Secure Instant Messenger

User Manual v.0.9.07 http://goldbug.sf.net

1 What is GoldBug?

GoldBug is a secure Instant Messenger. You can be sure with using GoldBug (GB), that no third party can look into your chat communication. Private user-to-user communication remains private. GoldBug therefore uses strong multi-encryption with different layers of modern encryption technologies of well known and revised crypto libraries (like libgcrypt (GnuPG) and OpenSSL). For example it generates more than 8 RSA public / private encryption keys. The app offers as well decentral and encrypted Email and decentral public E*IRC-Chat. As in every Messenger, you can share and transfer files. 2 Why encryption matters:

Today mostly every WIFI is protected with a password.

In a few years as well every plaintext message or email to friends over the internet will be encrypted too.

It is not a question to have something to hide or not, • it is a question to control by yourself the security of your communications - or having it controled by others. • It‘ s a question of free thinking and • taking away the presumption of innocence.*) • Democracy requires the thinking and debate of alternatives in private and public. "The question is not 'do you have something to hide?' Strong-Multi-Encryption ensures the The question is whether we control declaration of human rights in broad constitutional consensi and is a digital or they controls us." - Oliver Stone self-defense, everyone needs to learn http://www.youtube.com/watch?v=0U37hl0n9mY and utilize.

GoldBug is one easy to use tool for that. *) http://www.faz.net/aktuell/feuilleton/buecher/themen/autoren-gegen-ueberwachung/demokratie-im-digitalen-zeitalter-der-aufruf-der-schriftsteller-12702040.html 3 GoldBug has alternatives to RSA

Find your own setting of encryption components: RSA, ElGamal, DSA. of course: Keysize! .. and for: Cipher, Hashtype, Iteration Count, Salt Length.

Encryption RSA or El Gamal Algorithm

NTRU or (not yet implemented) DSA

Signature or or El Gamal

RSA

4 Why the name GoldBug?

" 'The GoldBug' is a short story by Edgar Allan Poe. The plot follows William LeGrand, who recently discovered a gold-colored bug. His companion, Jupiter, fears LeGrand is becomming now obsessed with searching for treasure, knowledge and wisdom after being in contact with the GoldBug - and goes to LeGrand's friend, an unnamed narrator, who agrees to visit his old friend. After LeGrand has deciphered a secret message the three start an adventure as a team. 'The Gold-Bug' - as one of the few pieces of literature - incorporates ciphers as part of the story. Poe took advantage of the popularity of cryptography as he was writing 'The Gold-Bug' in 1843, and the success of the story centers e.g. on one such cryptogram and the search for the Philosopher's Stone. 'The Gold-Bug' was an instant reviewed story and was the most popular and most widely evaluation of Poe's works during his lifetime. His ideas also helped to popularize secured writing and cryptograms." - Wikipedia.

170 years later encryption has more weight than ever. It has to be a standard when sending out communication over the Internet. 5 Echo Protocol ?!

• Echo Protocol simply means, each Messgage is encrypted… • SSL ( AES ( RSA ( Message))) • … and every Neighbor sends every Message to every Neighbor. • Small World Phenomen: Everyone can reach everyone over 7 hops in a f2f/p2p network or over a common chat server.

6 Echo Protocol !

Every neighbor sends every message to every neighbor. (Klick on the image to see the simulation)

If you receive a duplicate message, it is controlled in your cache for congestion. You can also send out fake or impersonated messages, to disturb tracking. 7 The Echo Grid: E1 – O4

When we talk and teach about ECHO, we just draw an Echo Grid from E1 - O4 and connect the letters on the buttom line. E.g.: E1-E2 describes a neighbor IP connection.8 Paths based on Keys

Alice Ed

Bob Maria 9 Examples of the Key-Exchange of Alice, Bog, Ed and Maria.

• Alice (IP=E1) and Bob (IP=C3) swapped their keys and are connected over the IP-Neighbours: E1- E3-E5-E6-C3. • Bob (C3) and Maria (O4) are friends too, they swaped encryption-keys as well: and use the IP- connection of the neighbors: C3-C4-H5-H3-H4-H6-O3-O4. • Finally, Maria (O4) is a friend of Ed (H1). They communicate over either: O4-O3-H6-H4-H3-H1 or they use the path of: O4-O2-O1-O3-H6-H4-H3-H1. As every IP-neighbor sends every message to every connected neighbor, the path within shortest time delivers the message. • Direct IP Connections of Neighbors like e.g. E1-E3 can be secured by using an account information: No other IP address than E1 can connect to the listener of the neighbor E3. That way a web of trust can be established, without beeing dependent on encryption keys, nor need the neighbor a friend, you share your chat or email key with. • „Turtle hopping“ is more efficient: When Ed and Alice share a Starbeam-Filesharing-Magnet, the Echo protocol transports the packet over H1-H3-H5-C4-C3-E6-E5-E3-E1. Maria is not in the route, but will get as well the packets over echo, if she knows the Starbeam-Magnet. • A Buzz IRC Channel Room can be created/hosted by O2. As only Ed knows the Buzz Room name, all other Neighbors and Friends are kept out. Advantage: you can chat with unknown friends in a buzz room without swapping your public chat key, instead you use a one-time-magnet for a buzz room. • Maria is a common friend of Ed and Bob, she enabled for Emails the C/O-Funktion, that allows Ed to write emails to Bob, tough he is offline, Maria keeps the emails until Bob comes online. • Further: Alice enabled an institution for email: Ed sent his email-key to Alice and Ed added Alice Email instituation-magnet. Now as well Bobs emails to Ed are stored in Alice, even if Maria is offline.10 Adaptive Echo (AE) Tokens

