11.8.2014 GoldBug: Secure Instant Messenger
http://goldbug.sourceforge.net/ 1/17
Chat, p2p Email, e*IRC.
8 public/priv. RSA-Keys.
Secure End-to-End-Encryption (AES).
SSL-Connections.
Authentication (optional).
Distant-Chat.
Encrypted FileSharing.
GoldBug V 0.9.07
Secure Messaging: Communicate with strong multi-encryption.
What is GoldBug?
GoldBug is a secure instant messenger. With GoldBug (GB) you can be sure that no third party can look into your chat communication. Private user-to-user communication remains private. To achieve this, GoldBug uses strong multi-encryption, with different layers of modern encryption technologies from well-known and reviewed crypto libraries (such as libgcrypt (GnuPG) and OpenSSL). The app also offers decentral, encrypted email and decentral public E*IRC chat.
Why encryption matters:
Today almost every WiFi network is protected with a password. In a few years every plaintext message or email sent to friends over the internet will be encrypted too. It is not a question of having something to hide or not; it is a question of controlling the security of your communications yourself, or having it controlled by others. Strong multi-encryption secures the declaration of human rights in broad constitutional consensus and is a digital self-defense that everyone needs to learn and use. GoldBug is the easy-to-use tool for that.
Encrypted 1:1 Chat: GoldBug encrypts your private chat to a friend with RSA keys, SSL and end-to-end encryption.
Encrypted Groupchat: You can create a group chat with all your friends just by selecting them all.
StarBeam FileShare: Share files over the echo: transfer a file using a one-time magnet link to a crypto channel.
IP-less Key: Compared with other webs of trust, the key has no relation to an IP address. WOT 2.0.
Public/Priv. RSA Keys: GoldBug uses public/private RSA keys. The public key must be exchanged between friends.
Repleo: Either you send your key in plaintext or you use the Repleo, which encrypts your key itself.
Gemini: The Gemini is an AES end-to-end encryption for chat and an additional layer of encryption.
GoldBug-Passphrase: Secure your GB emails with a passphrase for each email. This is called a GoldBug-Phrase.
p2p Email: Next to chat, GoldBug offers you serverless p2p email without data retention. Integrated BitMail.
e*IRC: Public chat is provided with e*IRC, which is echo-ed IRC: group chat on AES channels.
MELODICA: The MELODICA button provides instant forward secrecy. Renew your Gemini in a second!
Instant Fwd Secrecy: Session AES keys are independent from long-term RSA keys. Use MELODICA often!
Opt. Authentication: GB provides optional use of signatures, for authenticated chat & emails. Trust, when needed.
Chat over Tor-Proxy: Yes, GoldBug can be used over the Tor proxy. It is a new TorChat application.
Echo Protocol: Next to encryption & f2f Email: Echo is a new algorithm that makes GB resistant to tracking.
Half Echo Modus: Half Echo sends messages only directly to one friend's IP. Exclude others from ever getting your message.
Simulacra-Scrambler: The simulacra sends out random fake messages from time to time. And no, it's not the Mona Lisa.
WoT-Deniability: The Half Echo Modus creates a deniability for a web-of-trust (f2f) in a p2p environment.
GoldBug Features
GoldBug.sf.net
Secure Instant Messenger
Testserver - DNS: tulip.cloud.tilaa.com
FAQ
Is GoldBug really secure?
How to install?
Why the Name?
What is StarBeam FileSharing?
GoldBug uses modern technology based on the open source libgcrypt libraries to encrypt data. Not only is the communication over the internet encrypted several times with different methods; the application also stores your data in an encrypted database. Even if online banking (HTTPS) were no longer regarded as secure, GoldBug still would be: it uses a mixture of a kind of public/private PGP-key/RSA encryption, optionally with e.g. AES encryption. It is thus additionally secured with (hash-salted) session keys and AES end-to-end encryption. Instead of AES you can of course choose one of the other available ciphers. It is your choice. Last but not least, all of that multi-encryption is sent over a secured SSL connection. The SSL connection is not based on any central server certificates, which could be backdoored; instead SSL is used the p2p way, so that there is no central instance that could sell your trusted certificate to a third party. The SSL certificates are self-signed.
Furthermore, you can sign every message and email. This is optional; unsigned messages can be sent as well. OpenSSL is used for key derivation and encryption for each socket. The personal keys that you own (chat, email, url) are generated by libgcrypt and are independent of OpenSSL. The app generates a total of six pairs of keys at the beginning of the initial setup.
(1) Download the zip installer and unzip it.
(2) Settings tab: Create a password.
(3) Settings tab: Check whether the paths to the kernel and GeoIP.dat are green. If not, set the paths.
(4) Settings tab: Activate the kernel.
(5a) Add-Key tab: Copy out your key with the big copy-key button and exchange keys with a friend (e.g. by email).
(5b) Add-Key tab: Paste the key of your friend and press the add button.
(6) Connect tab: Add the IP + port of your friend or of a chat server.
(7) Create-Listener tab: Choose the IP of your device (or localhost), press the button "Set" and then "Go Live".
(8) Status bar: Check whether all 3 LEDs are green. If the Neighbours LED (middle) does not turn green, try adding another IP, or delete the file "neighbors.db" in the subpath ".spoton" and restart, adding an IP into a fresh neighbors database.
(9) Chat tab or E*IRC tab: See whether chat friends are online.
" 'The GoldBug' is a short story by Edgar Allan Poe about cryptograms in 1843. The plot follows
William LeGrand, who recently discovered a gold-colored bug. His companion, Jupiter, fears LeGrand
is becoming now obsessed with searching for treasure, knowledge and wisdom after being in
contact with the GoldBug - and goes to LeGrand's friend, an unnamed narrator, who agrees to visit his
old friend. After LeGrand has deciphered a secret message the three start an adventure as a team.
'The Gold-Bug' - as one of the few pieces of literature - incorporates ciphers as part of the story. Poe
took advantage of the popularity of cryptography as he was writing 'The Gold-Bug' in 1843, and the
success of the story centers e.g. on one such cryptogram and the search for the Philosopher's Stone.
'The Gold-Bug' was an instant reviewed story and was the most popular and most widely evaluation of
Poe's works during his lifetime. His ideas also helped to popularize secured writing and cryptograms."
- Wikipedia.
6 Milestones of Security
(1) Open Source: The GoldBug Messenger is open source, with a BSD license. Use open source Linux instead of Windows.
(2) Decentral SSL: It uses the echo protocol with decentral SSL deployed by Qt & OpenSSL. Read about (half/full) echo below.
(3) End-to-End Encryption: GoldBug integrated the Gemini, Email-Passphrase and MELODICA features based on AES end-to-end encryption. Read below.
(4) Multi-Encryption: GoldBug uses (1) the public/private key method (asymmetric encryption with RSA key) (2) with e.g. AES cipher (symmetric end-to-end encryption) over (3) decentral, self-signed SSL.
(5) Strong Encryption: GoldBug uses 2048-RSA-Keysize and up with AES-256.
(6) Clientside Encryption: You cannot log into a central website; instead you install the GoldBug client on the local device in your hand. Define options yourself, such as key sizes, ciphers, salt length etc.
Who can set up a server?
Multi-Encryption: What technology do you use?
How to compile myself for windows?
How to compile for Linux, OS X Mac, Raspberry Pi, OS/2, Android?
StarBeam is the new file sharing protocol provided by libspoton and the GoldBug Messenger. Other file sharing applications such as Emule (since 2002) with Edonkey links, ShareAza (since 2004) and Vuze (since 2003) with BitTorrent and magnets (in the old standard) are well known for their web links to download files. Ten years later, the StarBeam file sharing protocol renews file transfer and the Magnet-URI standard. Magnets from StarBeam can be linked on any website, because they are not related to any specific file. Instead, they are links to a crypto channel in the echo p2p network. Only a so-called "One-Time-Magnet" (OTM) is related to a specific file and is used only one time, for the transfer of that file. That means it is fully OK to publish a StarBeam (SB) directory with magnets on your website.
SB magnets are deniable: it is never guaranteed that only one specific file, or even two files, are transmitted over this channel. No one can prove whether an OTM has ever been used or is used twice. StarBeam magnets can be private or public; if they are public, you should use an account to a trusted neighbour. If you don't have an account to a neighbour, even this is not needed: just transmit an encrypted zip/rar file and share the password in a different channel or at a later point in time than you share the magnet. StarBeam peers are able to record the stream and decrypt it later, when the zip password is public. A recorded stream is called a "mosaic", as you collect the chunks and puzzle the encrypted pieces together like in a mosaic. Once you have a part of a mosaic, you can play it back to others. Satellites of the source make a StarBeam stream sustainable. Even XORed files (offsystem) can be sent over the echo. There is much potential for the new file transfer with StarBeam. Nothing to be curious about: every instant messenger allows you to transfer a file; here it is just done over the echo protocol. Think the echo!
A StarBeam magnet contains the cipher type (ct), an encryption key (ek), a MAC key (mk) (which secures the encryption key a second time) and the hash type (ht), and looks e.g. like this:
magnet:?ct=aes256&ek=3BRXu+KofMPEjTLkPLEam1Bv9ndoX4nj&ht=sha512&mk=…
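A parser for the magnet format described above, written as an added example (it is not GoldBug or libspoton code). It shows why such a magnet must not go through a generic form decoder, which turns the '+' in the key into a space, and how to log a magnet without writing its keys to disk. The mk value, the percent-decoding rule, the redaction format and the audit rules are assumptions; only the field names, the ek sample and the 32-character minimum come from this page.

```python
import hashlib
from urllib.parse import parse_qs, unquote

PREFIX = "magnet:?"
REQUIRED_FIELDS = ("ct", "ek", "ht", "mk")  # field names from the page's sample
SECRET_FIELDS = ("ek", "mk")                # the magnet carries the keys themselves
MIN_KEY_CHARS = 32  # the page asks for end-to-end keys of at least 32 characters

# ek is the value printed on the page; mk is a constructed placeholder because
# the page's own mk value is not reproduced here.
SAMPLE_MAGNET = (
    "magnet:?ct=aes256&ek=3BRXu+KofMPEjTLkPLEam1Bv9ndoX4nj"
    "&ht=sha512&mk=CONSTRUCTED+placeholder/mac+key/0123456789abcdef"
)


def parse_starbeam_magnet(uri):
    """Split a StarBeam magnet into its fields without form decoding.

    Only %XX escapes are decoded (assumption). A literal '+' is kept, because
    it is a legal character in base64-style key material.
    """
    if not uri.startswith(PREFIX):
        raise ValueError("not a magnet URI")
    fields = {}
    for pair in uri[len(PREFIX):].split("&"):
        name, sep, value = pair.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed parameter: {pair!r}")
        if name in fields:
            raise ValueError(f"duplicate parameter: {name}")
        fields[name] = unquote(value)
    missing = [n for n in REQUIRED_FIELDS if not fields.get(n)]
    if missing:
        raise ValueError("missing field(s): " + ", ".join(missing))
    return fields


def naive_parse(uri):
    """What a generic query-string decoder does: every '+' becomes a space."""
    return {k: v[0] for k, v in parse_qs(uri[len(PREFIX):]).items()}


def audit_magnet(fields):
    """Return a list of findings for a parsed magnet (empty list = no finding)."""
    findings = []
    if len(fields["ek"]) < MIN_KEY_CHARS:
        findings.append("ek is shorter than 32 characters")
    if fields["ek"] == fields["mk"]:
        findings.append("ek and mk are identical")
    if any(ch.isspace() for ch in fields["ek"] + fields["mk"]):
        findings.append("whitespace in key material (was '+' form-decoded?)")
    return findings


def redact_magnet(uri):
    """Log-safe form: keys are replaced by a short SHA-256 fingerprint."""
    parts = []
    for name, value in parse_starbeam_magnet(uri).items():
        if name in SECRET_FIELDS:
            digest = hashlib.sha256(value.encode()).hexdigest()[:8]
            value = f"[redacted sha256:{digest}]"
        parts.append(f"{name}={value}")
    return PREFIX + "&".join(parts)


if __name__ == "__main__":
    good = parse_starbeam_magnet(SAMPLE_MAGNET)
    print("parsed ek :", good["ek"], audit_magnet(good))
    bad = naive_parse(SAMPLE_MAGNET)
    print("naive ek  :", bad["ek"], audit_magnet(bad))
    print("for logs  :", redact_magnet(SAMPLE_MAGNET))
```

Anyone who can read the magnet holds the channel keys, so the redacted form is the one that belongs in logs and tickets.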
Everyone. Everyone can and should set up a chat server for GoldBug. It is quite easy to create a listener (listening port) for your friends, if you can manage to make it accessible from the web (which often means forwarding the chosen port in your router/NAT, or setting it up not at home but directly on a webserver). The installation currently does not provide any server IP, so set one up for your friends to test. Or find server IPs on boards and forums. Some forums, boards or internet service communities have their own echo server. Just ask at your board. An E*MPP server - a server for the "Echoed Messaging and Presence Protocol", in short: Echo Protocol - connects to one or many clients, and of course to servers as well. All of that means there is no central server and everything is decentral, like any Jabber chat server. The difference is that this chat server does not allow any plaintext communication, and that chat servers connected to chat servers announce their existence within a p2p network. Once you are connected, you should be able to connect to one or several chat servers/listeners of the decentral p2p net.
Hence, EMPP chat servers define a new state of the art. It is therefore highly recommended to think about Jabber server software (and even Jabber clients) becoming hybrid with the echo protocol of libspot-on, which GB deploys too.
The technology is most modern: next to libgcrypt and the PGP-like method over SSL with optional AES end-to-end encryption, the whole client uses a new protocol, the Echo. Echo is currently deployed by the library libspot-on. Spot-On requires Qt 4.8.5 or Qt 5.1.x, libGeoIP 1.5.1, libcrypto 0.9.8 or later, libgcrypt 1.5.x, and libssl 0.9.8 or later. Qt 4.6.3 is also supported.
Download the source either from SVN or from the download section. It is also included in the win-installer zip. It might be good to get compile experience with the spot-on library first. For GoldBug, read the compiling wiki.
Easily:
1. Install Qt.
2. Install the needed libraries: GB requires Qt 4.8.5 or Qt 5.1.x, libGeoIP 1.5.1, libcrypto 0.9.8 or later, libgcrypt 1.5.x, and libssl 0.9.8 or later. Further: libsqlite3-dev, libgcrypt11-dev, libssl-dev, libgeoip-dev. The libGeoIP library is optional and may be circumvented by configuring the appropriate project file.
3. Choose the corresponding .pro file and compile with Qt Creator (GUI and kernel).
You can report your compiling experiences and scripts in the wiki. Help to create documentation.
Qt 4.8.5 or higher is highly recommended.
If header (h) or interface (ui) files have changed, please perform a distclean before building Spot-On.
Absolute cleaning:
make distclean or mingw32-make distclean
FreeBSD:
qmake -o Makefile spot-on.freebsd.pro
make
Linux:
qmake -o Makefile spot-on.pro
make
OS X:
qmake -spec macx-g++ -o Makefile spot-on.osx.pro
make
Windows:
qmake -o Makefile spot-on.win.pro
make or mingw32-make
What is Key, Repleo? Gemini and GB?
How is p2p Email to Offline Friends working?
What can the echo do to secure an encrypted Web of Trust (WOT)?
When you want to connect to a friend, you need to send him or her your key; you find it in the key tab. Once your friend has added your key, you need to select your friend in the chat tab (participants list) and copy the so-called "Repleo" (of this dedicated friend, so select him first). The Repleo needs to be sent back to your friend, and once it is added there too, you will both be connected. Furthermore you should of course connect to an IP of your chat server or of a third friend who has set up a listener in server mode. As long as chat servers are not connected to other chat servers, it makes sense for both friends to use the same chat server IP. Furthermore: the Gemini is a feature that adds another security layer to the chatroom with an AES key for end-to-end encryption. The Gemini is additionally secured by a cryptographic hash key (SHA 512), a so-called MAC (message authentication code). Third: the GoldBug feature is used in the integrated email client to add an end-to-end AES encryption layer here as well - the GoldBug, or: just a password, which both users use to encrypt their emails once more. So with the Gemini or GoldBug, you need a kind of password (e.g. an AES string) to open the email of a friend or to be able to chat with him.
You have a chat partner who is offline? No problem, send him an email with the GoldBug Messenger. Let's go to the email tab. The email system based on the echo protocol has no central servers, and each email to an offline friend is stored in a cache of your other trusted friends. It is not stored on the network or on any foreign nodes; only your direct chat partners take care of your personally encrypted envelopes and deliver them to the offline friend when he comes online. Currently no p2p email system allows sending email using this kind of security architecture. POP3 and IMAP are outdated with regard to security, as any post box could be created by anyone just by setting up an EMPP chat server. Test this email feature with at least 3-5 friends to get the full impression of emailing with GoldBug in a secure way. Because of the multi-encryption it is more secure than Gnupg, and it needs no central POP or IMAP server due to the decentral architecture. With the echo mail, data retention is brought back to private responsibility.
"First: Hide in the network."
Bruce Schneier
There are three reasons why Web of Trust (WoT) architectures and even Friend-to-Friend (F2F) so-called "Turtle-Hopping" networks might be considered insecure.
As trackers are regarded to map everything and to analyse hopping over at least three hops to friends, it is quite easy to know who is trusting whom. This can be analysed from outside a WoT, but also from inside the WoT, as a Web of Trust by nature shows who is trusting whom. So, if data retention (VDS) is tracking every social network connection, then a WoT does not provide anonymity, on the one hand. With the echo protocol everyone has every message - not only your WoT members - and it is highly complex to map that network. At the same time, though, you can use a so-called "half echo" modus, which creates an F2F network within the P2P network. Every node decides whether one or, in general, all connections should be full or half echoed. If a half echo is utilized, your message will be sent only to the direct connection and stops there. You have created a WoT within the general network.
Deniability: With "half echo" you cannot determine a private communication within the general echo network. So second, within a p2p network you have created a plausible deniability of a Web of Trust. While other networks discuss the pros and cons of p2p and f2f networks, GoldBug deploys both and creates an individual option to set as a slider between two ends: choose either detachment towards network mappers or build non-determinable direct trust connections. YOU define how to communicate over the echo with your friends in the GoldBug Messenger.
Third, GoldBug introduces a kind of Distant Chat. With GoldBug you can also message friends who are outside of your WoT, who are not directly connected to you - but still with the same trust and signature, as you have exchanged keys (Repleo). Ever tried to disconnect a trusted friend while keeping the secure communication and trust?
Releases & Info
GoldBug V 0.9.07 has been released on 2014-07-13 (Adaptive Echo Release):
Changelog 0.9.07: (1) Adaptive Echo (AE) released. A new era begins: Hansel and Gretel can communicate without letting the Wicked Witch know. Because your network will learn from connections: next to "Full Echo" (messages are sent to every connected neighbor and hop on and on to further neighbors, "P2P"), "Half Echo" (a message is sent only to one connected neighbor for one dedicated hop/transfer, "F2F") and "Echo-Accounts" (only defined neighbors are allowed to connect, "Web-of-Trust"), now with "Adaptive Echo" a learning, smart network will be established based on AE-Tokens. Adaptive Echo provides exclusiveness between nodes that know the token. That means a node/kernel will send the message not to all connected neighbors, but only to those who know the token. As the Wicked Witch does not know the token, Hansel and Gretel are free. See further explanation inside the Messenger. Please note that version 0.9.07 (Adaptive Echo release) removes compatibility with all previous versions. Hence, please update yourself and your friends with a new installation and key exchange. (2) The app will now join the default common developer e*IRC/Buzz channel automatically after startup. (3) Improved StarBeam FileSharing. (4) Improved the SCTP implementation with respect to large data transfers. Added an SCTP listener to the spot-on-neighbors.txt startup connection file. (5) GUI improvements and tooltip updates. (6) The compile flag for GoldBug is now found in GUI/spot-on-defines.h (just replace the /ui and .pro files in the spot-on.sf.net source for GB). (7) Upgraded libraries: Qt to version 5.3.1 on Windows and OpenSSL to version 1.0.1h on OS X and Windows.
Adaptive Echo Example: Hansel & Gretel.
When nodes A2, E5 and E2 share the same AE-token, then E6 will not get any message that A2 (Hansel) and E2 (Gretel) exchange. Node E5 learns via the token not to send to E6 (Wicked Witch).
Ask the server you connect to, and your friends, to add your tokens. Server admins can share tokens with other server admins as well.
An "Adaptive Echo" network does not reveal any destination information (comp. Ants Routing).
Remember: "Half Echo" sends only one hop to the connected neighbor and "Full Echo" sends the message to all connected nodes over infinite hops.
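The forwarding rules this page names (Full Echo, Half Echo, Adaptive Echo), modelled on the Hansel & Gretel nodes as an added example; it is not GoldBug or Spot-On code. The links between the nodes, the extra node E7, the keys, the duplicate suppression and the HMAC check that stands in for trial decryption are assumptions made for the model.

```python
import hashlib
import hmac
from collections import deque

# Constructed topology. The page names A2 (Hansel), E5, E2 (Gretel) and E6
# (Wicked Witch); the links between them are assumed, and E7 is a hypothetical
# node behind E6 that makes multi-hop flooding visible.
LINKS = {
    "A2": {"E5"},
    "E5": {"A2", "E2", "E6"},
    "E2": {"E5"},
    "E6": {"E5", "E7"},
    "E7": {"E6"},
}
AE_TOKEN_HOLDERS = frozenset({"A2", "E5", "E2"})

# Constructed end-to-end keys: only Hansel and Gretel share one.
KEYS = {
    "A2": {b"hansel-gretel-key"},
    "E2": {b"hansel-gretel-key"},
    "E6": {b"witch-key"},
}


def seal(key, payload):
    """Stand-in for encrypt-and-MAC: only the authentication tag is modelled."""
    return payload, hmac.new(key, payload, hashlib.sha512).digest()


def can_unwrap(node, message):
    """Trial 'decryption': a node tries every key it owns against the tag."""
    payload, tag = message
    return any(
        hmac.compare_digest(hmac.new(k, payload, hashlib.sha512).digest(), tag)
        for k in KEYS.get(node, ())
    )


def propagate(links, sender, mode, token_holders=frozenset(), half_echo_peer=None):
    """Return the set of nodes that end up holding a copy of the message."""
    if mode == "half":
        # One dedicated hop to one directly connected neighbor, never relayed.
        if half_echo_peer not in links[sender]:
            raise ValueError("half echo needs a directly connected neighbor")
        return {half_echo_peer}
    if mode == "adaptive" and sender not in token_holders:
        raise ValueError("sender does not know the AE token")
    seen = {sender}  # duplicate suppression so that flooding terminates (assumed)
    queue = deque([sender])
    while queue:
        node = queue.popleft()
        for peer in sorted(links[node]):
            if mode == "adaptive" and peer not in token_holders:
                continue  # token holders relay only to other token holders
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen - {sender}


def exposure(mode, token_holders=frozenset(), half_echo_peer=None):
    """Who holds Hansel's message, and who among them can unwrap it."""
    message = seal(b"hansel-gretel-key", b"opaque ciphertext bytes")
    holders = propagate(LINKS, "A2", mode, token_holders, half_echo_peer)
    readers = {n for n in holders if can_unwrap(n, message)}
    return sorted(holders), sorted(readers)


if __name__ == "__main__":
    print("full    :", exposure("full"))
    print("half    :", exposure("half", half_echo_peer="E5"))
    print("adaptive:", exposure("adaptive", token_holders=AE_TOKEN_HOLDERS))
```

In this model the relay E5 holds a copy in every mode, and a half echo from A2 stops at E5, so it reaches Gretel only if she is a direct neighbor.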
GoldBug V 0.9.05 has been released on 2014-05-31 (Added Example Project Chat Server Release):
Changelog 0.9.05: (1) Implemented Project Chat Server. GoldBug now connects automatically to a chat server. For that, the file "spot-on-neighbors.txt" has been added with server information of the project test server. The application will process the contents of the file after a new installation. Neighbor connections will be set to connected directly after the login. Please restart your application after initial key creation. Please note that the file "spot-on-neighbors.txt" is expected to reside within the directory that houses the GB executable. (2) Added a default E*IRC/Buzz developer's channel, so you can join and find other users and developers on the default project chat server. (3) For E*IRC/Buzz channels, salt values are now - next to hash keys - mandatory in case you create your own IRC room. In case you send a magnet to friends for your IRC room/channel, the hash and salt will be included automatically. (4) Optimized GUI layout for Windows 8.1 tablets (e.g. 7"-8").
GoldBug V 0.9.04 has been released on 2014-04-22 (SCTP & Institution Release):
Changelog 0.9.04: (0) Updated OpenSSL library to latest. GB had no heartbleed, as the lib was already the latest and not affected. (1) Improved, more simplified GUI, which is default at startup. (2) Added e-mail C/O institutions: Institutions will now be able to house 3rd-party e-mail without needing to distribute their public keys. (Please remove your old email.db.) By enabling the C/O service you create a post office for your friends. Two methods exist. First: define a common neighbor (e.g. Alice and Bob connect to a common webserver as node, and all three have email keys shared); then the webserver stores the emails, even if Alice or Bob are offline. Second: create an Institution and add the email key of a friend to your node. In case your friend adds the magnet link for the institution to his node as well, the institution will save all emails for him (also from senders who are not registered at the virtual institution). A magnet link makes it easy to share the Institution. (3) SCTP implementation and support for Windows. (4) Public keys of other participants will now be encrypted. Please remove friends_public_keys.db. (5) Corrected a bug in Rosetta CryptoPad decryption.
GoldBug V 0.9.02 has been released on 2014-03-13 (StarBeam Analyzer Release):
Changelog 0.9.02: (1) Added the StarBeam Analyzer to the tools menu for discovering missing chunks in the FileSharing function. (2) Ability to change friends' names permanently in Chat and E-Mail tabs. (3) Corrected an error with Rosetta text: newline characters are now no longer lost just because of toPlainText usage. (4) Upgraded Qt products to version 5.2.1 on Windows.
GoldBug V 0.9.00 has been released on 2014-02-07 (Tablet Gui Release):
Changelog 0.9.00: (1) Launch of the public project server for test purposes: DNS: tulip.cloud.tilaa.com (2) Massive kernel and further improvements. (3) Use a separate key for computing local keyed hashes: now generating more than 8 keys. (4) Ability to copy e-mail key pairs of friends. (5) Import and export of keys (tools menu). (6) Added menu buttons for the to-be-built tablet modes. (7) Pop-up chat windows malfunctioning has been corrected: sound available. (8) Introduced authentication timers (15 seconds) to secure D/H exchanges. (9) Upgraded to Qt 5.2.0 and OpenSSL 1.0.1f on Windows.
You see, a WoT is easily mappable; it is not anonymous, as you cannot disconnect a trusted friend while keeping the signed trust and communication; and third, you cannot create a plausible deniability of having utilized a WoT if you use a WoT. Adding echo to a WoT brings real added value to the IT architecture. The future will bring a lot of research into the comparison of web of trust models for chat based on security, detachment, signatures and encryption.
Fourth: GoldBug has the option for authentication and non-authentication; in case you choose not to sign your messages, you also have no need for deniability. The wish for "plausible deniability" (compare the analogy of a-theism) has turned into a "conscious state for no need of deniability" (compare the analogy of a-gnosticism). In case you combine e.g. authentication with e.g. direct connections ("signatures" as an option with "half echo" as an option and "super echo" as an option), then you have a web of trust hidden in the network. This "conscious state for no need of deniability" could be called "agnostic deniability".
Some server-based messengers, which were originally not made for secured connections and communication, need add-ons to encrypt the communication. In a surveilled environment the connection paths are still very easy to map: Alice sends to the server and Bob receives it from the server. It is possible to encrypt the communication with some provided add-ons, but the graph will not be hidden. Network analysts know at every time that it is A(lice, plaintext) -> S(server, plaintext) -> B(ob, plaintext), even if encryption tools are deployed: A(lice, ciphertext) -> S(server, ciphertext) -> B(ob, ciphertext).
How strong are the Encryption-Keys?
Can I run GoldBug over Tor or a Proxy?
GoldBug is Open Source BSD License?
Will GoldBug be released on mobile devices?
Does GoldBug save every message on a server?
GoldBug and its underlying libraries use strong encryption. Public/private RSA keys of less than 2048 are regarded as insecure and weak. Passphrases should have 16 digits, and end-to-end encryption keys need at least 32 digits of truly randomly generated characters, as in the AES-256 standard.
Of course, that is possible. You can use any web proxy or Tor to connect from your GoldBug to any neighbor or chat server. Because the chat protocol uses HTTP, you should even be able to create a chat server and listener for GoldBug using a so-called Tor hidden service. But this has not yet been tested, and running the chat and echo over Tor would be a task for the Tor community. Firewalled environments are not a problem either, as long as you are able to do online banking and have an accessible chat server within your IT environment/country.
Yes, GoldBug is open source with the BSD license (for the deployed libraries see here). That means you can review the code and use it to create your own application. In a time in which you cannot be sure whether operating systems, communication applications, drivers of hardware like network switches and keyboards or, who knows, even anti-virus software updates might put backdoors onto your machine or send out private data or email passwords, open source code has become a milestone in security. Don't trust closed source operating systems, applications, drivers or updates. It is highly appreciated if the GB source code is reviewed and used for the development of your own client. You find the source as a separate zip in the download section, as a subpath in the installer zip of the application, or in the SVN repository libspoton. LibSpotOn uses libgcrypt and OpenSSL as is, without modification. The deployed crypto libs might not use a BSD license, e.g. libgcrypt is LGPL, but as these are not modified and there is no "derived code", it is possible to deploy these libs in the BSD-licensed app (with the BSD license for GUI and kernel).
Currently GoldBug is provided as a release version for the Windows 7 operating system. The source code also provides Mac OS X and several Linux compile settings. A mobile build is intended - hence the drafted(!) sketches for a mobile design on this site - but not yet released. Android should be possible, as well as Linux operating systems like Sailfish or Ubuntu Mobile. Developers with dedicated devices and compiling skills are requested to provide binaries for GoldBug and join the project, or to set up a mod project on their own. However, the encryption will always be done on your device - client-side. There is no browser-based web service which offers that for you, as this is regarded as compromisable. You have to install a client, the app.
GoldBug has no central server, so nothing is saved on a corporate server. Everything is user-based and decentral. In case you email an offline friend, the message is stored with your trusted chat friends who are currently online. So have a few friends in your GoldBug: the decentral approach of course requires that you maintain at least a small network of users you are connected with. If you do not want to use this decentral approach, you can set up your own dedicated server or use the 'half echo' modus, so that your message is sent only to one participant over one dedicated connection.
GoldBug V 0.8 (Rosetta CryptoPad Release) has been released:
Changelog 0.8: (1) Release of the Rosetta CryptoPad Tool.
GoldBug V 0.7 (StarBeam Filesharing Release) has been released on 2013-12-19:
Changelog 0.7: (1) Added FileSharing: Introduced the StarBeam Transfer Protocol. Magnet links are related to crypto channels in the network, and are not related to files. One-Time-Magnets ("OTMs") are a crypto channel to one dedicated file transfer. Magnets of StarBeam are linkable on any homepage, as they are not associated with a file. The "Rewind" function starts the seed again. Seeders within this kind of "Crypto-Torrent"-like magnets as trackers remain anonymous. Chunks are encrypted. Keep magnets private, or use accounts for neighbours you trust, or provide the file rar/zip encryption key after the transmission. (2) e*IRC: Added hash keys and types to Buzz channels. (3) Transport: Added UDP transport as an option next to regular TCP transport. (4) GoldBug now deploys 6 RSA keys for Scrambler with faked Impersonator chat messages (install fresh; in case you upgrade, please delete the ./spoton path and generate a new profile). (5) Added support for TLS 1.1 and TLS 1.2, where available. (6) Introduced sequence numbers and UTC times to the chat protocol (with regard to UDP communications). (7) GUI improvements.
GoldBug V 0.6 (El-Gamal Release) has been released on 2013-10-24:
Changelog 0.6: (1) Introduction of ElGamal encryption key pairs (as an alternative to RSA keys). (2) Signature key pairs are extended to a choice of DSA and RSA. (3) Added accounts for chat server/neighbor connections: create a dedicated connection on your EMPP chat server for friends only, with a password. (4) Added pop-up windows per 1:1 friend chat (double-click on a friend to open it). (5) Allow neighbors to be defined such that (non-SSL) plaintext connections are prohibited (HTTPS-only connections, default: enabled - for that reason, please remove neighbors.db in case you take over your ".spoton" data path). (6) Introduced threaded peers: go parallel with your processes! (7) Added Magnet-URI scheme for e*IRC/Buzz chat channels as a kind of bookmarks for your echoed IRC-like chatrooms!
V0.5: Signature-Keys Release on 2013-09-16 / V0.4: Kernel-Improvement Release on 2013-09-03 / V0.3: Geo-IP-Release on 2013-08-26 / V0.2: SSL-Release on 2013-08-22.
GoldBug V 0.1 has been released on 2013-07-27, based on the same-day release of Spot-on.sf.net, ascending from the research project Ne.R.D.D. (https://sf.net/projects/nerdd/, registered on 06/27/2010)
The echo protocol library and compiling source
Does the network scale?
What about authentication and forward secrecy?
What is the Echo Protocol of LibSpot-On?
GB has a new encrypted IRC Chat implemented?
End-to-End-Encryption: What is the MELODICA Function?
Yes. There is no need to think theoretically. Set up a chat server for your university or community and you will see that you are able to handle any chat like any other chat server. In case you want to join several neighbors while not knowing which neighbor your friend is connected to, there have been good tests so far with other p2p applications. Every email uses several servers, and you can do messaging with the echo protocol in the same way. If we speak of several hundred thousand users, some fast machines are of course needed, and your friends should use country-based or institution-based chat servers. The small-world phenomenon has the paradigm that you are connected to everyone over seven hops. So just test it out in practice.
GB guarantees with the implemented signature for authentication that the sender is who you think it
is. If you receive a message from a contact whose fingerprint you verified, you are sure it can not have
been sent by someone else. Furthermore GB offers a way to additionally encrypt all messages using
an instant-shared symmetric-key (the “Gemini”). The MELODICA feature guarantees a proper
management of these keys (changing them often) with instant forward secrecy. Obtaining someone’s
private RSA-key is not enough to decrypt their past conversations.
The echo protocol means in simple words, you send only encrypted messages, but you send the one
message to all of your connected friends. They do the same. You maintain your own network,
everyone has every message and you try to decrypt every message. In case you can read and unwrap
it, it is a message for you. Otherwise you share the message with all your friends and the message
remains encrypted. If you use the modus "half echo", then your message is not shared with other
participants. Echo is very simple and the principle is over 30 years old - nothing new. As echo uses
HTTP as a protocol, there is no forwarding or routing of messages, as you send your message e.g.
from your home laptop to your webserver. That is similar as if you send an encrypted zip from your
home to your own webserver. The process starts at each destination new - as you define it. With
echo, you start not only a new protocol, but also a new dimension of networking and thinking. Echo is
not p2p nor is it f2f, it adds a third category into the net world, which of course can bridge p2p to f2f
and create not-determined WoT connections with the half echo. The super-echo is an option to
forward a message even in the case that you could have read it. This makes an analysis (in a simple
environment, the so-called "triangulation of the destination") senseless, in which two nodes acting as
analyzers connect to one other node and a fourth node sends a message: with the GB option
"Super-Echo" every analyzing node gets the message in every case (readable messages are forwarded
to neighbors as well).
Next to the implemented private chat and implemented offline email, GoldBug Messenger also integrates
an IRC chat for public channels and IRC rooms. The IRC protocol has been newly defined with
the echo; as the chat is not based on the IRC protocol, the proper name would be E*IRC = Echo*IRC.
GoldBug has currently implemented only one channel - how could it be otherwise, it is: goldbug (in small
letters). All people, connected to one IP, just need to enter the room name, e.g. "goldbug" and they
are connected within the room. The advantage is, that this channel is created based on an AES-key.
Every connection to this room is encrypted and cannot be read by any ISP - as long as the channel
name is not known. Example: Two friends at a party or at the online chat can agree to find a common
word as a channel name, they only both know. Ask your girlfriend: "What is the pet we both like
most?" - She thinks: "Dalmatian". And you connect now within this room. Qt-IRC clients (like Quassel
or KVIRC) are kindly requested to implement the echoed IRC. One client which has already declared that
it will add E*IRC functionality is http://netsplit.sf.net - Qt developers are welcome to join. Netsplit is
a well-known phenomenon in old-style IRC: if several IRC servers are disconnected, the room members
are split. Conversely: when different server IPs host the same room name
and both servers connect, all the members of the same room behind the milky way will join
the same named channel. With GoldBug E*IRC servers, which connect to other E*IRC servers as well, the
netsplit is transcended: two rooms are bridged into one. For the 'goldbug' channel-room you get more
users when you add several chat servers to your messenger.
With the MELODICA button or the (right mouse click) context menu you call your friend and send
him a new Gemini (AES-256 key). The key is sent over your asymmetric RSA-key encryption.
This is a secure way, like the sneakernet, to transfer end-to-end keys, as all other plaintext transfers
like email, speaking over the phone or in other messengers have to be regarded as unsafe and recorded.
MELODICA stands for: Multi Encrypted LOng DIstance CAlling. You call your friend even over a long
distance of the echo protocol and exchange over secure asymmetric encryption a Gemini (AES-256
key) to establish an end-to-end encrypted channel. As the Gemini is a shared secret, how will you
transfer it over the insecure internet? How to transfer a symmetric key safely and securely? Just use
MELODICA, which provides a key transport based on public key encryption. You can press the button
at any time when your friend is online and quickly generate a new Gemini unique at both sides.
MELODICA has been introduced with GoldBug libspoton version V02 (which is not backwards
compatible with kernel and gui of V01 - please update).
Echo is downloadable here:
Qt-COMPILING:
1. Use source of http://spot-on.sf.net :
https://sf.net/p/spot-on/code/HEAD/tree/
2. replace:
- path /UI with /UI files of GB,
- use .pro-files of GB
https://sf.net/p/goldbug/code/HEAD/tree/
3. GUI/spot-on-defines.h: set GB = 1 and Name
= GoldBug
What are de-magnetized e*IRC-Chat rooms?
Can I join the development or contribute ?
Has the code been revised?
How can John see, what is transferring?
A public e*IRC-Chat room can be linked on a website with a Magnet-Link. These rooms are encrypted
with an AES key; only those participants who know the key can join and decode the chat. This
keeps your ISP out of public chat. The rooms are defined by the room name, by a salted hash and a
frequency value. These values are summarized in the Magnet-URI. These Magnet-Links in GoldBug
follow the Magnet-URI standard. That means you can add a GoldBug IRC room to your website with
the Magnet-Link. Users can copy the Magnet, add it in GB, de-magnetize the link and join the
room. The function is similar to "irc://". The magnet has the following structure:
magnet:?dn=goldbug&xf=10000&xs=&ct=aes256
DN = roomname / xf = exact frequency / xs = exact salt / ct = ciphertype. Changing one value
creates a new (private) room you can share with one person or the public.
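The room magnet above, parsed and checked, as an added example that is not GoldBug or Spot-On code. How GoldBug turns the name, salt and frequency into the AES key is not described on this page: PBKDF2-HMAC-SHA256 with `xf` as the iteration count is an assumption, used only to show that changing any one field gives an unrelated key. `RoomMagnet`, `parse_room_magnet`, `derive_room_key`, `audit`, `MAX_FREQUENCY` and `MIN_NAME_LEN` are hypothetical names and limits.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

SAMPLE = "magnet:?dn=goldbug&xf=10000&xs=&ct=aes256"  # the magnet shown on the page
KEY_BYTES = {"aes256": 32}   # the only cipher type the page shows
MAX_FREQUENCY = 1_000_000    # hypothetical cap: a pasted magnet must not stall the client
MIN_NAME_LEN = 12            # hypothetical policy threshold for a private room name


@dataclass(frozen=True)
class RoomMagnet:
    name: str       # dn = room name
    frequency: int  # xf = exact frequency
    salt: str       # xs = exact salt (empty in the page's sample)
    cipher: str     # ct = cipher type


def parse_room_magnet(uri: str) -> RoomMagnet:
    """Parse and validate a room magnet; raise ValueError on anything ambiguous."""
    parts = urlsplit(uri)
    if parts.scheme != "magnet" or parts.netloc or parts.path:
        raise ValueError("not a magnet URI")
    try:
        fields = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise ValueError(f"malformed magnet query: {exc}") from None
    values = {}
    for key in ("dn", "xf", "xs", "ct"):
        got = fields.get(key)
        # A repeated field would let two clients disagree on which room is meant.
        if got is None or len(got) != 1:
            raise ValueError(f"field {key!r} must appear exactly once")
        values[key] = got[0]
    if not values["dn"]:
        raise ValueError("empty room name")
    xf = values["xf"]
    if not (xf.isascii() and xf.isdigit()) or not 1 <= int(xf) <= MAX_FREQUENCY:
        raise ValueError("xf must be an integer between 1 and MAX_FREQUENCY")
    cipher = values["ct"].lower()
    if cipher not in KEY_BYTES:
        raise ValueError(f"unsupported cipher type {cipher!r}")
    return RoomMagnet(values["dn"], int(xf), values["xs"], cipher)


def derive_room_key(m: RoomMagnet) -> bytes:
    """ASSUMPTION: PBKDF2 stands in for GoldBug's real (undocumented here) derivation."""
    salt = f"room|{m.cipher}|{m.salt}".encode()
    return hashlib.pbkdf2_hmac("sha256", m.name.encode(), salt, m.frequency,
                               dklen=KEY_BYTES[m.cipher])


def audit(m: RoomMagnet) -> list:
    """Flag magnets whose secrecy rests on the room name alone."""
    findings = []
    if not m.salt:
        findings.append("empty salt: the key depends on the room name alone")
    if len(m.name) < MIN_NAME_LEN:
        findings.append("short room name: easy to guess or to overhear")
    return findings


if __name__ == "__main__":
    room = parse_room_magnet(SAMPLE)
    print(room, derive_room_key(room).hex(), audit(room), sep="\n")
```

For the page's own sample magnet, `audit` reports both findings: the salt is empty and the name is short, so the room is private only as long as the name stays unknown.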
Of course you can: spread the word, add a notice to your blog, test the software, download the source
code, invite friends, add translations, evaluate the code, contribute code to the given echo projects or
create your own client based on the echo or implement it hybrid or as a plugin into given applications
referring to communication, which should be secured. Most important: create a listener which is
reachable from the web on your webserver or at home, by properly forwarding your chosen port in your
router/NAT. Or write an RFC. Since the libspot-on release, echo is open for research and GB-Messenger
added a cool user interface (UI) to it: Either research echo as is or its way of thinking as added value
for other applications and protocols. In the given echo apps like GoldBug some features might also
be of interest: Email currently has no attachment, and you might ask about echo being a web proxy
between two nodes (à la psiphon), or you think of echo-torrents?! Learn to understand what echo is
and rethink given protocols based on the echo. GoldBug is just a simple design study of the user
interface for the spot-on library, which deploys the echo. Jabber, Torrent, POP3/IMAP and IRC are not
up to date anymore in case you consider the echo. Please update.
The code and implementation are under very high-level quality control by professional development,
and it is an open source contribution of several communities for the used and revised libs included. Be
part of this contribution. External evaluations have proven it clean: e.g. "FreewareFiles tested GoldBug
Instant Messenger 0.4 on 2013-09-03 using leading antivirus scanners and found it 100% Clean. It
does not contain any form of malware, spyware, viruses, trojans, etc. We will re-test each updated
version." Or: "This product was last tested in the Softpedia Labs on
19th of September 2013 by Andreea Matei. Softpedia guarantees that GoldBug Instant Messenger
0.5.1903 is 100% Free, which means it does not contain any form of malware. This software product
was tested thoroughly and was found absolutely clean. GoldBug Instant Messenger V 0.5 -
SOFTPEDIA "100% CLEAN" AWARD: We are impressed with the quality of your product and
encourage you to keep these high standards in the future. To let your users know about this
certification, you may display this award on your website!"
Either use Wireshark or just set up a non-SSL listener on 127.0.0.1 and connect your browser to
http://127.0.0.1:4710/ and you will see all transferred HTTP code like this:
POST HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 5098
Is there a graphic-scheme for the encryption model ?
I want to subscribe to the mailinglist-forum
AES
Authentication
Algorithm
Subscribe https://lists.sourceforge.net/lists/listinfo/goldbug-forum for new updates.
66 Terms about the Tool
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. It is
based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent
Rijmen. AES has been adopted by the U.S. government and is now used worldwide. It superseded the
Data Encryption Standard (DES) in 2001. Brute-forcing 256-bit keys is simply beyond the capability of
classical computing, and potentially still impossible even after the advent of efficient quantum
computers. To estimate how long it takes, you divide half the number of total keys by the number of keys
you try per year, which gives you about 10^22 years, which is pretty much forever since the universe
is only about 10^10 years old. In GoldBug the AES key is deployed by the MELODICA function or set
manually with the Gemini and Email Passphrase-Option.
http://embeddedsw.net/Cipher_Reference_Home.html#AES
Authentication (from Greek: αὐθεντικός; real or genuine, from αὐθέντης authentes; author) is the act of
confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a
person or software program. Various systems have been invented to allow authors to provide a means
for readers to reliably authenticate that a given message originated from or was relayed by them.
These involve authentication factors like:
- A difficult-to-reproduce physical artifact, such as a seal, signature, watermark, special stationery, or
fingerprint.
- A shared secret, such as a passphrase, in the content of the message.
- An electronic signature; public-key infrastructure is often used to cryptographically guarantee that a
message has been signed by the holder of a particular private key.
In mathematics and computer science, an algorithm is a step-by-step procedure for calculations.
In computer systems, an algorithm is basically an instance of logic to produce output from given input
(perhaps null).
Modern cryptography is heavily based on mathematical theory and computer science practice;
cryptographic algorithms are designed around computational hardness assumptions, making such
algorithms hard to break in practice by any adversary. It is theoretically possible to break such a
system but it is infeasible to do so by any known practical means. These schemes are therefore
termed computationally secure; theoretical advances, e.g., improvements in integer factorization
algorithms, and faster computing technology require these solutions to be continually adapted. There
exist information-theoretically secure schemes that provably cannot be broken even with unlimited
computing power—an example is the one-time pad.
Base-64
BitMail
Buzz
c/o
Call
Congestion Control
Decentral
Deniability
Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII
string format by translating it into a radix-64 representation. The term Base64 originates from a
specific MIME content transfer encoding.
Base64 encoding schemes are commonly used when there is a need to encode binary data that
needs to be stored and transferred over media that are designed to deal with textual data. This is to
ensure that the data remains intact without modification during transport. Base64 is commonly used
in a number of applications including email via MIME, and storing complex data in XML.
BitMail is the name used in GoldBug for the Email client.
Buzz is the name of the libspoton to provide echoed IRC (e*IRC). So Buzz is another word for IRC,
respective e*IRC, used by the library.
"Care of", used to address a letter when the letter must pass through an intermediary (also written
c/o). Neighbors are often asked to care of your postal letters, in case you live with them in one house
or have a relationship to them. As well parcel stations, letter boxes or just persons e.g. at your home
or in the neighborhood provide a local delay of your envelopes and parcels, in case you are at work
and want to receive the parcel or letter in the evening. The included Email Function of GoldBug
provides such a feature.
A call is new defined by the library libspoton. A "Call" with the MELODICA feature of GoldBug means,
to transfer over a public/private key encrypted environment a symmetric key (e.g. AES) - a password
for the session talk, only the two participants know. With one click on the MELODICA button you can
instantly renew the end-to-end encryption password for your talk.
Congestion Control provides a cache, so that messages, you already are aware of, are not processed
to neighbors anymore. This helps especially for mobile devices and webservers running GoldBug to
reduce redundancy and process messages faster.
Decentralized computing is the allocation of resources, both hardware and software, to each individual
workstation, or office location. Decentral means there is no central server nor a web interface through
which you can log into a service. A client needs to be installed and adjusted locally on your device. Another term is:
Distributed computing. Distributed computing is a field of computer science that studies distributed
systems. A distributed system is a software system in which components located on networked
computers communicate and coordinate their actions by passing messages. Based on a “grid model”
a peer-to-peer system, or P2P system, is a collection of applications run on several local computers,
which connect remotely to each other to complete a function or a task. There is no main operating
system to which satellite systems are subordinate. This approach to software development (and
distribution) affords developers great savings, as they don’t have to create a central control point. An
example application is LAN messaging which allows users to communicate without a central server.
In computer networks, deniability often refers to a situation where a person can deny transmitting a
file, even when it is proven to come from his computer. Normally, this is done by setting the computer
to relay certain types of broadcasts automatically, in such a way that the original transmitter of a file
is indistinguishable from those who are merely relaying it. In this way, the person who first transmitted
the file can claim that his computer had merely relayed it from elsewhere, and this claim cannot be
disproven without a complete decrypted log of all network connections to and from that person's
computer.
In cryptography, deniable encryption may be used to describe steganographic techniques, where the
very existence of an encrypted file or message is deniable in the sense that an adversary cannot prove
that an encrypted message exists. In this case the system is said to be Fully Undetectable, FUD.
Some systems take this further, such as MaruTukku, FreeOTFE and (to a much lesser extent)
TrueCrypt, which nest encrypted data. The owner of the encrypted data may reveal one or more keys
to decrypt certain information from it, and then deny that more keys exist, a statement which cannot
be disproven without knowledge of all encryption keys involved. The existence of "hidden" data within
the overtly encrypted data is then deniable in the sense that it cannot be proven to exist.
DNS
e*IRC
Echo
Echo, Full
Echo, Half
Encryption, asymmetric
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services,
or any resource connected to the Internet or a private network. It associates various information with
domain names assigned to each of the participating entities. Most prominently, it translates easily
memorized domain names to the numerical IP addresses needed for the purpose of locating computer
services and devices worldwide.
Dyn (aka DynDNS) is an infrastructure as a service company (like many others) that provides Internet
DNS and email delivery services for commercial and private users.
It originally provided a free dynamic DNS service, which allowed users to have a subdomain that points
to a computer with regularly changing IP addresses, such as those served by many consumer-level
Internet service providers.
The IRC protocol has been newly defined with the echo protocol; as the chat is not based on the IRC
protocol, the proper name would be E*IRC = Echo*IRC. GoldBug has currently implemented only one
channel - how could it be otherwise, it is: goldbug (in small letters). All people, connected to one IP, just need to
enter the room name, e.g. "goldbug" and they are connected within this group chat room. The
advantage is, that this channel is created based on an AES-key. Every connection to this room is
encrypted and cannot be read by any ISP - as long as the channel name is not known.
The echo protocol means from an operational view: you send only encrypted messages, but you send
your to-be-sent message to all of your connected friends. They do the same. You maintain your own
network, everyone has every message and you try to decrypt every message. In case you can read
and unwrap it, it is a message for you. Otherwise you share the message with all your friends and the
message remains encrypted. Echo is very simple and the principle is over 30 years old - nothing new.
As echo uses HTTP as a protocol, there is no forwarding or routing of messages: no IPs are
forwarded, e.g. like it is if you send your message e.g. from your home laptop to your webserver. The
process starts at each destination new - as you define it. The echo protocol provided by libspoton has
nothing to do with RFC 862. The new echo protocol RFC has to be written new. With or without that
number.
With the modus "full echo" your message is forwarded from friend to friend and so on, until the
recipient could decrypt the envelope and read the message. It requires a few connections to neighbors
in a p2p network.
If you use the modus "half echo", then your message is not shared with other, third participants
(Model: A -> B -> C) . Only direct connections are used (Model A -> B). It requires only one direct
connection to one friend.
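The full echo, half echo and super-echo behaviour and the congestion-control cache described in these entries, as an added simulation that is not libspoton code. Assumptions: one symmetric key per node stands in for its public/private key pair, and `seal`/`try_open` are a toy authenticated envelope (SHA-256 keystream plus HMAC) chosen only so the example runs on the Python standard library; all names are hypothetical.

```python
import hashlib
import hmac
import os
from collections import deque


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    enc = _subkey(key, b"enc")
    blocks = (hashlib.sha256(enc + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Toy envelope (NOT GoldBug's encryption): nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def try_open(key, envelope):
    """Return the plaintext if the envelope was sealed for `key`, else None."""
    if len(envelope) < 48:
        return None
    nonce, body, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # "cannot read and unwrap it": not a message for this node
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class Node:
    def __init__(self, name, super_echo=False):
        self.name = name
        self.key = os.urandom(32)  # ASSUMPTION: stand-in for the node's key pair
        self.super_echo = super_echo
        self.neighbors = []
        self.seen = set()          # congestion control: envelopes already processed
        self.inbox = []


def connect(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def echo_send(sender, recipient, text, mode="full"):
    """Flood one envelope through the network; return the (from, to) hops on the wire."""
    envelope = seal(recipient.key, text)
    digest = hashlib.sha256(envelope).digest()
    sender.seen.add(digest)
    queue = deque((sender, n) for n in sender.neighbors)
    hops = []
    while queue:
        src, node = queue.popleft()
        hops.append((src.name, node.name))
        if digest in node.seen:
            continue                  # congestion control drops the duplicate
        node.seen.add(digest)
        plain = try_open(node.key, envelope)
        if plain is not None:
            node.inbox.append(plain)
            if not node.super_echo:
                continue              # readable, so it was for us: stop echoing
        if mode == "half":
            continue                  # half echo: never passed on to third parties
        queue.extend((node, n) for n in node.neighbors if n is not src)
    return hops


if __name__ == "__main__":
    s, x = Node("S"), Node("X", super_echo=True)
    w1, w2 = Node("W1"), Node("W2")   # two observing neighbors of X
    for a, b in ((s, x), (x, w1), (x, w2)):
        connect(a, b)
    print(echo_send(s, x, b"hello"))  # with super-echo X forwards what it could read
```

With `super_echo=False` on X the two observers receive nothing when X is the recipient, which is exactly the signal the super-echo option removes.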
Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is
secret and one of which is public. Although different, the two parts of the key pair are mathematically
linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the ciphertext.
Neither key can perform both functions by itself. The public key may be published without
compromising security, while the private key must not be revealed to anyone not authorized to read
the messages.
Public-key cryptography uses asymmetric key algorithms. A public key algorithm does not require a
secure initial exchange of one (or more) secret keys between the sender and receiver. Public-key
cryptography is widely used. It is an approach used by many cryptographic algorithms and
cryptosystems. This method underpins such Internet standards as Transport Layer Security (TLS),
PGP, G(nu)PG and libspoton, which is used for GoldBug. Diffie–Hellman key exchange is the most
widely used public key distribution system.
Encryption, clientside
Encryption, Multi-
Encryption, strong
Encryption, symmetric
End-to-End
Client-side encryption is the cryptographic technique of encrypting data before it is transmitted to a
server in a computer network. Usually, encryption is performed with a key that is not known to the
server. Consequently, the service provider is unable to decrypt the hosted data. In order to access the
data, it must always be decrypted by the client. Client-side encryption allows for the creation of zero-
knowledge applications whose providers cannot access the data its users have stored, thus offering a
high level of privacy.
Multiple encryption is the process of encrypting an already encrypted message one or more times,
either using the same or a different algorithm. Multiple encryption (Cascade Ciphers) reduces the
consequences in the case that our favorite cipher is already broken and is continuously exposing our
data without our knowledge. When a cipher is broken (something we will not know), the use of other
ciphers may represent the only security in the system. Since we cannot scientifically prove that any
particular cipher is strong, the question is not whether subsequent ciphers are strong, but instead,
what would make us believe that any particular cipher is so strong as to need no added
protection. Folk Theorem: A cascade of ciphers is at least as difficult to break as any of its component
ciphers.
Strong cryptography or cryptographically strong are general terms applied to cryptographic systems or
components that are considered highly resistant to cryptanalysis. An encryption algorithm is intended
to be unbreakable (in which case it is as strong as it can ever be), but might be breakable (in which
case it is as weak as it can ever be) so there is not, in principle, a continuum of strength as the idiom
would seem to imply: Algorithm A is stronger than Algorithm B which is stronger than Algorithm C,
and so on. Examples: PGP is generally considered an example of strong cryptography, with versions
running under most popular operating systems and on various hardware platforms. The open source
standard for PGP operations is OpenPGP, and GnuPG is an implementation of that standard from the
FSF.
The AES algorithm is considered strong after being selected in a lengthy selection process that was
open and involved numerous tests. The SSL protocol, used to secure Internet transactions, is
generally considered strong. Standards of today.
There are two basic types of encryption schemes: Symmetric-key and public-key (asymmetric)
encryption. Symmetric-key encryption is often as well called end-to-end-encryption. In symmetric-key
schemes, the encryption and decryption keys are the same. Thus communicating parties must agree
on a secret key before they wish to communicate. Symmetric-key encryption can use either stream
ciphers or block ciphers. Stream ciphers encrypt the digits (typically bytes) of a message one at a
time. Block ciphers take a number of bits and encrypt them as a single unit, padding the plaintext so
that it is a multiple of the block size. Blocks of 64 bits have been commonly used. The Advanced
Encryption Standard (AES) algorithm approved in December 2001 uses 128-bit blocks. A symmetric
structure used in the construction of block ciphers is in cryptography a Feistel cipher, named after the
German-born physicist and cryptographer Horst Feistel who did pioneering research; it is also
commonly known as a Feistel network.
The end-to-end principle is a classic design principle of computer networking,[nb 1] first explicitly
articulated in a 1981 conference paper by Saltzer, Reed, and Clark.
The end-to-end principle states that application-specific functions ought to reside in the end hosts of a
network rather than in intermediary nodes – provided they can be implemented "completely and
correctly" in the end hosts. In debates about network neutrality, a common interpretation of the end-
to-end principle is that it implies a neutral or "dumb" network. End-to-end encryption (E2EE) is an
uninterrupted protection of the confidentiality and integrity of transmitted data by encoding it at its
starting point and decoding it at its destination. It involves encrypting clear (red) data at source with
knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through
vulnerable channels (e.g. public networks) to its recipient where it can be decrypted (assuming the
destination shares the necessary key-variables and algorithms). An end-to-end encryption is often
reached by providing an encryption with the AES Passphrase.
Forward Secrecy
Friend
Gemini
Get
GoldBug
GUI
Hash
Https
In public key cryptography, perfect forward secrecy (PFS) is a property of the key-agreement protocol
that ensures that a session key derived from a set of long-term public and private keys will not be
compromised if one of the (long-term) private keys is compromised in the future. The key used to
protect transmission of data must not be used to derive any additional keys, and if the key used to
protect transmission of data was derived from some other keying material, that material must not be
used to derive any more keys. Thus, compromise of a single key will permit access to only data
protected by a single key. Forward secrecy has been used as a synonym for perfect forward secrecy,
[1] since the term perfect has been controversial in this context. FS has also been used to describe
the analogous property of password-authenticated key agreement protocols where the long-term
secret is a (shared) password.
A friend-to-friend (or F2F) computer network is a type of peer-to-peer network in which users only
make direct connections with people they know. Passwords or digital signatures can be used for
authentication.
Unlike other kinds of private P2P, users in a friend-to-friend network cannot find out who else is
participating beyond their own circle of friends.
The Gemini is a feature in GoldBug Secure Instant Messenger to add another security layer to the
chatroom with an AES Key for end-to-end encryption.
The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative,
hypermedia information systems. HTTP is the foundation of data communication for the World Wide
Web. The first version of the protocol had only one method, namely GET, which would request a page
from a server. The response from the server was always an HTML page. GET requests a
representation of the specified resource. Requests using GET should only retrieve data and should
have no other effect.
The GoldBug-feature is used in the integrated email client to add here as well an end-to-end AES-
Encryption layer - the GoldBug, or: just a password, both users use to encrypt their emails once
more. So with the GoldBug, you need a kind of password (e.g. AES-string) to open the email of a
friend or to be able to chat with him.
In computing, graphical user interface (GUI, sometimes pronounced 'gooey') is a type of user interface
that allows users to interact with electronic devices through graphical icons and visual indicators such
as secondary notation, as opposed to text-based interfaces, typed command labels or text navigation.
Qt (/kjuːt/ "cute", or unofficially as Q-T cue-tee) is a cross-platform application framework that is
widely used for developing application software with a graphical user interface (GUI) (in which cases
Qt is classified as a widget toolkit). Qt uses standard C++.
A hash function is any algorithm that maps data of variable length to data of a fixed length. The values
returned by a hash function are called hash values, hash codes, hash sums, checksums or simply
hashes. A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary
block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any
(accidental or intentional) change to the data will (with very high probability) change the hash value.
The data to be encoded are often called the "message," and the hash value is sometimes called the
message digest or simply digest. Cryptographic hash functions have many information security
applications, notably in digital signatures, message authentication codes (MACs), and other forms of
authentication. They can also be used as ordinary hash functions, to index data in hash tables, for
fingerprinting, to detect duplicate data or uniquely identify files.
Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication
over a computer network, with especially wide deployment on the Internet. Technically, it is not a
protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol
(HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard
HTTP communications.
Iteration Count
Kernel
Key, Public
Key, Private
Key-Exchange
Key-Size
In mathematics, an iterated function is a function which is composed with itself, possibly ad infinitum,
in a process called iteration. In this process, starting from some initial number, the result of applying a
given function is fed again in the function as input, and this process is repeated.
Kernel
In computing, the kernel is a computer program that manages input/output requests from software and
translates them into data processing instructions for the central processing unit and other electronic
components of a computer like the graphical user interface (GUI). Kernels are a fundamental part of
modern computer systems.
Key, Public
Public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm
which requires two separate keys, one of which is secret (or private) and one of which is public.
Although different, the two parts of this key pair are mathematically linked. The public key is used to
encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext
or to create a digital signature. The term "asymmetric" stems from the use of different keys to perform
these opposite functions, each the inverse of the other – as contrasted with conventional
("symmetric") cryptography which relies on the same key to perform both. Public-key algorithms are
based on mathematical problems which currently admit no efficient solution that are inherent in certain
integer factorization, discrete logarithm, and elliptic curve relationships. It is computationally easy for
a user to generate their public and private key-pair and to use them for encryption and decryption. The
strength lies in the fact that it is "impossible" (computationally infeasible) for a properly generated
private key to be determined from its corresponding public key. Thus the public key may be published
without compromising security, whereas the private key must not be revealed to anyone not
authorized to read messages or perform digital signatures. Public key algorithms, unlike symmetric
key algorithms, do not require a secure initial exchange of one (or more) secret keys between the
parties.
Key, Private
In cryptography, a key is a piece of information (a parameter) that determines the functional output of
a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In
encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa
during decryption. Keys are also used in other cryptographic algorithms, such as digital signature
schemes and message authentication codes. Encryption algorithms which use the same key for both
encryption and decryption are known as symmetric key algorithms. A newer class of "public key"
cryptographic algorithms was invented in the 1970s which uses a pair of keys, one to encrypt and one
to decrypt. These asymmetric key algorithms allow one key to be made public while retaining the
private key in only one location. They are designed so that finding out the private key is extremely
difficult, even if the corresponding public key is known. A user of public key technology can publish
their public key, while keeping their private key secret, allowing anyone to send them an encrypted
message.
Key-Exchange
Key exchange (also known as "key establishment") is any method in cryptography by which
cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm. If sender
and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to
be sent and decrypt messages received. The nature of the equipping they require depends on the
encryption technique they might use. If they use a code, both will require a copy of the same
codebook. If they use a cipher, they will need appropriate keys. If the cipher is a symmetric key
cipher, both will need a copy of the same key. If it is an asymmetric key cipher with the public/private key
property, both will need the other's public key. The key exchange problem is how to exchange
whatever keys or other information are needed so that no one else can obtain a copy. Historically, this
required trusted couriers, diplomatic bags, or some other secure channel. With the advent of public
key / private key cipher algorithms, the encrypting key (aka public key) could be made public, since
(at least for high quality algorithms) no one without the decrypting key (aka, the private key) could
decrypt the message. Diffie–Hellman key exchange: In 1976, Whitfield Diffie and Martin Hellman
published a cryptographic protocol (Diffie–Hellman key exchange) which allows users to establish
'secure channels' on which to exchange keys, even if an opponent is monitoring that communication
channel. However, D–H key exchange did not address the problem of being sure of the actual identity
of the person (or 'entity').
Key-Size
In cryptography, key size or key length is the size measured in bits[1] of the key used in a
cryptographic algorithm (such as a cipher). An algorithm's key length is distinct from its cryptographic
security, which is a logarithmic measure of the fastest known computational attack on the algorithm,
also measured in bits. The security of an algorithm cannot exceed its key length (since any algorithm
can be cracked by brute force), but it can be smaller. An RSA key length of 3072 bits should be used
if security is required. NIST key management further suggests that 15360-bit RSA keys are equivalent
in strength to 256-bit symmetric keys.
libgcrypt
libgcrypt is a cryptographic library developed as a separate module of GnuPG. It can also be used
independently. It provides functions for all cryptographic building blocks: symmetric ciphers (IDEA,
AES, DES, 3DES, Blowfish, CAST5, Twofish, Arcfour, Serpent, Camellia, SEED a.k.a. RFC4269,
RFC2268), hash algorithms (MD4, MD5, RIPEMD-160, SHA-1, SHA-224, SHA-256, SHA-384,
SHA-512, HAVAL, Tiger-192 as used by GnuPG <= 1.3.2, Tiger, and TIGER2), MACs (HMAC for all hash
algorithms), and public key algorithms (RSA, ElGamal, DSA, Elliptic Curve DSA).
libSpot-On
Spot-On is an anonymous and encrypted distributed, confidential messaging library in the forms of
e-mail and near-instant communications.
Listener
In computer networking, a port is an application-specific or process-specific software construct serving
as a communications endpoint in a computer's host operating system. A port is associated with an IP
address of the host, as well as the type of protocol used for communication. The purpose of ports is to
uniquely identify different applications. Applications implementing common services often use
specifically reserved, well-known port numbers for receiving service requests from client hosts. This
process is known as listening and involves the receipt of a request on the well-known port and
establishing a one-to-one server-client connection, using the same local port number; other clients
may continue to connect to the listening port. This works because a TCP connection is identified by
the tuple {local address, local port, remote address, remote port}.
MAC: Message authentication code
In cryptography, a message authentication code (often MAC) is a short piece of information used to
authenticate a message and to provide integrity and authenticity assurances on the message.
Integrity assurances detect accidental and intentional message changes, while authenticity
assurances affirm the message's origin. A MAC algorithm, sometimes called a keyed (cryptographic)
hash function (however, a cryptographic hash function is only one of the possible ways to generate
MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and
outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity
and its authenticity, by allowing verifiers (who also possess the secret key) to detect any
changes to the message content.
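The difference between an unkeyed hash, as defined earlier in this glossary, and a MAC, shown as an added Python example that is not GoldBug or Spot-On code. HMAC-SHA256 from the standard library is an assumed choice of MAC, and the key and messages are constructed samples.

```python
import hashlib
import hmac
import secrets

TAG_BYTES = hashlib.sha256().digest_size   # 32 bytes for SHA-256


def hash_protect(message: bytes) -> bytes:
    """Unkeyed protection: message followed by its SHA-256 digest."""
    return message + hashlib.sha256(message).digest()


def hash_check(blob: bytes) -> bool:
    """Accepts any blob whose trailing digest matches; no secret is involved."""
    if len(blob) < TAG_BYTES:
        return False
    message, digest = blob[:-TAG_BYTES], blob[-TAG_BYTES:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def mac_protect(key: bytes, message: bytes) -> bytes:
    """Keyed protection: message followed by its HMAC-SHA256 tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def mac_check(key: bytes, blob: bytes) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    if len(blob) < TAG_BYTES:               # too short to carry a tag
        return False
    message, tag = blob[:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def compare_hash_and_mac() -> dict:
    key = secrets.token_bytes(32)            # shared secret key (constructed)
    original = b"meet at 10:00"              # constructed sample messages
    altered = b"meet at 22:00"

    sent = mac_protect(key, original)
    # A change made in transit by someone without the key: the digest can be
    # recomputed by anyone, the tag cannot, so only the old tag is available.
    altered_with_new_digest = hash_protect(altered)
    altered_with_old_tag = altered + sent[-TAG_BYTES:]

    return {
        "hash_accepts_altered": hash_check(altered_with_new_digest),
        "mac_accepts_genuine": mac_check(key, sent),
        "mac_accepts_altered": mac_check(key, altered_with_old_tag),
        "mac_accepts_wrong_key": mac_check(secrets.token_bytes(32), sent),
        "mac_accepts_truncated": mac_check(key, sent[:10]),
    }


if __name__ == "__main__":
    for name, value in compare_hash_and_mac().items():
        print(f"{name}: {value}")
```

A digest that travels with the message only catches accidental changes; detecting intentional ones needs the secret key, which is the property the MAC entry describes.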
MELODICA
With the MELODICA feature in GoldBug Secure Messenger you call your friend and send him a new
Gemini (AES-256 key). The key is sent over the asymmetric encryption of your RSA keys. This is a
secure way, as all plaintext transfers, such as email, speaking over the phone or other messengers,
have to be regarded as unsafe and recorded. MELODICA stands for Multi Encrypted LOng DIstance
CAlling. You call your friend, even over a long distance of the echo protocol, and exchange a Gemini
(AES-256 key) over secure asymmetric encryption to establish an end-to-end encrypted channel.
Status, online
Description will follow.
Neighbor
Description will follow.
OpenSource
In production and development, open source as a development model promotes a) universal access via
free license to a product's design or blueprint, and b) universal redistribution of that design or blueprint,
including subsequent improvements to it by anyone. Generally, open source refers to a computer
program in which the source code is available to the general public for use and/or modification from its
original design.
OpenSSL
OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in
the C programming language, implements the basic cryptographic functions and provides various
utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages
are available. OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson.
Padding
In cryptography, padding refers to a number of distinct practices. Official messages often start and
end in predictable ways: My dear ambassador, Weather report, Sincerely yours, etc. The primary use
of padding with classical ciphers is to prevent the cryptanalyst from using that predictability to find
cribs[1] that aid in breaking the encryption. Random length padding also prevents an attacker from
knowing the exact length of the plaintext message. Many classical ciphers arrange the plaintext into
particular patterns (e.g., squares, rectangles, etc.) and if the plaintext doesn't exactly fit, it is often
necessary to supply additional letters to fill out the pattern. Using nonsense letters for this purpose
has a side benefit of making some kinds of cryptanalysis more difficult. Most modern cryptographic
hash functions process messages in fixed-length blocks; all but the earliest hash functions include
some sort of padding scheme. It is critical for cryptographic hash functions to employ termination
schemes that prevent a hash from being vulnerable to length extension attacks. Many padding
schemes are based on appending predictable data to the final block. For example, the pad could be
derived from the total length of the message. This kind of padding scheme is commonly applied to
hash algorithms that use the Merkle-Damgård construction. In public key cryptography, padding is the
process of preparing a message for encryption or signing using a specification or scheme such as
PKCS#1 v1.5, OAEP, PSS, PSSR, IEEE P1363 EMSA2 and EMSA5. A modern form of padding for
asymmetric primitives is OAEP applied to the RSA algorithm, when it is used to encrypt a limited
number of bytes.
Participant/User
Description will follow.
Passphrase
A passphrase is a sequence of words or other text used to control access to a computer system,
program or data. A passphrase is similar to a password in usage, but is generally longer for added
security. Passphrases are often used to control both access to, and operation of, cryptographic
programs and systems. Passphrases are particularly applicable to systems that use the passphrase
as an encryption key. The origin of the term is by analogy with password. The passphrase in GoldBug
must be at least 16 characters long; it is used to create a cryptographic hash, which is longer and
stronger.
PGP-Method
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides
cryptographic privacy and authentication for data communication. PGP is often used for signing,
encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the
security of e-mail communications. PGP encryption uses a serial combination of hashing, data
compression, symmetric-key cryptography and finally public-key cryptography; each step uses one of
several supported algorithms.
The Free Software Foundation has developed its own OpenPGP-compliant program called GNU
Privacy Guard (abbreviated GnuPG or GPG). GnuPG is freely available together with all source code
under the GNU General Public License (GPL).
Port
In computer networking, a port is an application-specific or process-specific software construct serving
as a communications endpoint in a computer's host operating system. A port is associated with an IP
address of the host, as well as the type of protocol used for communication. The purpose of ports is to
uniquely identify different applications.
Applications implementing common services often use specifically reserved, well-known port numbers
for receiving service requests from client hosts. This process is known as listening and involves the
receipt of a request on the well-known port and establishing a one-to-one server-client connection,
using the same local port number; other clients may continue to connect to the listening port. This
works because a TCP connection is identified by the tuple {local address, local port, remote address,
remote port}.
Post
The Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the World Wide
Web. The first version of the protocol had only one method, namely GET, which would request a page
from a server. POST requests are defined like this: Requests that the server accept the entity
enclosed in the request as a new subordinate of the web resource identified by the URI. The data
POSTed might be, as examples, an annotation for existing resources; a message for a bulletin board,
newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form
to a data-handling process; or an item to add to a database.
Proxy
In computer networks, a proxy server is a server (a computer system or an application) that acts as
an intermediary for requests from clients seeking resources from other servers. A client connects to
the proxy server, requesting some service, such as a file, connection, web page, or other resource
available from a different server and the proxy server evaluates the request as a way to simplify and
control its complexity. Today, most proxies are web proxies, facilitating access to content on the
World Wide Web.
Qt
Qt (/ˈkjuːt/ "cute", or unofficially as Q-T cue-tee[6][7]) is a cross-platform application framework that is
widely used for developing application software with a graphical user interface (GUI) (in which cases
Qt is classified as a widget toolkit), and also used for developing non-GUI programs such as
command-line tools and consoles for servers. Qt uses standard C++ but makes extensive use of a
special code generator (called the Meta Object Compiler, or moc) together with several macros to
enrich the language. Qt can also be used in several other programming languages via language
bindings. It runs on the major desktop platforms and some of the mobile platforms. It has extensive
internationalization support. Non-GUI features include SQL database access, XML parsing, thread
management, network support, and a unified cross-platform application programming interface (API)
for file handling.
Repleo
Description will follow.
RSA
RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring
large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman,
who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had
developed an equivalent system in 1973, but it wasn't declassified until 1997.[1] A user of RSA
creates and then publishes the product of two large prime numbers, along with an auxiliary value, as
their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a
message, but with currently published methods, if the public key is large enough, only someone with
knowledge of the prime factors can feasibly decode the message.[2] The RSA algorithm involves three
steps: key generation, encryption and decryption. RSA involves a public key and a private key. The
public key can be known by everyone and is used for encrypting messages. Messages encrypted with
the public key can only be decrypted in a reasonable amount of time using the private key.
Scrambler
Description will follow.
Salt
In cryptography, a salt is random data that are used as an additional input to a one-way function that
hashes a password or passphrase.[1] The primary function of salts is to defend against dictionary
attacks and pre-computed rainbow table attacks. A new salt is randomly generated for each
password. In a typical setting, the salt and the password are concatenated and processed with a
cryptographic hash function, and the resulting output (but not the original password) is stored with the
salt in a database. Hashing allows for later authentication while defending against compromise of the
plaintext password in the event that the database is somehow compromised. Cryptographic salts are
broadly used in many modern computer systems.
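How the Salt, Iteration Count and Passphrase entries fit together, as an added Python example that is not GoldBug's own code. PBKDF2-HMAC-SHA256, the iteration count and the salt size are assumptions, since the page states only the 16-character minimum and that the passphrase is hashed.

```python
import hashlib
import hmac
import secrets

MIN_PASSPHRASE_CHARS = 16   # minimum length the page states for GoldBug
ITERATIONS = 100_000        # assumed iteration count for this sketch
SALT_BYTES = 16             # assumed salt size
ALGORITHM = "sha256"        # assumed hash inside PBKDF2


def derive(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated one-way function over the passphrase."""
    return hashlib.pbkdf2_hmac(ALGORITHM, passphrase.encode("utf-8"), salt, iterations)


def enroll(passphrase: str) -> dict:
    """Build the record that is stored: salt, iteration count and digest.

    The passphrase itself is never part of the record.
    """
    if len(passphrase) < MIN_PASSPHRASE_CHARS:
        raise ValueError("passphrase must be at least 16 characters long")
    salt = secrets.token_bytes(SALT_BYTES)   # new random salt for every passphrase
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "digest": derive(passphrase, salt).hex(),
    }


def verify(passphrase: str, record: dict) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = derive(passphrase, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    phrase = "correct horse battery staple"   # constructed sample passphrase
    first, second = enroll(phrase), enroll(phrase)
    # Same passphrase, different salts: the stored digests differ, so one
    # precomputed table cannot cover both records.
    print("digests differ:", first["digest"] != second["digest"])
    print("right passphrase:", verify(phrase, first))
    print("wrong passphrase:", verify(phrase + "!", first))
```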
Signature
The use of these (public key) algorithms also allows the authenticity of a message to be checked by
creating a digital signature of the message using the private key, which can then be verified by using
the public key. In practice, only a hash of the message is typically encrypted for signature verification
purposes. The Digital Signature Algorithm is the most widely used digital signature system.
Source
Description will follow.
SSL
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols that provide communication security over the Internet. They use asymmetric cryptography
for authentication of key exchange, symmetric encryption for confidentiality and message
authentication codes for message integrity. Several versions of the protocols are in widespread use in
applications such as web browsing, electronic mail, Internet faxing and instant messaging.
Super Echo
Description will follow.
Tor
Description will follow.
Web-Of-Trust
In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible
systems to establish the authenticity of the binding between a public key and its owner. Its
decentralized trust model is an alternative to the centralized trust model of a public key infrastructure
(PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer
networks, there are many independent webs of trust, and any user (through their identity certificate)
can be a part of, and a link between, multiple webs. The web of trust concept was first put forth by
PGP creator Phil Zimmermann in 1992 in the manual for PGP version 2.0: As time goes on, you will
accumulate keys from other people that you may want to designate as trusted introducers. Everyone
else will each choose their own trusted introducers. And everyone will gradually accumulate and
distribute with their key a collection of certifying signatures from other people, with the expectation
that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence
of a decentralized fault-tolerant web of confidence for all public keys. In simpler terms, you have 2
keys: a public key that you let the people you trust know; and a private key that only you know. Your
private key will decrypt any information encrypted with your public key. In the web of trust you have a
key ring with a group of people's public keys. You encrypt your information with the recipient's public
key, and only their private key will decrypt it. You then digitally sign the information with your private
key, so when they verify it with your public key, they can confirm that it is you. Doing this will ensure
that the information came from you and has not been tampered with, and only the person you are
sending it to can read the information (because only they know their private key).
GoldBug source code is open source and uses LibSpot-On. This website with content and layout is
licensed under a Creative Commons Attribution 3.0 License, unless otherwise noted.