DOCSLIB.ORG

Moderne Instant-Messaging-Systeme Als Plattform Für Sicherheitskritische Kollaborative Anwendungen

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Moderne Instant-Messaging-Systeme Als Plattform Für Sicherheitskritische Kollaborative Anwendungen Fachbereich 4: Informatik Moderne Instant-Messaging-Systeme als Plattform für sicherheitskritische kollaborative Anwendungen Dissertation zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften (Doctor rerum naturalium) vorgelegt von Dipl.-Informatikerin Anastasia Meletiadou Gutachter: Prof. Dr. Rüdiger Grimm und Prof. Dr. J. Felix Hampe Inhaltsverzeichnis 3 Inhaltsverzeichnis Abbildungsverzeichnis ...................................................................................................... 8 Teil I Einleitung und Problemdefinition ....................................................................... 14 1 Einleitung ............................................................................................. 14 2 Motivation ............................................................................................ 15 3 Herausforderungen und Ziele ............................................................ 16 3.1 Problemstellung ................................................................................................ 16 3.2 Fragestellung ..................................................................................................... 17 3.3 Methode ............................................................................................................ 17 4 Eigener Beitrag und Struktur der Arbeit ......................................... 19 Teil II Stand der Forschung und Related Work .......................................................... 22 5 Begriffsklärung .................................................................................... 22 5.1 Computer Supported Cooperative Work ........................................................... 22 5.2 Unified Communication .................................................................................... 24 5.3 Real Time Communication/Collaboration ........................................................ 24 5.4 Instant-Messaging-Systeme .............................................................................. 25 6 Moderne Instant-Messaging-Systeme: Funktionsweise und Charakteristika ................................................................................... 26 6.1 Featuremodell von Instant-Messaging-Systemen .............................................. 28 6.1.1 Architektur ..................................................................................... 31 6.1.1.1 Client-Server-Modell ................................................... 31 6.1.1.2 (Reines) Peer-to-Peer-Modell ...................................... 31 6.1.1.3 Brokered Peer-to-Peer-Modell ..................................... 32 6.1.1.4 Hybrides Peer-to-Peer-Modell ..................................... 32 6.1.2 Protokolle ....................................................................................... 33 6.1.2.1 Open System for Communication in Realtime (OSCAR) ..................................................................................... 33 6.1.2.2 Mobile Status Notification Protocol (MSNP) .............. 34 6.1.2.3 Skype ........................................................................... 35 6.1.2.4 Jabber/ Extensible Messaging and Presence Protocol (XMPP) ....................................................................... 36 6.1.2.5 Session Initiation Protocol (SIP) .................................. 37 6.1.2.6 Jingle ........................................................................... 39 6.1.2.7 Real-time Transport Protocol (RTP) ............................ 39 6.1.2.8 Weitere Protokolle ....................................................... 40 6.1.3 IM-Client ........................................................................................ 40 6.1.3.1 Plattform ...................................................................... 42 Inhaltsverzeichnis 4 6.1.3.2 Funktionalität ............................................................... 42 6.1.4 IM-Server ....................................................................................... 43 6.1.5 IM-Sicherheit ................................................................................. 44 7 Sicherheitsbetrachtungen der IM-Systeme ....................................... 46 7.1 IT-Sicherheit und ihre Anforderungen (Grundlagen der IT-Sicherheit) ............ 46 7.2 Sicherheitsanalyse der Instant-Messaging-Systeme .......................................... 48 7.2.1 Werte/Güter .................................................................................... 48 7.2.2 Bedrohungen und Angriffe ............................................................. 49 7.2.3 Sicherheitsanforderungen ............................................................... 