When you, your chat-friend and the chat-server add the same Adaptive-Echo (AE) Token, then the chat server will send your message only to your friend (and not to all connected users, as provided by the "Full Echo"). With an AE-Token no one else will get or see your message and hence no one can try to break encryption, because potential recording nodes are excluded. Hansel and Gretel - another Adaptive Echo Example: When node A2, E5 and E2 share the same AE-Token, then E6 will not get any message, which A2 (Hansel) and E2 (Gretel) will exchange. Node E5 learns via the known token "white_pebbles", not to send to E6 (Wicked Witch). An "Adaptive Echo" Network does not reveal any destination information (comp. Ants Routing). Remember: "Half Echo" sends only one hop to the connected neighbor and "Full Echo" sends the message to all connected nodes over infinite hops. While "accounts" prevent clients from connecting, "AE-Tokens" provide graph- or path-"exclusivness" for sent messages via nodes, knowing an AE-Token. Server admins can share their tokens with other server admins as well, if they trust each other (ultrapeering for trust). 11 Explore and evaluate lots of GoldBug Features

• Encypted 1:1 Chat: GoldBug encrypts your private chat with RSA-Keys, SSL and end-to-end encryption. • Encrypted Groupchat: With all your friends you can create a group chat • Starbeam: FileSharing: Anonymous Seeding. • Public/Priv. RSA Keys: GoldBug uses public/private keys. The public key must be exchanged between riends. • Repleo: Either you send your key in plaintext or you use the Repleo, which encrypts your key itself. • Gemini: The Gemini is an AES-end-to-end encryption for chat and an additional layer of encryption. • GoldBug-Passphrase: Secure your GB-Emails with a passphrase per each email. This is called a GoldBug- Phrase. • p2p Email: Next to Chat: GoldBug offers you serverless p2p Email without data retention. Integrated BitMail.sf.net • e*IRC: Public Chat is provided with e*IRC, which is echo-ed IRC: Groupchat on AES Channels. • MELODICA: The MELODICA Button provides instant forward secrecy. Renew your Gemini in a second! • Instant Fwd Secrecy: Session AES-keys are inde-pendent from longterm RSA-keys. Use MELODICA often! Multi-Encrypted-Long-Distance-Calling. • Opt. Authentication: GB provides optional use of signatures, for authenticated Chat & Emails. Trust, when needed. • Chat over Tor-Proxy: Yes, GoldBug can be used over the Tor-Proxy. It is a new TorChat Application with end to end encryption, which keeps the tor-exit-node out of your communication. • Echo Protocol: Next to encryption & f2f Email: Echo is a new algorithm, that makes GB resistant to tracking. • Half Echo Modus: Half Echo sends messages only directly to one friends IP. Exclude others to ever get your message. • Simulacra-Scrambler: The simulacra sends out random fake messages from time to time. And No, it´s not the Mona Lisa. • WoT-Deniability: The Half Echo Modus creates a deniability for a web-of-trust (f2f) in a p2p-environmen12t. • At the same time you can build a web-of-trust with password-protected accounts. Screenshots: - Kernel Activation

13 Activate Kernel (Simple View)

• When you have set your password and checked (after restart) the simple view, the tab looks like this.

• Just press the activate button to start the kernel.

• When you close the gui, you close the gui, and the kernel will still be running. When you want to quit both, first deactivate the kernel and then close the gui. • You can de/activate the kernel by pressing the left LED or the button „Activate“. • Your generated keys are stored in the subpath /.spoton. In case you want to set up a new account and want to erase all your data, just delete the path and start fresh.

14 Activate Kernel (Full View)

• Choose (any) settings for the public keys, e.g. choose a key size greater than 2048 bit. • Enter a passphrase with a minimum of 16 characters and press the „set“-button. • Make sure, the path to GeoIP.dat and Spot-On-Kernel is set correctly (highlighted in green).

• If the pathes are set correctly, you can check the simple mobile device interface view, this structures the interface even more simple. • Check „Simulacra“, in case you want to send out fake messages from time to time. • Check „Congestion Control“ in case you have a slow cpu or less bandwidth: it remembers the hash of an incomming (encrypted) message & reduces redundancy by not sending the same message out a second time. Default now. • Most important: Activate the kernel by pressing the red button. GUI (Graphical User Interface) and Kernel create a secure local socket connection and provide a Process ID (PID). The left LED at the status bar will get green.

15 Communication - Groupchat - Personal 1:1 Chat - p2p Email - echoed IRC (e*IRC)

16 GoldBug Chat is secure!

• After „kernel activation“ and „key exchange“ you will find your friend in the chat tab. • Both friends need to exchange keys and paste the friends key into the add friend tab. • You can just copy your key from the add friend tab or: you send a so called „repleo“ to your friend, then your key will be sent not as is, but encrypted with the (already gotten) key of your friend. This allows to prevent to send your key as is. So it is not - as a string – searchable in email accounts. • Select a friend and enter some text, then press the send button. • You can select even more than one friend to send out a groupchat. • Doubleclick on the friend to open a chat-pop up window. • MELODICA stands for Multi Encryted LOng DIstance CAlling and is the button to „call“ a friend. This generates 2 End to End Encryption keys, first an AES-256-Key, the gemini, and the so called MAC- Key, which additionally secures the Gemini transfer. The transfer of the Gemini is done within the RSA-/SSL-Encryption. • You can „call“ instantly new. That is: „Instant Forward Secrecy“. • Right mouseclick opens the context menu to find the commands as well there.

17 1:1 personal chat in a pop-up

• Have each friend in a pop-up chat. • Double click on the friends name.

