

Compression is similar to cryptography in many ways and different in many ways. It is essentially f(x) = y where y is smaller than x and can be run through another function f(y) = x to return the original x. This is quite similar to a hash function, but reversible. Data is compressed mainly for bandwidth and storage requirements. As we imagine most speak easy forums will be on the Tor network it is very important that we try and minimize bandwidth requirements as much as possible. Another advantage of compressing data prior to encryption is that it makes it more difficult for someone who is trying to cryptanalyze cipher text. Data must be compressed prior to encryption, as cipher text should be extremely random and it is impossible to compress random data to any beneficial extent. Speak easy forums compress all information with the LMZA algorithm prior to encryption. This algorithm was selected because it has a very good compression ratio, and although it is fairly processor intensive we are more worried about minimizing bandwidth requirements than we are with processor requirements.
Click to expand...

Justin Troutman · Apr 10, 2009

On the NSA and the AES.

Here are some things I know about the NSA, along with other comments that have been taken, almost verbatim, from previous threads of mine; this is meant as a counter-argument for your decision to not use the AES, and the reasoning behind it.

Consider that we have two groups of cryptographic communities, if you will: The NSA and the academic community. The NSA has access to their own internal cryptanalysis, as well as the academic community's published cryptanalysis. The academic community has access to their own published analysis, but not the NSA's internal analysis. That's advantage number one.

The NSA, being a cohesive organization, can easily target their resources; if they want everyone working on a particular problem, they can make that happen. Needless to say, this can be quite impractical for the academic community, with cryptographers spread all over, at various academic institutions, organizations, companies, et cetera. That's advantage number two.

While they certainly have an edge, I believe that we've closed the gap significantly over the last few decades, so I'm not incredibly worried about their cryptanalytical abilities. I'm more worried about their other information-harvesting capabilities. Cryptography is arguably the strongest layer of the proverbial security onion, so to speak, and its track record certainly reinforces that. That, and there are almost always easier ways to get at data. Given that, and the fact that the NSA is in the business of getting data, where my concerns lie should be no mystery. For the record, I don't believe that the NSA can mount a practical attack on the AES, nor do I think there is any conspiracy surrounding it. Despite my lack of confidence in the NSA to do many things right, they've contributed positively to the field of cryptography before. That, and, as you've mentioned, they've deemed it suitable for SECRET and TOP SECRET information (i.e., Suite B, CNSSP-15).

There's no doubt that Serpent was built like a tank, and was the frontrunner, when "security margin" was taken into account. However, there's an important thing to take into account, when looking at distinctly designed primitives under this model. Consider that Rijndael, Twofish, and Serpent all have different round functions; in other words, each block cipher's design team decided what they felt should happen during each round, respectively. Needless to say, "what they felt," being subjective, differed between the teams. While "security margin" is a useful, generic model for juxtaposing cryptographic primitives, it has its limitations. Let's look at an example that demonstrates this by putting "security margin" into perspective.

Assume we have two block ciphers, A and B. A is a Feistel, while B is an SPN. There's a truncated differential attack on A that covers 7 of its 10 rounds and a higher-order differential-linear attack on B that covers 20 of its 40 rounds. On the surface, we can say B is stronger than A, because it still has 20 rounds left untouched, whereas A is only 3 rounds shy of a full break. On the other hand, this starts to lose value, when you consider that we're talking about two block ciphers based on different structural designs, using two different round functions, and analyzed using two different attack models. It could very well be the case that extending the attack on B's remaining 20 rounds is easier than extending the attack on A's remaining 3 rounds. It all depends on what's going on inside the round function.

To show how much it matters as to what's going on inside the round function, consider that Rijndael achieves full diffusion after 2 rounds, followed by Serpent at 3 rounds, and Twofish at 4 rounds; this is an example of how Rijndael is more conservative in regards to diffusion. While there are valuable design philosophies tucked within Twofish and Serpent, there's a good reason to use the AES; as I mentioned in a previous thread, it's receiving more cryptanalytical attention than any other block cipher - Twofish and Serpent included. This reasoning should be compelling enough for anyone, and you'll find that it's supported throughout much of the cryptographic community. Unless environmental constraints prevent it, for whatever reason, I strongly advise developers and consumers, both, to use the AES, when at all possible -- whenever and wherever.

From a security perspective, there's no need to implement Serpent or Twofish, "just in case." It boils down to the fact that the AES receives more cryptanalytical attention than any other block cipher, which is how a cryptographic primitive "earns its bones," so to speak. If you want even more reassurance, Ross Anderson (co-designer of Serpent) and David Wagner (co-designer of Twofish) recommend using the AES over Serpent and Twofish. Read Ross's thoughts on this on page 94, in Chapter 5 of his book, Security Engineering: A Guide To Building Dependable Distributed Systems (To all the security engineers in here: Do yourselves a big favor and download the first edition of this book). Read David's thoughts on this in a sci.crypt post of his. I highly recommend reading anything that David Wagner writes; it's always thought-provoking.

n33m3rz · Apr 10, 2009

Re: On the NSA and the AES.

Dual_EC_DRBG has me sketched out from anything NSA supports really. I do have two main questions for you though.

1. Do you believe that our project will be significantly more secure if we use AES instead of serpent? We use symmetric encryption to encrypt the client side program, to encrypt posts on the forum with a shared key (passive adversary will be defended from, so many people sharing a key will make it limited protection obviously), and more importantly to encrypt messages after an initial asymmetric key exchange (this key can be used to symmetrically exchange more keys symmetrically)

2. Do you think that ECDH used to encrypt McEliece cryptosystem cipher text is a good idea? ECDH is very nice by itself, but I like the fact that the McEliece cryptosystem is quantum resistant. Key exchanges are done sporadically so the huge cipher text of McEliece cryptosystem isn't too bad of a disadvantage, only one key needs to be exchanged asymmetrically then keys can be exchanged symmetrically using that key.

thanks for the advice. We will seriously consider using AES instead of serpent if you think AES will provide us with more security. If you think they will both provide roughly equal security however we will go with serpent as I don't trust NSA to promote stuff they can't get around. I wouldn't be surprised if serpent is suite A.

LockBox · Apr 10, 2009

It all sounds very interesting. Good luck with the project.

I think Justin always makes this point about the AES well. It's kind of the same principle of why Triple-DES is still considered pretty secure. Look at what all has been thrown at it and it's held up, for the most part and with certain limitations, to be a solid algorithm. If one were to have used certain other algorithms from that generation, there would be no way to really know how secure it is because it wasn't the focus of attention and study.

Log in or Sign up

Very secure forum / group communication system, looking for feedback

n33m3rz Registered Member

n33m3rz Registered Member

SteveTX Registered Member

n33m3rz Registered Member

SteveTX Registered Member

n33m3rz Registered Member

SteveTX Registered Member

n33m3rz Registered Member

Z32 Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

Justin Troutman Cryptography Expert

n33m3rz Registered Member

LockBox Registered Member

Log in or Sign up

Very secure forum / group communication system, looking for feedback

n33m3rz Registered Member

n33m3rz Registered Member

SteveTX Registered Member

n33m3rz Registered Member

SteveTX Registered Member

n33m3rz Registered Member

SteveTX Registered Member

n33m3rz Registered Member

Z32 Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

SteveTX Registered Member

n33m3rz Registered Member

n33m3rz Registered Member

Justin Troutman Cryptography Expert

n33m3rz Registered Member

LockBox Registered Member

Useful Searches