Security Forums

Design plans for encrypted secure online chat. Review needed

rasmusbergpalm
Posted: Fri Oct 29, 2010 1:11 pm

UPDATE 2/12/2010: It's released! Check it out at https://aespad.com and give me some feedback

Hi. I'm currently putting together a secure use-and-dispose chat, inspired by sites such as piratepad.net. Let's call it OBSCURA for now (working name)

An online alpha can be found at: http://bergpalm.dk/obscura/
Please do not misuse, I'll close it down if it receives too much traffic.

Use case:
Alice goes to obscura.tld and presses create secure chat
Alice inputs her name and the password for the chat
Alice enters the chat, and is given a URL to share with Bob
Bob goes to the URL, enters his name and the same password as Alice
Alice and Bob share a private conversation.
When both log out the chat is destroyed.

Design considerations:
The encryption scheme used is AES in Counter mode of operation as implemented here http://www.movable-type.co.uk/scripts/aes.html
All encryption/decryption is performed in JavaScript to keep keys client-side.
When a chat is created, a salt is generated based on microtime + some pseudorandom numbers
The salt is sent to the clients
All encryption/decryption is performed against the password+salt
When Alice (chat owner) enters the chat, she sends a SHA1 hash (computed locally in JavaScript) of her password+salt to obscura. This is saved to the chat
When Bob tries to enter the chat he sends a SHA1 hash of his password+salt. If this matches the one supplied by Alice he's allowed in, else he is denied.

Why I think this is secure:
The keys never leave the clients
The only thing kept in the central DB are encrypted messages and a SHA1 of the password+salt for any given chat
Even if someone got access to the messages circumventing the authentication, they'd need the password to read them.

But don't trust my word for it. Set up your network analysers, check out the source code etc. to make sure that your password never leaves your machine.

I'll release the source code under a GNU v.3 when time comes.
What have I missed here? What are the security pitfalls? Do I need SSL/HTTPS? (since everything that leaves/enters the client is already encrypted)

Cheers, Rasmus.
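
The join check and message encryption from the design above, written for Node.js as an added example (not part of the original post or of the OBSCURA source). It puts the SHA1(password+salt) token beside a variant with a random salt, PBKDF2 key stretching and AES-GCM; the function names, the iteration count and the choice of PBKDF2 and GCM are assumptions, not the poster's design.

```javascript
// Added example, not the poster's code. Function names, the iteration
// count and the sample password are assumptions made for illustration.
const nodeCrypto = require('crypto');

// Per-chat salt from the OS CSPRNG rather than microtime + pseudorandom numbers.
function newChatSalt() {
  return nodeCrypto.randomBytes(16).toString('hex');
}

// The join token as the post describes it: SHA1(password + salt).
function joinTokenFromPost(password, salt) {
  return nodeCrypto.createHash('sha1').update(password + salt).digest('hex');
}

// Variant: stretch password + salt with PBKDF2 and split the output, so the
// token stored by the server and the message key are separate values.
function deriveKeys(password, salt, iterations = 200000) {
  const out = nodeCrypto.pbkdf2Sync(password, salt, iterations, 64, 'sha256');
  return { joinToken: out.subarray(0, 32).toString('hex'), messageKey: out.subarray(32) };
}

// Server side: compare the stored and presented tokens in constant time.
function serverAllowsJoin(storedToken, presentedToken) {
  const a = Buffer.from(storedToken, 'hex');
  const b = Buffer.from(presentedToken, 'hex');
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// AES-256-GCM instead of bare counter mode: a modified message fails to decrypt.
function encryptMessage(messageKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', messageKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptMessage(messageKey, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', messageKey, iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, nonce or tag was altered in transit or in the DB
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Key stretching only slows down password guessing against a stored token, so the strength of the chat password still matters.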
All times are GMT + 2 Hours