51 7.2.4 Sicherheitsmaßnahmen und -mechanismen .................................... 52 7.2.4.1 Chat-Protokolle (OSCAR, TOC, MSNP) .................... 53 7.2.4.2 Skype ........................................................................... 53 7.2.4.3 XMPP .......................................................................... 54 7.2.4.4 SIP ............................................................................... 56 7.2.4.5 Jingle ........................................................................... 57 7.2.4.6 RTP/SRTP ................................................................... 58 7.2.5 Zusammenfassung .......................................................................... 58 8 Forschung im Bereich der Instant-Messaging-Systeme (Related Work) ................................................................................................... 59 8.1 Wirtschaftliche und soziale Aspekte ................................................................. 59 8.2 Technische Aspekte .......................................................................................... 60 8.2.1 ZRTP .............................................................................................. 60 8.2.2 Instant Messaging Key Exchange Protokoll (IMKE) ..................... 61 8.2.3 Off-the-Record (OTR) .................................................................... 63 8.2.4 Weitere Arbeiten zum Thema sichere IM-Kommunikation ........... 64 8.3 Zusammenfassung ............................................................................................. 65 9 Forschung im Bereich kollaborativer sicherheitskritischer Anwendungen (Related Work) .......................................................... 66 Teil III Integration sicherheitskritischer Anwendungen in einer IM-Umgebung .... 71 10 Überblick über das Forschungsvorhaben ......................................... 71 11 Algorithmische/Konzeptuelle Lösungsansätze ................................. 72 11.1 Authentizität der Gesprächspartner, Vertraulichkeit der Kommunikation ........ 73 11.1.1 Erste Phase der Zugangsberechtigung ............................................ 73 11.1.2 Zweite Phase der Zugangsberechtigung ......................................... 74 11.1.3 Zugangsberechtigung bei zwei Teilnehmern .................................. 75 11.2 Mögliche Ansätze für die Gewährleistung der Authentizität und Vertraulichkeit in einer Gruppe ................................................................................................. 78 11.2.1 Vertrauensmodell ........................................................................... 81 11.2.2 Variante „Jeder mit jedem“ ............................................................ 85 11.2.3 Variante „Jeder mit jedem nach Aufforderung“ ............................. 88 11.2.4 Variante „Zentrale Instanz“ ............................................................ 91 11.2.5 Variante „Zentrale Instanz nach Aufforderung“ ............................. 96 Inhaltsverzeichnis 5 11.2.6 Variante „Jeder mit jedem nach Aufforderung und zentraler Pflicht- Überprüfung“ ................................................................................. 98 11.2.7 Variante „Web-of-Trust“ .............................................................. 101 11.2.8 Variante „Web-of-Trust nach Aufforderung“ ............................... 103 11.2.9 Zusammenfassung ........................................................................ 105 11.3 Ausgewählter Ansatz für die Gewährleistung der Authentizität und Vertraulichkeit in einer Gruppe....................................................................... 105 11.4 Bedrohungen der Authentizität der Teilnehmer für die ausgewählte Variante 107 11.4.1 Unehrlicher Initiator ..................................................................... 108 11.4.2 Unehrlicher Teilnehmer ............................................................... 109 11.4.3 Externer Angreifer und ehrliche Teilnehmer ................................ 109 11.4.4 Vertrauensmodell der Authentizität .............................................. 110 11.5 Bedrohungen der Vertraulichkeit der Kommunikation für die ausgewählte Variante ........................................................................................................... 111 11.5.1 Unehrlicher Teilnehmer ............................................................... 111 11.5.2 Externer Angreifer und ehrliche Teilnehmer ................................ 112 11.5.3 Vertrauensmodell der Vertraulichkeit .......................................... 112 11.6 Integrität der Nachrichten ............................................................................... 112 11.7 Mögliche Ansätze zur Überprüfung der Integrität in einer Gruppe ................. 114 11.7.1 Message Detection Codes............................................................