18 p2p Email: without data retention

• GoldBug has integrated a p2p Email client based on the architecture of libspoton and the Bitmail.sf.net client. • You can use it as full Email client to email your friends. • Chat and Email have different RSA keys due to security reasons. You might want to add a friend to email, but not to chat. In case you shared the All-in-one-key, you share both keys: for chat and email (next to URLs and Rosetta Key). • In case you share only the email key, you need to approve the friend over the right mouse context menu „Accept key“ and you need to send your friend as well your own email-key. You can use as well a Repleo-Button for that, which encrypts your key (so you dont send it in plaintext). • You can send emails as well to offline friends! • Emails have no central server and are stored in your other friends, so try to get more than one friend into your email list. As the emails are encrypted, these „caching“ friends cannot read it. • You can use signed (= authenticated) messages, but need not. • When you want to set addtionally a password on your email, you can use the GoldBug button, which sets an AES-key on the email, but you then need to transfer this key to your friend. • Or you agree with your friend, that all emails are secured with the password e.g. with the town, you met first. 19 Anonymous p2p Email with Institutions

• Enable the C/O-Funktion in the tab for Email Settings. • Create an Institution and chose a Name and Address for the Institution.

• E.g. Name = „Google“ and Addres = „Dotcom“

• Add the email key of a friend to your node and let friends add your magnet of the institution to their node. The Magnet will look like this: magnet:? in=Google&ct=aes256&pa=Dotcom&ht=sha512&xt=urn:institution

• Then your node is saving emails of your friend while they are offline.

• You (as institution creator) need not to share your email key with your friends/subscribers. The friends/subscribers just add their email key to your institution and they add the magnet of your instituton.

• With Intitutions Offline-email is possible in the p2p network, without the Institutions or friends beeing connected as IP-Neighbor. That means within the echo grid you have anonynous email boxes over the institutional feature.

• You can share your email key in a buzz channel room, then even the institution creator remains anonymous for the key/magnet swap process.

• (Or you choose for offline email the c/o method of a third common friend enabling the c/o feature).20 echoed IRC

• Set your Nic-Name for the echoed IRC Chat (e*IRC) • To join a channel, simply enter the name of the channel-room or add a provided magnet link. The magnet link might have additional values next to the roomname such as key, hash or encryption cipher type etc. • When you enter just the roomname, the default values of 0000 are choosen for the encryption details and the channel will be encrypted based on the hashed roomname you provide. • Once done, press the button „Join“ (for magnets as well the pull down menu „de-magnetize“ will bring you into the room). • The Room-Tab opens, and you can set or delete the bookmark function for this room. • Enter some message and press the button „send“. • The Chat room is fully end-to-end encrypted and can be private or public, that depends on how you spread the roomname or the magent link. • As a public chat room you can link the magnet on your website and everyone knows how to come into the room. It is like IRC just with the difference, that the ISP and rooting servers of the internet cannot look into the communication, as it is encrypted. • Private room: you can easily open up a secure room beside the RSA 1:1 chat of your exchanged keys. A one-time-room shared with your friend over your secured RSA Chat. 21 FileSharing:

StarBeam

- Add/Create a Magnet - Optional: Nova - Optional: RAR/ZIP-Password - Select File+Magnet: Seed anonymously

22 StarBeam FileSharing

• The advantage of GoldBug is, that keys and IP addresses do not belong together. You just need a connection to any chat node. (Option: you can use accounts for building a Web of Trust (WoT)). • Of course, you can use the echo protocol and GoldBug to transfer files – like any other messenger. Encrypted Transfer of Files has been introduced with V 07 of GB and is called StarBeam. • Sharing files is the same as sending a text message in chat. You need an encrypted channel or the right key, to decrypt chunk by chunk. • That´s why you dont share a specific file in StarBeam, you share a wormhole, a crypto-channel. The channel is defined by a magnet. • Ideally you have for each file one magnet, for that you need to generate or add a (given) magnet. This can be a One-Time-Magnet (OTM). So once you have transferred ONE file over this magnetized crypto channel, the magnet expires and is deleted. But of course you can establish one crypto-channel with your sister and send out first the holiday pictures and then the text diary for the travel route. • A NOVA is an additional layer of encryption (AES) to protect the file. Like a magnet it must be given prior to be able to record the transmit. • Of course you can share a password protected rar/zip-file and share the secrets after the transmit has been done. • You can share a StarBeam Crypto-Slot with the public or just one person. • Once you have transferred a chunk of a file, the receiver can share it back and upload it again to the same or any other magnet-slot – and you even can do this with a time delay. 23 StarBeam: Magnets & NOVA‘ s

• When you want to download a file, just „add“ the given magnet (and maybe optional the NOVA-key). • NOVA is an additional encryption passphrase on the file. • Once the Magnet is added and your friend starts the seed, you see in the downloads tab the progress bar for the incoming file. • When you want to upload/seed a file, just „create“ one or more magnets and you will be able to select them in the Seed-Tab.

24 StarBeam: Transmit & Seed

• Select a file • Select one or more magnets (that´s what you generated in the magnet tab) • Optional: Set Nova-key. • Define Pulse/Chunk Size • Press Transmit Button • See the upload in the table • Side splitter to copy the magnet & transfer the magnet to a friend • Un-check „paused“ to start. 25 StarBeam: Downloads

• Copy a Magnet from a website or get it from a friend. • Add/Paste the magnet in the magnet tab. • Tell your friend you are ready to receive. • See the download starting. • (Set path and mosaic cache size).

• StarBeamAnalyzer (over Tools Menu) allows to check, if all chunks/links have been transmitted, if not, copy out the Missing- Links-Magnet and your firend can paste it in his client, to send you only the missing links/chunks. Otherwise he can rewind the full file and seed/upload it a second time.

26 Magnet URIs

• Magnets are used for a crypto-information bundle. • New extensions for the Magnet URI standard • Magnets replace e.g. RSA public & private Key exchange (Magnets are the new PGP). • OTP => ORM: One Time Magnets (OTM) are the new One Time Pad (OTP) • Starbeam Filesharing: Magnets describe not a file, but a crypto channel. You can link it without sorrows on any website. • Rar/zip-Files might have a further passphrase, which is given when the transmit has been done. • Do StarBeam Magnets offer a new way of thinking in terms of „Crypto-Torrents“ with anonymous Seeds on the echo protocol? 27 Set up - Chat server/ Listener - Accounts - connect Neighbor - exchange Keys

- further details 28 EMPP-Chat Server (simple view)?

