Hey guys,
I've come up with an idea for a secure decentralized chat application, but I don't have the time to build it from scratch all on my own.
General Idea
There are many secure chat services available right now. For example, the Android and iOS app WhatsApp can be considered safe. But all of these services are centrally organized. All the messages get transmitted and handled by a central server (or some cloud network, but for simplicity let's assume there is one big server).
Therefore, even though the contents of a message might be safely encrypted, the metadata (e.g. source, destination, length, etc.) is still available. The progress on neural networks has shown them to be capable of gathering a lot of information from just metadata. E.g. neural networks have been used to identify hidden services of the TOR network by only feeding them the packet frequency, with an astonishingly high accuracy (>75%).
The idea behind Paranoid (working title) is to not use such a centralized approach, but rather to make every user of the network a server and a client at the same time. Messages will be sent directly to the chat partner without a central server. This not only adds security to the chat, but has some more advantages:
1. Cheap & self-sustaining: As the computational power is going to be distributed over the users and no central server is required, there is no need to invest in some kind of infrastructure to keep it running. As long as someone is using the network it will work.
2. Higher throughput and shorter delay: As no central server can be a bottleneck, every connection will be as fast as the underlying routing protocol is capable of providing. Therefore, if the underlying protocol always finds the best route, the delay should be at most as high as when using a central server. As for the throughput: a centralized network with N nodes always has N paths, but a decentralized network can have up to N(N-1)/2 paths, so for N>2 the possible throughput can exceed the throughput of a centralized network by far.
3. Robustness: Any local breakdown does not affect the system as a whole.
Implementation
To realize this idea, the two main problems are first of all the encryption and second of all the routing. Using IPv4 this is completely impossible, as this would require every user to have a unique id, which would get way too complicated considering NAS systems which are sometimes stacked more than just once. The naive idea would be to use IPv6, as the large amount of addresses fixes the problem and also enables integrated transfer encryption. Sadly the IPv6 support is pretty low. I.e. most of the mobile network providers still, even 20 years after its standardization, don't enable it, making it totally infeasible for the mobile market.
Also, the usage of firewalls would block the services in most common households.
To target this problem I've thought about using the TOR network. For those of you who don't know, the TOR network is an anonymous routing protocol enabling hidden services within this network. A hidden service is going to be addressed by a 16-letter base32 string, therefore enabling 2 to the power of 80 different addresses, enough to cover any possible user count. Also, TOR provides a high standard of transfer security which is scalable per user to any degree of paranoia the user desires.
Also, TOR deals with the firewall problem:
Quote:
Originally Posted by torproject.org
Tor allows clients and relays to offer hidden services. That is, you can offer a web server, SSH server, etc., without revealing your IP address to its users. In fact, because you don't use any public address, you can run a hidden service from behind your firewall.
To ensure a high degree of security, all the data will be saved on the user's device, encrypted using state-of-the-art software. Currently I'm thinking about a VeraCrypt volume. Also, besides the TOR transmission encryption, every chat shall be encrypted on its own using a special password generated using a signed key exchange, and all messages will be signed using a PGP (or any comparable alternative) public/private key pair.
Features
This is a small list of features I thought the messenger should include:
1. Pair chat: Simple as that, two people chatting with each other.
2. Chatrooms. Like using Teamspeak or IRC, there shall be a distributed server software any user can set up to host a chat room on their private servers.
3. Eventually VoIP. This is just a crazy idea at the moment, but when chatrooms are getting implemented a voice chat could also be possible. But as TOR has an unusually high delay, this might be infeasible using TOR. There might be a possibility to include non-TOR services for this, but basically I like the idea but have no idea if this is possible.
4. User register servers. To get known to different users (i.e. getting the onion address, getting the public key, and so on) the user should either be able to provide this data physically to any person they might know (e.g. QR code scanning), but for the less paranoid ones, users should also be able to register on a central database to make their information public (for example for anyone searching for a special username or email).
5. Messaging backup servers. In case a user's device is not online at the time of sending, the user can register a backup server where all the messages get stored during this period. Like a telephone answering machine.
6. Availability. Most importantly this program should run on at least 32 & 64 Bit Linux, Windows, 64 Bit Cocoa mac, iOS and Android.
Project management
So with the requirements established, let's talk about how I thought about realizing this.
The basic chat protocol should be written in a system-independent way. I thought about using C, as this is pretty straightforward under Unix and only some porting is required for Windows.
This core protocol shall be released under the terms of the LGPL license, so in case anyone forks it, changes to the core protocol have to be made open source, which makes it possible to adapt all forks to be able to communicate with each other.
The user interface will then be built on top using a language well fitted for the target platform (e.g. C# for Windows, Swift for iOS and OSX, etc.). These projects can be released under any license.
Personal requirements
Even though I have already planned this a little bit, all of the points are open for discussion. None of this is written in stone, and if you think you have a better idea for any of those points, feel free to contribute.
But from what I can estimate right now, this project will not be that trivial.
I personally am confident in protocol development with C (or any other low-level language like C++, Ada or Pascal); I also know a little bit about Swift and C#, and I'm open to learning new languages for this project. But because I'm right in my bachelor's thesis, my time is pretty limited. Also, I'm pretty shitty at planning.
Therefore I will not be able to take any project management position, but would rather like to just do the low-level implementing.
That means this requires at least one more low-level developer who should be confident developing on a Unix device (as this is the common ground for any platform except Windows) with at least one of these languages: C, C++, Ada, Pascal (or is confident in being able to learn this in a short amount of time).
Then this project requires developers who are confident in at least one of the following fields (the more the better):
Android development
iOS development
Windows development (GUI)
Windows development (Service)
Encryption libs/frameworks (e.g. PGP)
Network security (e.g. OpenSSL)
And also someone to manage the project and take care of the repository
Also a basic understanding of decentralized networks and especially TOR
The language used will be either German or English.
If you are interested in this idea send me a personal message.
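
Added example, not part of the original post: the 16-character address format mentioned above is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, so a contact card fetched from a user register server or scanned from a QR code can be checked for a swapped key before it is trusted. The card layout, its field names and the sample key bytes are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import re

# 16 lowercase base32 characters encode exactly 80 bits.
ONION_16_RE = re.compile(r"[a-z2-7]{16}")


def onion_address_16(der_public_key: bytes) -> str:
    """Derive the 16-character address from a DER-encoded RSA public key."""
    digest = hashlib.sha1(der_public_key).digest()
    # 10 bytes = 80 bits, which base32-encodes to 16 characters without padding.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def normalize_address(address: str) -> str:
    """Strip whitespace and the .onion suffix, then enforce the 16-char format."""
    addr = address.strip().lower()
    if addr.endswith(".onion"):
        addr = addr[: -len(".onion")]
    if not ONION_16_RE.fullmatch(addr):
        raise ValueError("not a 16-character base32 onion address")
    return addr


def verify_contact_card(card: dict) -> bool:
    """Accept a card only if its address is derived from the key it carries.

    `card` is a hypothetical layout: {"onion": str, "public_key_der_hex": str}.
    """
    try:
        claimed = normalize_address(card["onion"])
        key = bytes.fromhex(card["public_key_der_hex"])
    except (KeyError, ValueError, TypeError, AttributeError):
        return False  # malformed cards are rejected, never repaired
    return hmac.compare_digest(claimed, onion_address_16(key))


# Constructed sample data: stand-in bytes, not a real RSA key.
SAMPLE_KEY = b"constructed-stand-in-for-a-DER-encoded-RSA-public-key"
GOOD_CARD = {
    "onion": onion_address_16(SAMPLE_KEY) + ".onion",
    "public_key_der_hex": SAMPLE_KEY.hex(),
}
# A register server that substitutes its own key but keeps the address.
SWAPPED_CARD = dict(GOOD_CARD, public_key_der_hex=b"substituted-key".hex())
```

The check only binds the address to the key; it says nothing about whether the username or email listed on a register server belongs to the person who controls that key.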