Load more

Recommended publications
  • Webrtc and XMPP
    webRTC and XMPP Philipp Hancke, XMPP Summit 2013 What is this webRTC thing … …and why should XMPP developers care? . I assume you know what XMPP is… . … you might have heard of Jingle . the XMPP framework for establishing P2P sessions . used for VoIP, filesharing, … . … you might have also heard about this webRTC thing . doing VoIP in the browser . without plugins . „no more flash“ . Do you want to know how it relates to XMPP ? Philipp Hancke © ESTOS GmbH 2013 2 What is webRTC? . P2P sessions between browsers . no servers involved in media transfer . using open standards . Javascript API in the browser . also an BSD-licensed C++ library from Google . Want to know more? . Listen to the evangelists! . Justin Uberti http://www.youtube.com/watch?v=E8C8ouiXHHk . Jose de Castro http://vimeo.com/52510068 . Cullen Jennings http://vimeo.com/cullenfluffyjennings/rtcwebexplained Philipp Hancke © ESTOS GmbH 2013 3 Initiating P2P sessions . initiate a P2P session between two browsers . negotiate media codecs, NAT traversal, etc . media is sent P2P . you need a session initiation protocol . SIP? . JSEP? . H.323? . Jingle! . webRTC does not mandate a signalling protocol . WG decision Philipp Hancke © ESTOS GmbH 2013 4 Call Flow - JSEP Philipp Hancke © ESTOS GmbH 2013 5 Jingle . You can use Jingle as signalling protocol . together with BOSH or XMPP over websockets in the browser . Demo later . But… . webRTC uses the Session Description Protocol as an API . Jingle does not use SDP . You need a mapping SDP -> Jingle -> SDP . Complicated, but doable . Topic for breakout Philipp Hancke © ESTOS GmbH 2013 6 Call Flow - Jingle Philipp Hancke © ESTOS GmbH 2013 7 webRTC-Jingle usecases .
    [Show full text]
  • World of Warcraft Online Manual
    Game Experience May Change During Online Play WOWz 9/11/04 4:02 PM Page 2 Copyright ©2004 by Blizzard Entertainment. All rights reserved. The use of this software product is subject to the terms of the enclosed End User License Agreement. You must accept the End User License Agreement before you can use the product. Use of World of Warcraft, is subject to your acceptance of the World of Warcraft® Terms of Use Agreement. World of Warcraft, Warcraft and Blizzard Entertainment are trademarks or registered trademarks of Blizzard Entertainment in the U.S. and/or other countries.Windows and DirectX are trademarks or registered trademarks of Microsoft Corporation in the U.S. and/or other countries. Pentium is a registered trademark of Intel Corporation. Power Macintosh is a registered trademark of Apple Computer, Inc. Dolby and the double-D symbol are trademarks of Dolby Laboratory. Monotype is a trademark of Agfa Monotype Limited registered in the U.S. Patent and Trademark ® Office and certain other jurisdictions. Arial is a trademark of The Monotype Corporation registered in the U.S. Patent and Trademark Office and certain other jurisdictions. ITC Friz Quadrata is a trademark of The International Typeface Corporation which may be registered in certain jurisdictions. All other trademarks are the property of their respective owners. Uses high-quality DivX® Video. DivX® and the DivX® Video logo are trademarks of DivXNetworks, Inc. and are used under license. All rights reserved. AMD, the AMD logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc All ATI product and product feature names and logos, including ATI, the ATI Logo, and RADEON are trademarks and / or registered trademarks of ATI Technologies Inc.
    [Show full text]
  • Rock in the Reservation: Songs from the Leningrad Rock Club 1981-86 (1St Edition)
    R O C K i n t h e R E S E R V A T I O N Songs from the Leningrad Rock Club 1981-86 Yngvar Bordewich Steinholt Rock in the Reservation: Songs from the Leningrad Rock Club 1981-86 (1st edition). (text, 2004) Yngvar B. Steinholt. New York and Bergen, Mass Media Music Scholars’ Press, Inc. viii + 230 pages + 14 photo pages. Delivered in pdf format for printing in March 2005. ISBN 0-9701684-3-8 Yngvar Bordewich Steinholt (b. 1969) currently teaches Russian Cultural History at the Department of Russian Studies, Bergen University (http://www.hf.uib.no/i/russisk/steinholt). The text is a revised and corrected version of the identically entitled doctoral thesis, publicly defended on 12. November 2004 at the Humanistics Faculty, Bergen University, in partial fulfilment of the Doctor Artium degree. Opponents were Associate Professor Finn Sivert Nielsen, Institute of Anthropology, Copenhagen University, and Professor Stan Hawkins, Institute of Musicology, Oslo University. The pagination, numbering, format, size, and page layout of the original thesis do not correspond to the present edition. Photographs by Andrei ‘Villi’ Usov ( A. Usov) are used with kind permission. Cover illustrations by Nikolai Kopeikin were made exclusively for RiR. Published by Mass Media Music Scholars’ Press, Inc. 401 West End Avenue # 3B New York, NY 10024 USA Preface i Acknowledgements This study has been completed with the generous financial support of The Research Council of Norway (Norges Forskningsråd). It was conducted at the Department of Russian Studies in the friendly atmosphere of the Institute of Classical Philology, Religion and Russian Studies (IKRR), Bergen University.