• Let´s look at the simple view to create a chat server. It is really simple and you should forward the IP and Port in your router, so you have all 3 LEDs green. Then your friends can reach you even without a third webserver for the chat. • Use the Pull-Down menu to choose your local device IP. • Click it into the „My IP“ Textfield. • GoldBug automatically uses the TCP port 4710. • Press the button „Set“…. • …. And you should see the LED in the middle as well green. • Press now the button „Go Live“, this announces to your online friends, that this Listener/Chat Server has been created by you and the clients from your friends will connect. • Setting up a chat server has never been so simple.

• Your external IP from the ISP is shown in the status bar. Be sure this is not your local device IP you have in the pulldown menu and you want to enter into the IP field. It must be your internal local device IP 29 EMPP Chat Server (full view)

• You can connect either as a client to a chat server, or, open up at home your client as a „servent“ (server and client) and create a so called „listener“ for that. • A Listener is defined by a port. Default GoldBug uses Port 4710. • To define that, you need to choose from the pull down menu your local device IP-Address and press the button „set“. TCP is best for the transport. • Maybe you are at home, then you need to forward that Port and IP within your router or Nat. Otherwise your friends cannot reach you. • When you choose „half echo“ as an option, messages are sent only from client to server, one hop. Messages are not forwarded, that means, your friends can only chat with your directly connected server. • The Listener table shows you your created listener. With the check box „use accounts“ you also have the option, that your friends connect only with login credentials to your chat server. • You can create a chat account for your listener in the referring box. • The LED in the Middle will highligt in green, that you created successfully a listner for your chat server. • EMPP stands for Echoed Messaging and Presence Protocol 30 Connect a Neighbor (simple view)

• Set the Graphical User Interface in Settings to „simple view“ and you see, how easy it is to connect to a neighbor, friend or chat server: • Just enter the IP, (we assume the chat server has default port 4710) • And press the „Connect“ button • The right LED gets green. • That´s it. Exchange keys and see your friend online.

• In case a connection will not work, just delete in the path ./spoton the file „neighbors.db“ . In this encrypted database all the neighbor IP addresses are saved and if you delete it, GoldBug will make it new and you can enter a fresh IP address to connect, which hopefully makes the LED green.

31 Connect a Neighbor (full view)

• To connect to a chat network, to your friend or a chat server you need the IP-Address. Just enter it into the IP field. • Set the port of the chat server, by default it should be 4710. • Your friend could have set up a listener/Chat Server wich requires you to define the protocol: TCP or UDP, but normally it should be a TCP Listener, otherwise ask your friend. • The chatserver might drop TCP-SSL connections, which have not a defined SSL key size standard, so you can set the SSL key size which is needed for this server-connection. • You as well can set, to not connect to chat servers, that have not the SSL key size, you await (as client). • When you choose the half echo, your messages are only sent to the chat server and not to any further node. This means the chat server will be your only direct connected friend, other friends or nodes will not be in the „forwarding-loop“ (echo) and your message is shared only between these two nodes. • If you network requires a proxy, you can add the details and credentials for your connection. This can be used to chat as well over Tor, so the IP address is anonymized and the exitnode of Tor cannot read the message, as it is encrypted by GoldBug. An established TorChat application with end to end encryption that hides your chat at Tor-Exit nodes. • Enter the IP and press the button „connect“ and the right LED gets green. 32 Exchange Keys

• GoldBug uses a public/private Key infrastructure you know from GnuPGP. The public key can be shared and the private one ramains encrypted on your machine. For that, it generates several keys (one for email, one for chat etc) at the initial setup. • There is a button, which has all these keys in one text. Copy the full text of the key and share it with your friend. • You as well need to get the key of your friend and enter it into the key-box. • In case you do not want to send your key in plaintext, you can send it encrypted with the key from your friend, you already just got. This is called to make a REPLEO. A repleo is the text of your key, but encrypted with the provided public key of your friend. That means you will not transfer your own key in plaintext. Your public key keeps private. • A „key“-text starts always with the letter „k“ or „K“ and the Repleo with „r“ or „R“, so you know, which radiobutton to choose, depending on what your friend sends you. • Press the „Add“ button and see, if the friend is appearing in the chat friends list and in the email „to“-field as a recipient. • Set your usernames (in the chat and email tab) before you transfer keys, so your friend knows your name. Otherwise by default „unknown“ is written, which will update on connection. 33 Rosetta CryptoPad

• Find it under Tools. • Exchange/Add a Rosetta- Key with/of a Friend. • Enter Text. • Convert. • Post the Output to the Web anywhere. The Paranoids can post a Rosetta- Ciphertext even in Goldbug-Chat. • Decrypt Vice Versa. • A slow-chat-Tool. • Why the name? See Wikipedia. Stone of Rosetta.

34 Libspoton-Implementation

• Libspoton is the underlaying library for the GoldBug Instant Messenger. • Spot-On has as well a gui and is full of adjustable options, GoldBug aims to be a desktop/mobile messenger with a smaller set of options to fit mobile or tablet devices.

