Posted by: DeepDotWeb
February 13, 2015
From time to time every one of us is faced with a situation where we have to tell someone something very important and intimate that no one else should know. In our age of total surveillance (remember Prism project?), transferring information without the presence of third parties has become a very difficult task. In this article I summarize all I know about privacy protection and secure information transfer and give a short description of 5 apps and programs that I use every day to send messages.
TextSecure is a free and open-source encrypted messaging application for Android. Open Whisper Systems improved Off-the-Record Messaging (OTR) protocol in some secrecy aspects, and added a mechanism to allow the ephemeral key negotiation to work asynchronously. The TextSecure protocol uses Curve25519, AES-256, and HMAC-SHA256 as primitives.
The TextSecure application allows people to send text and audio messages, photos, videos, contact information. Messages sent to other TextSecure users can only be read by the recipient due to automatic end-to-end encryption.
The keys that are used to encrypt messages are stored on the user’s device, but they are protected by an additional layer of encryption. Also, TextSecure has a built-in function for verifying that the user is communicating with the right person and that no man-in-the-middle attack has occurred. This is done with key fingerprints that can be verified out-of-band.
Telegram is a cross-platform instant messaging system whose clients are open source and servers are proprietary software. Telegram users can exchange encrypted and self-destructing messages and transfer all types of audio and video files up to 1 gigabyte in size.
Telegram was launched in 2013 by the brothers Nikolai and Pavel Durov, the founders of VK, Russia’s largest social network.
Telegram accounts are tied to the phone number of the user and the phone number associated with an account can be changed without losing messages.
The application features two types of chats. Ordinary chats use client-server encryption and can be accessed from multiple devices. Secret chats use end-to-end encryption and can only be accessed from the two participating devices. While using secret chats in official clients, messages deleted on one device are deleted on the other device too, a special message is displayed when a screenshot is taken, and messages can be set to be deleted automatically (self-destruct) at preset time intervals.
On December 1st, 2014, Telegram implemented Perfect Forward Secrecy in secret chats. This enables periodically changing the encryption keys utilized, keeping past communications safe. Official Telegram clients initiate re-keying once a key has been used to decrypt and encrypt more than 100 messages, or has been in use for more than one week, provided the key has been used to encrypt at least one message. Old keys are then discarded and cannot be reconstructed, even with access to the new keys currently in use.
On January 5th, 2015, Telegram’s standard messages were scored 3 out of 7 points on the Electronic Frontier Foundation’s secure messaging scorecard, while Telegram’s secret chats scored 6 out of 7 points. It lost one point because there has not been a recent independent code audit.
Desktop Telegram is available for Windows and Apple Mac OS.
Pidgin (formerly named Gaim) + Off-the-Record plugin
Pidgin is an open-source multi-platform instant messaging client, based on a library, that allows the user to log into various services from one application. Pidgin is an easy to use, popular and free. It supports a lot of different chat networks such as AIM, MSN, Yahoo, Bonjour, Google Talk, ICQ and XMPP.
Off-the-Record (OTR) messaging is a plugin developed specifically for Pidgin. It uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function.
The main features of using Pidgin+OTR combination are: privacy (no one else can read your instant messages), protectiveness (you are assured the correspondent is who you think it is) and deniability (the messages you send do not have digital signatures that are checkable by a third party).
However, users’ passwords are stored in a plaintext file. This password file is readable by anyone who has physical access to the computer, access to the user or administrative accounts, or (potentially) to anyone who is able to exploit security vulnerabilities on that computer. I hope that the developers will improve this omission one day.
Bitmessage is a decentralized, encrypted, P2P communications protocol that can be used to send a message not only to one person, but to multiple subscribers too. Bitmessage encrypts each users’ message inbox using public-key cryptography (256-bit ECC keys and OpenSSL for cryptographic functions).
Bitmessage replicates all the messages inside its own network. So, the encrypted messages of a user is mixed with all the encrypted messages of all other users of the network, which makes it difficult to track which particular computer is the actual sender or recipient.
The original sender knows whether the recipient received the message or not (through an acknowledgement system), but the sender cannot discover which network participant is the actual recipient since all the network participants will have this encrypted message stored on their computer.
The system’s nodes store the encrypted messages for only two days before erasing them; therefore, messages are not archived in the network. And new participants of the network can only download and broadcast messages from the last two days.
All users of Bitmessage have cryptographically generated addresses (for example, BM-cbRqcFFSQUUmXFKsPJgVQPSiFA3Xash). PyBitmessage is the official instant messaging client designed for Bitmessage.
DarkNote is in fact an open-source anonymous decentralized cryptocurrency, which enables privacy protected payments and encrypted data transfer to all its users. Its encrypted messaging system is based on DarkNote blockchain (a blockchain is a transaction database shared by all participants of a system). With the state-of-the-art end-to-end cryptography, even the fact that a DarkNote message was sent remains unknown.
DarkNote XDN blockchain was first launched on 30th May 2014. Then, in mid-September 2014 XDN went to the next level: it received encrypted messages feature, encrypted transaction comments and lots of source code and network improvements, so now it is perfectly scaled to be a fast, near-zero cost privacy protected payment system and encrypted messenger all at once.
DarkNote can be used for private communication, as well as for secure money transfers, due to implemented ring-signatures and one-time keys technologies. Ring signatures work not by mixing up various users’ transfers, but by signing each transaction with multiple keys. When transactions take place using this, the sender’s and recipient’s public key is mixed with a group of other users’ keys. The other keys serve no function other than to mask which key sent the message. “It is a little like giving a five-man firing squad one bullet. Only one person actually shot the condemned, but no one knows exactly who. Here, only one wallet was on each end of a transaction, but it is impossible to figure out which one,” experts said.
To use all these features the user should download DarkNote GUI wallet from the official currency website and synchronize it with the network.
All applications and programs are easy and convenient to use, and you should try all of them before choosing the one that suits you most and don’t forget to use PGP. If you know other ways to keep your information and personal messages protected, please let me know by leaving a comment on this article!
Article contributed to DeepDotWeb by its author: Li Taurus