    [Show full text]
  • AOL Offers Video Chat with No Log-In, Download 13 May 2011, by RACHEL METZ , AP Technology Writer
    AOL offers video chat with no log-in, download 13 May 2011, By RACHEL METZ , AP Technology Writer In a move to become more competitive in the fast- AV's release comes two days after Microsoft Corp. growing field of video chat, the team behind AOL said it would pay $8.5 billion for popular Internet Inc.'s AIM instant messenger rolled out the first phone service Skype, which allows people to make version of a free video chat service on Thursday free and cheap voice and video calls. that doesn't require users to log in or download any software. ©2011 The Associated Press. All rights reserved. This material may not be published, broadcast, Called AV, the service was created as a way to rewritten or redistributed. have quick, easy video chats, Jason Shellen, a leader of the AIM team, said. Though there are plenty of other voice and video chat offerings available for computers and smartphones, AV is unlike many with its decision to eschew both logins and software downloads. In order to start a chat, a user gets a unique link from AV and sends it to friends. Once a friend with a webcam clicks on the link, a chat window will pop up on the screen and show live video of the user who started the chat session and any other participants. Up to four people can be involved in a chat at once, Shellen said. The service has several features, such as the ability to type messages to individual users while video chatting - to send a link to a webpage, for example.
    [Show full text]
  • Copyrighted Material
    Stichwortverzeichnis A B Abstreitbarkeit 167 Bequemlichkeit 30 Adblocker 96 Bitcoin 110 – Adblock Plus 96 Blackberry 215 – Disconnect 96 Bookmarks siehe Favoriten – Ghostery 96 Browser 68, 75 – Privacy Badger 96 – Add-on 87, 90 – uBlock 97 – Apple Safari 77 Add-on – Cache 88 – Browser 87, 90 – Chromium 78 – E-Mail-Client 126 – Chronik 87 – Enigmail siehe Enigmail – Fingerprinting 85, 98 – GpgOL 137 – Google Chrome 77 – Mailvelope 130, 132 – HTML-Engine 80 – Thunderbird 139 – Hygiene 88 Adium 170 – Iceweasel 78 Advanced Programming Interface (API) 90, – Inkognito-Modus 86 182 – integrierte Suche 84 Android – Internet Explorer 77 – Android Privacy Guard (App) 156 – Konqueror 78 – K9 Mail (E-Mail-Client) 156 – Microsoft Edge 92 – OpenKeychain (App) 156 – Midori 78 – PGP 156 – Mosaic 68 – R2Mail2 (E-Mail-Client) 158 – Mozilla Firefox 68, 76 – S/MIME 156 – Netscape Navigator 68 Anonymität 206 COPYRIGHTED– Opera 77MATERIAL AOL Instant Messenger (AIM) 164 – Plug-in 87 Apple Mail – Prole (Identitäten) 87 – PGP 145 – Synchronisation von Einstellungen – S/MIME 155 86 Authentizierung 167, 169, 176, 179 – Web (Epiphany) 78 – Adium 172 Buffer Overow 82 – Multifaktor- 201 Bugs 82 – Pidgin 169 Bundesamt für Sicherheit in der Informations- Authentizität 29, 54, 56 technik (BSI) 215 233 Stichwortverzeichnis C – E-Mail-Adresse 119 Caesar-Chiffre 36 – Header 121 Certicate Authority siehe Zertizierungsstelle – Provider 129, 131, 139 Chain of Trust siehe Web of Trust – Server 122 Chaos Computer Club (CCC) 133 Eingangsverschüsselung 125 Chat 161 Electronic
    [Show full text]
  • Massively Multiplayer Online Role Playing Game Chat Project
    [Massively Multiplayer Online Role Playing Game Chat] 175 Lakeside Ave, Room 300A Phone: (802)865-5744 Fax: (802)865-6446 1/21/2016 http://www.lcdi.champlain.edu Disclaimer: This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated. Contents Introduction ............................................................................................................................................................................ 2 Background: ........................................................................................................................................................................ 2 Purpose and Scope: ............................................................................................................................................................. 3 Research Questions: ...........................................................................................................................................................
