Introducing Cloakcast
0 likes927 views
This document introduces Cloakcast, a suite of tools for encrypted chatting. Cloakcast aims to hide who users are communicating with, the contents of their conversations, and when they are chatting, even if a malicious third party is sniffing traffic. It works by having clients encrypt messages using the recipient's PGP key and the server's PGP key before sending. The encrypted message is then decrypted and re-encrypted by the server before being sent to the recipient. Future versions may route traffic through Tor for additional anonymity. The document also provides background on Go, the programming language used to build Cloakcast, and shares code samples.
!["Which connected user are you
chatting with?"
● ...only it's better than this
● I've been talking about this like it's a
conversation happening in real-time
● It doesn't have to be
● Messages stay in a user's inbox until read
○ [EDIT: this will likely change in an upcoming version]
● Malicious parties only see data encrypted
with the Server's key or recipient's key
○ ...assuming you're using an uncompromised server,
in which case they know who's chatting, but not
when nor what about](https://image.slidesharecdn.com/stevephillips-introducing-cloakcast-v0-1-7-121213172313-phpapp01/85/Introducing-Cloakcast-7-320.jpg)
Introducing Cloakcast
- 1. Introducing Cloakcast Steve Phillips @ SB Hackerspace's WebTech Wednesday (hosted by Eucalyptus) 2012.07.25
- 2. Agenda ● Cloakcast ○ What it is ○ How it works ○ Which problem(s) it solves ● Go ○ What it is ○ Why I used Go to build Cloakcast ○ The codez
- 3. Cloakcast
- 4. What is Cloakcast? Why use it? Cloakcast is a suite of tools for chatting encrypted-ly. Using (a soon-to-be-released version of) Cloakcast means that a malicious, totalitarian third party can't tell... ● Who you're communicating with ● What you're saying to them, nor ● When you're communicating <-- the unique part ...even if they're sniffing the traffic of whoever you're talking to. In a future iteration, they may not even be able to tell you're using Cloakcast at all.
- 5. Who cares if They know when I'm chatting, and with whom? ● Trivial to correlate web traffic with chat traffic, encrypted or not ○ Creepy! ● With no encryption over GTalk... ○ I visit URL gov't considers suspicious (e.g. Wikileaks) ○ I send URL to $friend over GTalk ○ $friend visits URL ● With Pidgin + OTR over GTalk... ○ I visit URL gov't considers suspicious ○ I send URL to $friend over GTalk but it's encrypted ○ $friend visits URL ○ ...still pretty damn obvious who's talking with who about what! Cloakcast solves this.
- 6. How does/will Cloakcast work? 1. Client Sending 2. Server 3. Client Receiving ● Original text (from ● Decrypts outer- ● Decrypts outer-most user, or random most layer layer (from Server) garbage/decoy) ● Re-encrypts with ● Decrypts inner layer ● Encrypts using recipient's PGP (encrypted by recipient's PGP key key original sender) ● Encrypts using ● Original text Server's PGP key Cloakcast Server Uniqueness: Client sends message to Server once per second. If the user types a message that second, that's what gets encrypted and My sent. If the user doesn't type Your anything, a "garbage", Client decoy message gets sent Client instead.
- 7. "Which connected user are you chatting with?" ● ...only it's better than this ● I've been talking about this like it's a conversation happening in real-time ● It doesn't have to be ● Messages stay in a user's inbox until read ○ [EDIT: this will likely change in an upcoming version] ● Malicious parties only see data encrypted with the Server's key or recipient's key ○ ...assuming you're using an uncompromised server, in which case they know who's chatting, but not when nor what about
- 8. Chat Demo
- 9. Cloakcast Release Schedule ● Conceived, started July 9 ● v0.1 ○ Finished July 15 ○ Basic PGP-encrypted chatting in terminal ● v0.2 ○ Expected out in late July or August ○ WebSocket chat in browser ● v0.3 ○ Connect through Tor? ■ Cloakcast and Tor don't compose super nicely due to the 1-second pulse...
- 10. Future Feature Ideas ● Multi-server support ● Public key swapping within ○ No server sees entire Cloakcast? conversation ● Use OTR (instead of ● Request data from server at PGP/GPG)? adjustable rate ○ Maybe use mpOTR? ● Use HTTPS on port 443 ● Multiple concurrent 2-person ○ Extra encryption layer chats ○ Hides destination url ● Group chat + PGP sucks ● Can your ISP even tell ○ O(n^2) keys :- you're using Cloakcast? ● Platform??? ○ Maybe, using DPI, ○ Distributed system :-) maybe not (HTTPS) ○ Compute, scrape, etc ● Tor tunneling ● Legit auth ○ Cloakcast will help ○ "Client: prove you can against timing attacks decrypt $this to check 'your' inbox"
- 11. Go
- 12. What is Go? ● Programming language open sourced by Google in 2009 ● Reached stable v1.0 in late March 2012 ● Qualities ○ Fast and Concurrent ○ Compiled ○ Statically typed (in a good way!) ○ Simple and Powerful ○ Avoids typical trade-offs ■ Fast, static typing, painful v. Slow, dynamic, fun ● My favorite programming language ○ That's right: Python is #2
- 13. Cloakcast Code Samples (Emacs time...)
- 14. SOON: Run Cloakcast on your Android device Screenshot taken 2012.07.03 (3 weeks ago)
- 15. Go Resources ● Start here: http://tour.golang.org/ ● Articles: http://golang.org/doc/#articles ○ Also see http://blog.golang.org/ ● Then read http://golang.org/doc/effective_go.html ● My Go snippets (in go/ and go-r60/ dirs): https://github.com/sbhackerspace/sbhx-snippets/ ● More at Go homepage: http://golang.org/