• libspoton is a c++ library as an exploratory research project investigating an encrypted communication and data transfer protocol, called the "echo protocol" or short "EMPP" protocol: Echoed Message and Presence Protocol. The package which includes the 'libspot-on' library, is found here: spot-on.sf.net It enables personal and group messaging, decentral p2p email, echoed IRC/Buzz Chat Channels and secure Filetransfer with multi-encryption (SSL, RSA (PGP / GnuPGP) / ElGamal, AES, libgcrypt, OpenSSL etc). IP Addresses are detached from Encryption Keys. It is programmed in c++ and is the underlaying library for chat, email and messaging applications like the GoldBug Instant Messenger App. Libspoton can be deployed by every c-developer into chat and filesharing apps. 35 libspoton features

• Chat and e-mail encryption and signature asymmetric key pairs. • DSA, ElGamal, and RSA encryption support. • DSA and RSA signature support. • E-mail. • Encrypted local data. • Extra encryption and hash chat keys. Extra e-mail encryption keys. • Hybrid communications. • IRC-like channels. • Lots of odd statistics. • Multi-threaded kernel. • Mutual access authentication. • Proxy support. • Pure symmetric communications. • Re-encode support of locally-encrypted data. • Scramblers. • Selectable SSL ciphers. • Selectable encryption and hash algorithims. • Simple IP-based firewalls. • StarBeam transfer protocol. • Support for TCP and UDP communications. • Tiered application: kernel and user interface processes. 36 Further Implementations & GB Features • Accounts: Enter your password to the account, it is not transferred to the server, just a hash comparison is done on both sides.

• All data on your hard disk (.db files) is strong encrypted. • Gemini (end-to-end encryption key) is secured by a MAC Gemini Hash. • Secure Key Transfer: Repleo encrypts your public key.

• Chat over Tor with GoldBug. • Instant Forward Secrecy with MELODICA Button: Change the encryption key end to end whenever you want. • Set an additional password for emails (based on AES). • Send p2p Emails to offline friends.

• Email-Signatures: Decide, if you want to send and receive authenticated emails or just non-authenticated.

• StarBeam (SB): Transmit your file into a network of encrypted packets anonymously. • TCP & UDP transport for the echo protocol: UDP is ideal for echoed VoIP. 37 MELODICA Instant Forward Secrecy

• MELODICA stands for Multi Encryted LOng DIstance CAlling and is the button to „call“ a friend.

• This function generates 2 end-to-end Encryption keys, first an AES- 256-Key, the Gemini, and the so called MAC-Key, which additionally secures the Gemini transfer.

• The transfer of the Gemini is done within the RSA-/SSL-Encryption.

• Only end-to-end encrypting apps are secure today.

• The echo protocol provides an environment, in which you can share and re-new the passphrase, only two people should know, instantly.

• UDP Transport allows end-to-end encrypted VOIP applications based on the echo protocol & MELODICA calls. 38 List of criteria to evaluate differences compared to other tools..

Use proxy capabilities? Send email messages to offline friends? Dont stuck the key to your IP Address? No hashing of a file and sending it with hash and senders/receivers ID to neighbors, so it is identifyable? Change rsa to another algo? Just need connectivity, no key exchange, keys are optional? You are more autonomous? Trust is not needed, or can be added as you define it? Technical simplicity? Anonymous seeds? You cannot determine, who is reading which message (as you have no destination ID or info added)? Free of Web of Trust-Graphs and no mapping of connections ? Its different, its fun? Local database stores all info in encrpyted .db’ s? Optional authentication of messages ? You can communicate without public keys, using Magnets ? Support for UDP to the degree that is given ? Support the multi-layer of encryption Multiple listeners are possible? Multi-threaded: Lots of threads? A kernel is given? You can communicate with TCP or UDP, or both? You can use SSL or not? You can define many points of connections? You can store messages in friends ? You have the option to use an end-to-end key for communication? You have the option to renew the end-to-end key each time you want (not only session based)? Using a one time magnet (OTM) for a crypto channel? Having different Keys for Chat, Email, Cryptopad, Filetransfer etc.? Having ipv6 support? Having Qt 5 and up deployed ? Hops are not forwarding, no routing, is it always a wrap the message new and send to just to your friend? Having the option to send fake messages to the analysts (with own fake keys)? Having multi encryption? SSL + RSA + AES ? Or even Ciphertext over SSL + RSA + AES ? Sending a message to a friend to his dedicated connection and not to all connections? Hiding the key exchange online? Use several encryption keys on one filetransfer? Adding a passphrase on a file transfer ? Use it as client without a listener? ... over 35 criteria, someone could analyse and write about in his/her master thesis with the different implementations in two tools compared. 39 The digital encryption of your private communication in the context of …

40 Principles of the protection of private speech, communication and life (I)

Principles of the protection of private speech, communication and life:

Universal Declaration of Human Rights, 1948 (Art. 12)

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. http://www.un.org/en/documents/udhr/index.shtml#a12 http://en.wikipedia.org/wiki/Universal_Declaration_of_Human_Rights

International Covenant on Civil and Political Rights, 1966 (Art. 17)

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks. http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx http://en.wikipedia.org/wiki/International_Covenant_on_Civil_and_Political_Rights

European Convention on Human Rights, 1950 (Art. 8)

1.Everyone has the right to respect for his private and family life, his home and his correspondence.

2.There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. http://conventions.coe.int/treaty/en/Treaties/Html/005.htm http://en.wikipedia.org/wiki/European_Convention_on_Human_Rights 41 Principles of the protection of private speech, communication and life (II)

Charter of Fundamental Rights of the European Union, 2000 (Art. 7, 8)

Article 7. Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. Article 8. Protection of personal data 1.Everyone has the right to the protection of personal data concerning him or her. 2.Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3.Compliance with these rules shall be subject to control by an independent authority. http://en.wikisource.org/wiki/Charter_of_Fundamental_Rights_of_the_European_Union http://en.wikipedia.org/wiki/Charter_of_Fundamental_Rights_of_the_European_Union

Basic Law e.g. for the Federal Republic of Germany, 1949 (Art. 2 Abs. 1 i. V. m. Art. 1 Abs. 1)