    [Show full text]
  • Download: Brill.Com/Brill-Typeface
    Poets of Hope and Despair Russian History and Culture Editors-in-Chief Jeffrey P. Brooks (The Johns Hopkins University) Christina Lodder (University of Kent) Volume 21 The titles published in this series are listed at brill.com/rhc Poets of Hope and Despair The Russian Symbolists in War and Revolution, 1914-1918 Second Revised Edition By Ben Hellman This title is published in Open Access with the support of the University of Helsinki Library. This is an open access title distributed under the terms of the CC BY-NC-ND 4.0 license, which permits any non-commercial use, distribution, and reproduction in any medium, provided no alterations are made and the original author(s) and source are credited. Further information and the complete license text can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/ The terms of the CC license apply only to the original material. The use of material from other sources (indicated by a reference) such as diagrams, illustrations, photos and text samples may require further permission from the respective copyright holder. Cover illustration: Angel with sword, from the cover of Voina v russkoi poezii (1915, War in Russian Poetry). Artist: Nikolai K. Kalmakov (1873-1955). Brill has made all reasonable efforts to trace all rights holders to any copyrighted material used in this work. In cases where these efforts have not been successful the publisher welcomes communications from copyright holders, so that the appropriate acknowledgements can be made in future editions, and to settle other permission matters. The Library of Congress Cataloging-in-Publication Data is available online at http://catalog.loc.gov Typeface for the Latin, Greek, and Cyrillic scripts: “Brill”.
    [Show full text]
  • The Summarization of Technical Internet Relay Chats
    Proceedings of the ACL conference. Ann Arbor, MI. July 2005. Digesting Virtual “Geek” Culture: The Summarization of Technical Internet Relay Chats Liang Zhou and Eduard Hovy University of Southern California Information Sciences Institute 4676 Admiralty Way Marina del Rey, CA 90292-6695 {liangz, hovy} @isi.edu used for analyzing the impact of virtual social in- Abstract teractions and virtual organizational culture on software/product development. This paper describes a summarization sys- The emergence of email thread discussions and tem for technical chats and emails on the chat logs as a major information source has Linux kernel. To reflect the complexity prompted increased interest in thread summariza- and sophistication of the discussions, they tion within the Natural Language Processing are clustered according to subtopic struc- (NLP) community. One might assume a smooth ture on the sub-message level, and imme- transition from text-based summarization to email diate responding pairs are identified and chat-based summarizations. However, chat through machine learning methods. A re- falls in the genre of correspondence, which re- sulting summary consists of one or more quires dialogue and conversation analysis. This mini-summaries, each on a subtopic from property makes summarization in this area even the discussion. more difficult than traditional summarization. In particular, topic “drift” occurs more radically than in written genres, and interpersonal and pragmatic 1 Introduction content appears more frequently. Questions about the content and overall organization of the sum- The availability of many chat forums reflects the mary must be addressed in a more thorough way formation of globally dispersed virtual communi- for chat and other dialogue summarization sys- ties.
    [Show full text]
  • Google Talk: Is It Ready for the Enterprise?
    Research Publication Date: 16 April 2009 ID Number: G00166834 Google Talk: Is It Ready for the Enterprise? David Mario Smith, James Lundy This report discusses the Google Talk instant messaging product and its suitability for enterprises. This is important for companies which are looking at alternatives to IBM and Microsoft for messaging and collaboration. Key Findings • Google Talk IM is based on the Extensible Messaging and Presence Protocol (XMPP) and Jingle protocols. • To get enterprise-level support for Google Talk, companies have to purchase the full Google Apps Premier Edition (GAPE) suite. • Enterprise users are already using the Google Talk and Gmail free services. Recommendations • Enterprises making collaboration decisions should include the Google Apps portfolio as part of an effort to compare the economics of their current incumbent provider vs. similar services provisioned in the cloud. © 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. WHAT YOU NEED TO KNOW Enterprise instant messaging (IM) has emerged to become an infrastructure component in enterprises.