Article 2 [Personal freedoms] (1) Every person shall have the right to free development of his personality insofar as he does not violate the rights of others or offend against the constitutional order or the moral law. Article 1 [Human dignity – Human rights – Legally binding force of basic rights] (1) Human dignity shall be inviolable. To respect and protect it shall be the duty of all state authority. https://www.btg-bestellservice.de/pdf/80201000.pdf http://en.wikipedia.org/wiki/Basic_Law_for_the_Federal_Republic_of_Germany Secrecy of correspondence - Fernmeldegeheimnis (Art. 10 Abs. 1 Grundgesetz) § 88 Abs. 1 Fernmeldegeheimnis - Telekommunikationsgesetz:

(1) Dem Fernmeldegeheimnis unterliegen der Inhalt der Telekommunikation und ihre näheren Umstände, insbesondere die Tatsache, ob jemand an einem Telekommunikationsvorgang beteiligt ist oder war. Das Fernmeldegeheimnis erstreckt sich auch auf die näheren Umstände erfolgloser Verbindungsversuche. (2) Zur Wahrung des Fernmeldegeheimnisses ist jeder Diensteanbieter verpflichtet. Die Pflicht zur Geheimhaltung besteht auch nach dem Ende der Tätigkeit fort, durch die sie begründet worden ist. (3) Den nach Absatz 2 Verpflichteten ist es untersagt, sich oder anderen über das für die geschäftsmäßige Erbringung der Telekommunikationsdienste einschließlich des Schutzes ihrer technischen Systeme erforderliche Maß hinaus Kenntnis vom Inhalt oder den näheren Umständen der Telekommunikation zu verschaffen. Sie dürfen Kenntnisse über Tatsachen, die dem Fernmeldegeheimnis unterliegen, nur für den in Satz 1 genannten Zweck verwenden. Eine Verwendung dieser Kenntnisse für andere Zwecke, insbesondere die Weitergabe an andere, ist nur zulässig, soweit dieses Gesetz oder eine andere gesetzliche Vorschrift dies vorsieht und sich dabei ausdrücklich auf Telekommunikationsvorgänge bezieht. Die Anzeigepflicht nach § 138 des Strafgesetzbuches hat Vorrang. (4) Befindet sich die Telekommunikationsanlage an Bord eines Wasser- oder Luftfahrzeugs, so besteht die Pflicht zur Wahrung des Geheimnisses nicht gegenüber der Person, die das Fahrzeug führt oder gegenüber ihrer Stellvertretung. 42 Principles of the protection of private speech, communication and life (III)

§ 206 Verletzung des Post- oder Fernmeldegeheimnisses

(1) Wer unbefugt einer anderen Person eine Mitteilung über Tatsachen macht, die dem Post- oder Fernmeldegeheimnis unterliegen und die ihm als Inhaber oder Beschäftigtem eines Unternehmens bekanntgeworden sind, das geschäftsmäßig Post- oder Telekommunikationsdienste erbringt, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.

(2) Ebenso wird bestraft, wer als Inhaber oder Beschäftigter eines in Absatz 1 bezeichneten Unternehmens unbefugt 1. eine Sendung, die einem solchen Unternehmen zur Übermittlung anvertraut worden und verschlossen ist, öffnet oder sich von ihrem Inhalt ohne Öffnung des Verschlusses unter Anwendung technischer Mittel Kenntnis verschafft, 2. eine einem solchen Unternehmen zur Übermittlung anvertraute Sendung unterdrückt oder 3. eine der in Absatz 1 oder in Nummer 1 oder 2 bezeichneten Handlungen gestattet oder fördert.

(3) Die Absätze 1 und 2 gelten auch für Personen, die 1. Aufgaben der Aufsicht über ein in Absatz 1 bezeichnetes Unternehmen wahrnehmen, 2. von einem solchen Unternehmen oder mit dessen Ermächtigung mit dem Erbringen von Post- oder Telekommunikationsdiensten betraut sind oder 3. mit der Herstellung einer dem Betrieb eines solchen Unternehmens dienenden Anlage oder mit Arbeiten daran betraut sind.

(4) Wer unbefugt einer anderen Person eine Mitteilung über Tatsachen macht, die ihm als außerhalb des Post- oder Telekommunikationsbereichs tätigem Amtsträger auf Grund eines befugten oder unbefugten Eingriffs in das Post- oder Fernmeldegeheimnis bekanntgeworden sind, wird mit Freiheitsstrafe bis zu zwei Jahren oder mit Geldstrafe bestraft.

(5) Dem Postgeheimnis unterliegen die näheren Umstände des Postverkehrs bestimmter Personen sowie der Inhalt von Postsendungen. Dem Fernmeldegeheimnis unterliegen der Inhalt der Telekommunikation und ihre näheren Umstände, insbesondere die Tatsache, ob jemand an einem Telekommunikationsvorgang beteiligt ist oder war. Das Fernmeldegeheimnis erstreckt sich auch auf die näheren Umstände erfolgloser Verbindungsversuche. http://www.gesetze-im-internet.de/gg/art_10.html http://en.wikipedia.org/wiki/Secrecy_of_correspondence http://de.wikipedia.org/wiki/Briefgeheimnis http://de.wikipedia.org/wiki/Fernmeldegeheimnis http://de.wikipedia.org/wiki/Postgeheimnis http://www.gesetze-im-internet.de/tkg_2004/__88.html http://www.gesetze-im-internet.de/stgb/__206.html

United States Constitution: Search and Seizure (Expectation of Privacy, US Supreme Court)

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. http://www.usconstitution.net/const.html 43 Appendix: Website Information http://goldbug.sf.net

44 Home Download Project Source SVN

Englliish German Chiinese Spaniish French Russiian

GoldBug V 0..7 Chatt,, p2p Emaiill,, e*IIRC.. 4 publliic//priiv.. RSA-Keys.. Secure Messaging Secure End--tto--End- Communiicatte wiitth strong mulltii encrypttiion. Encrypttiion (AES).. SSL-Connecttiions.. Autthenttiicattiion (opttiionall).. Diisttantt-Chatt..

What is GoldBug? Why encryption matters:

GoldBug is a secure Instant Messenger. You Today mostly every WIFI is protected with a can be sure with using GoldBug (GB), that no password. In a few years as well every plaintext message or email to friends over the internet will third party can look into your chat communication. Private user-to-user be encrypted too. It is not a question to communication remains private. GoldBug have something to hide or not, it is a question to therefore uses strong multi-encryption with control by yourself the security of your different layers of modern encryption communications - or having it controled by technologies of well known and revised crypto others. Strong-Multi-Encryption ensures the libraries (like libgcrypt (GnuPG) and OpenSSL). declaration of human rights in broad The app offers as well decentral and encrypted constitutional consensi and is a digital self- Email and decentral public E*IRC-Chat. defense, everyone needs to learn and utilize. GoldBug is the easy to use tool for that. Tweet Share 17 Learn more about GoldBug » Get involved with GoldBug »

GoldBug Features GoldBug.sf.net

Encypted 1:1 Chat Encrypted Groupchat Secure Instant Messenger GoldBug encrypts your private chat With all your friends you can to a friend with RSA-Keys, SSL create a group chat to all your Sprache auswählen ▼ and end-to-end encryption. friends just by selecting all.

StarBeam FileShare IP-less Key: Share files over the echo: Transfer a file using a In regard to other web of trusts the key has no

Tails Icon one time magnet link to a crypto Orbot Icon relation to an IP-Address. WOT channel. 2.0.

Public/Priv. RSA Keys Repleo: GoldBug uses public/private RSA Either you send your key in keys. The public key must be plaintext or you use the Repleo, exchanged between friends. which encrypts your key itself.

Gemini GoldBug-Passphrase The Gemini is an AES-end-to-end Secure your GB-Emails with a encryption for chat and an passphrase per each email. This is additional layer of encryption. called a GoldBug-Phrase.

p2p Email e*IRC Next to Chat: GoldBug offers you Public Chat is provided with e*IRC, serverless p2p Email without data which is echo-ed IRC: Groupchat retention. Integrated BitMail. on AES Channels.

MELODICA Instant Fwd Secrecy The MELODICA Button provides Session AES-keys are inde- instant forward secrecy. Renew pendent from longterm RSA-keys. your Gemini in a second! Use MELODICA often!

Opt. Authentication Chat over Tor-Proxy GB provides optional use of Yes, GoldBug can be used over signatures, for authenticated Chat the Tor-Proxy. It is a new TorChat & Emails. Trust, when needed. Application.

Echo Protocol Half Echo Modus Next to encryption & f2f Email: Half Echo sends messages only Echo is a new algorithm, that directly to one friends IP.Exclude makes GB resistant to tracking. others to ever get your message.

Simulacra-Scrambler WoT-Deniability The simulacra sends out random The Half Echo Modus creates a fake messages from time to time. deniability for a web-of-trust (f2f) in And No, it´s not the Mona Lisa. a p2p-environment.

FAQ

Is GoldBug really secure?

GoldBug uses modern technology based on open source libgcrypt libraries to encrypt the data. Not only the communication over the internet is encrypted several times with different methods, as well the application stores your data in an encrypted database. Even if Online-Banking (HTTPS) would be regarded not as secure anymore, GoldBug still will be: therefore it uses a mixture of a kind of public/private-PGP-Key/RSA-encryption - optionally with e.g. AES encryption. So it is additionally assured with (hash-salted) session keys and AES end-to-end encryption. Instead of AES you can of course choose some other given ciphers. It is your choice. Last not least, all that multi-encryption is sent over a secured SSL connection. The SSL connection is not founded on any central certificates of a server, which could be backdoored, instead SSL is used the p2p way, so that there is no central instance, which could sell your trusted certificate to third party. The SSL-certs are self-signed. Furthermore you can sign every message and email. This is an option, as well unsigned messages can be sent. OpenSSL is used for key derivation and encryption for each socket. The personal keys that you own (chat, email, url) are made by libgcrypt and are independent of OpenSSL. There are a total of six pairs of keys that this app generates at the beginning of the initial setup.

How to install ?

(1) Download the zip-Installer and unzip. 6 Milestones of Security (2) Settings Tab: Create a password. (1) Open Source (3) Settings-Tab: Check, if pathes to kernel and GeoIP.dat are green. If not, set the pathes. The GoldBug Messenger is open source: with BSD-license. Use Open (4) Settings-Tab: Activate the kernel. Source Linux instead of Windows.

(5a) Add-Key-Tab: Copy out your key with the big copy-key-button and exchange key with a friend (e.g. email). (2) Decentral SSL It uses the echo protocol with de- (5b) Add-Key-Tab: Paste the key of your friend and press the add-button. central SSL deployed by Qt & OpenSSL. Read about (half/full) (6) Connect-Tab: Add IP+Port of your friend or of a chat-server. echo below.

(7) Create-Listener-Tab: Choose the IP of your device (or localhost) and press the button "Set" and (3) End-to-End Encryption then "Go Live" GoldBug integrated the Gemini, Email-Passphrase- and MELODICA- (8) Status-Bar: See, if all 3 LEDs are green. If the Neihbours LED (middle) will not be green, try to add features based on AES-end-to-end- another IP or delete the file "neighbors.db" in the subpath ".spoton" and restart adding an IP into a encryption. Read below. fresh neighbors-database. (4) Multi-Encryption GoldBug uses (1) the public/private- (9) Chat-Tab or E*IRC-Tab: See, if chat friends are online. Key-Method (asymmetric encryption with RSA-Key) (2) with e.g. AES- Cipher (symmetric-end-to-end encryption) over (3) Why the Name? decentral, self-signed SSL.