    [Show full text]
  • A Comparison Between Inter-Asterisk Exchange Protocol and Jingle Protocol: Session Time
    Engineering, Technology & Applied Science Research Vol. 6, No. 4, 2016, 1050-1055 1050 A Comparison Between Inter-Asterisk eXchange Protocol and Jingle Protocol: Session Time H. S. Haj Aliwi N. K. A. Alajmi P. Sumari K. Alieyan School of Computer Sciences Saad Al-Abdullah Academy School of Computer Sciences National Advanced IPv6 Center Universiti Sains Malaysia for Security Sciences, Kuwait Universiti Sains Malaysia Universiti Sains Malaysia [email protected] [email protected] [email protected] [email protected] Abstract—Over the last few years, many multimedia conferencing sessions. Such applications are Gtalk, Talkonaut, and Hangouts and Voice over Internet Protocol (VoIP) applications have been [7]. developed due to the use of signaling protocols in providing video, audio and text chatting services between at least two participants. II. BACKGROUND This paper compares between two widely common signaling protocols: InterAsterisk eXchange Protocol (IAX) and the extension of the eXtensible Messaging and Presence Protocol A. IAX Protocol (Jingle) in terms of delay time during call setup, call teardown, In 2004, Mark Spencer created the Inter-Asterisk eXchange and media sessions. (IAX) protocol for asterisk that performs VoIP signaling [22]. IAX is supported by a few other softswitches, (Asterisk Private Keywords-multimedia conferencing; VoIP; signaling protocols; Branch eXchange) PBX systems [23], and softphones [18]. Jingle; IAX Any type of media (Video, audio, and document conferencing) can be managed, controlled and transmitted through the I. INTRODUCTION Internet Protocol (IP) networks based on IAX protocol [25]. With the appearance of numerous multimedia conferencing IAX2 is considered to be the current version of IAX.
    [Show full text]
  • XEP-0234: Jingle File Transfer
    XEP-0234: Jingle File Transfer Peter Saint-Andre Lance Stout mailto:xsf@stpeter:im mailto:lance@andyet:com xmpp:peter@jabber:org xmpp:lance@lance:im http://stpeter:im/ 2019-06-19 Version 0.19.1 Status Type Short Name Deferred Standards Track jingle-ft This specification defines a Jingle application type for transferring a file from one entity to another. The protocol provides a modular framework that enables the exchange of information about the file to be transferred as well as the negotiation of parameters such as the transport to be used. Legal Copyright This XMPP Extension Protocol is copyright © 1999 – 2020 by the XMPP Standards Foundation (XSF). Permissions Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the ”Specification”), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specifi- cation, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or sub- stantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or pub- lisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.
    [Show full text]
  • Security Analysis of Instant Messenger Torchat
    TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Informatics Chair of Software Engineering Security Analysis of Instant Messenger TorChat Master's Thesis Student: Rain Viigipuu Student code: 072125 Supervisor: Alexander Norta, PhD External Supervisor: Arnis Parˇsovs, MSc TALLINN 2015 Abstract TorChat is a peer-to-peer instant messenger built on top of the Tor network that not only provides authentication and end-to-end encryption, but also allows the communication parties to stay anonymous. In addition, it prevents third parties from even learning that communication is taking place. The aim of this thesis is to document the protocol used by TorChat and to analyze the security of TorChat and its reference implementation. The work shows that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks. 2 Contents 1 Introduction 6 2 Tor and Hidden Services 8 2.1 Hidden Services . .9 2.1.1 Hidden service address . 11 3 TorChat 12 3.1 Managing Contacts and Conversations . 12 3.2 Configuration Options . 16 4 TorChat Protocol 17 4.1 Handshake . 17 4.2 File Transfers . 18 4.3 Protocol Messages . 19 4.3.1 not implemented . 19 4.3.2 ping . 20 4.3.3 pong . 21 4.3.4 client . 22 4.3.5 version . 22 4.3.6 status . 22 4.3.7 profile name . 23 4.3.8 profile text . 23 4.3.9 profile avatar alpha . 24 4.3.10 profile avatar . 24 4.3.11 add me.............................
    [Show full text]