(5) Strong Encryption GoldBug was the title of a short story of Edgar Allan Poe about cryptograms in 1843. In the GoldBug uses 2048-RSA-Keysize short story Mr. LeGrand, who was recently bitten by a gold-colored bug, starts an adventure with two and up with AES-256. other friends after deciphering a secret message. Poe took advantage of the popularity of cryptography and the success of the story centers on one such cryptogram. "The Gold-Bug" was an instant success and was the most popular and most widely read of Poe's works during his lifetime. It also (6) Clientside Encryption helped to popularize cryptograms and secured writing. You cannot log into a central website, instead you install the GoldBug client on the local device in your hand. Define yourself options like: key-sizes, What is StarBeam FileSharing? ciphers, salt-length etc.

StarBeam is the new FileSharing protocol provided by libspoton and GoldBug Messenger. While other filesharing applications like Emule (since 2002) with Edonkey-links, ShareAza (since 2004) and Vuze (since 2003) with Bit-Torrents and Magnets (in the old standard) are well known for their Weblinks to download files - Ten years later the StarBeam filesharing protocol renews the FileTransfer and the Magnet-URI Standard. Magnets from StarBeam can be linked on any website, because they are not related to any specific file. Instead, they are links to a crypto channel in the echo p2p-network. Only a so called "One-Time-Magnet" (OTM) is related and used only one time for the transfer of a specific file. That means it is fully ok to publish a StarBeam (SB) directory with magnets on your website. SB- Magnets are deniable: in no case it is guaranteed, that only a specific file or even two files are transmitted over this channel. No one can proof, is a OTM has ever been used or is used twice. StarBeam-Magnets can be private or public, in case they are public, you should use an account to a trusted neighbour. In case you don't have an account to a neighbour, even this is not needed, just transmit an encrypted zip/rar-file and share the password in a different channel or at a later point of time than you share the magnet. StarBeam Peers are able to record the stream and decrypt it later, when the Zip-Password is public. A recorded stream is called "mosaic", as you collect the chunks and puzzle the encrypted pieces thgether like in a mosaic. Once you have a part of a mosaic, you can play it again back to others. Sattelites of the Source make a StarBeam-Stream sustainable. Even XORed Files (offsystem) can be sent over the echo. Many potentials for the new filetransfer with StarBeam. Nothing to be curious about, every Instant Messenger allows to transfer a file, here it is just done over the echo protocol. Think the echo! A StarBeam-Magnet contains the ciphertype (CT), an encryption key (ek), a MAC Key (MK) (which secures the encryption key a second time) and the hash type (ht) and looks e.g. like this: magnet:? ct=aes256&ek=3BRXu+KofMPEjTLkPLEam1Bv9ndoX4nj&ht=sha512&mk=SLGzOi6HoSgYpdraIR39PAvw2pOhiPaWszfEdW03TYLaciawK1OOLoqApE94RAA6vIB75827mrtD6

Who can set up a server?

Everyone. Everyone can and should setup a chat server for GoldBug. It is quite easy to create a Listener (listening port) for your friends, if you can manage to make it acessible on your web (which means often to forward the chosen port in your router/nat or to set it up not at home, but directly on a webserver. The installation does not provide currently any server IP, so set up one for your friends to test. Or find server IPs on boards and forums. Some forums, boards or internet service communities have an own Echo-Server. Just ask at your board. A E*MPP-Server - a server for the "Echoed Messaging and Presence Protocol" - short: Echo Protocol - connects to only one or many clients. And servers of course as well. That all means: there is no central server and everything is decentral like any Jabber chat server. The difference is that this chat server does not allow any plaintext communication and: chat servers connected to chat servers announce within a p2p network their existence. Once you are connected, you should be able to connect to one or several chat servers/listeners of the decentral p2p-net.

Hence, EMPP chat servers define a new state of the art. For that it is highly recommended to think about jabber server software (and even jabber clients) being hybrid with the echo-protocol of libspot-on, Releases & Info which GB deploys too. GoldBug V 0.7 has been released on 2013- V0.7 12-17 (Christmas Release): Multi-Encryption: What technology do you use? Changelog 0.7: (1) Added FileSharing: Introduced the StarBeam Transfer Protocol. Magnet The technology is most modern, next to libgcrypt and a the pgp-like-method over SSL with optional Links are related to Crypto-Channels in the network, AES end to end encryption the whole client is using a new protocol, the Echo. Echo is currently and are not related to files. One-Time-Magnets ("OTM' s") are a Crypto-Channel to one dedicated file-transfer. deployed by the library libspot-on. Spot-On requires Qt 4.8.5 or Qt 5.1.x, libGeoIP 1.5.1, Magnets of StarBeam are linkable on any homepage, libcrypto 0.9.8 or later, libgcrypt 1.5.x, and libssl 0.9.8 or later. Qt 4.6.3 is also supported. as they are not associated to a file. The "Rewind" function starts the seed again. Seeders within these kind of "Crypto-Torrent"-like Magnets as trackers keep How to compile myself for windows? anonymous. Chunks are Encrypted. Keep Magnets private or use Accounts for Neighbours you trust or Download the source either from SVN or the download section. It is as well included in the win- provide the file-rar/zip-encryption key after the Transmit. installer zip. It might be good, to get compile experience with the spot-on library fist. For GoldBug (2) e*IRC: Added hash keys and types to Buzz read the compiling wiki. channels. (3) Transport: Added UDP transport as Option next to regular TCP transport. (4) GoldBug now deploys 6 RSA keys for Scrambler with faked Impersonator chat Messages (install fresh; in case you How to compile for Linux, OS X Mac, Raspberry Pi, OS/2, Android? upgrade: please delete ./spoton path and generate a new profile). (5) Added support for TLS 1.1 and TLS Easily: 1. Install Qt, 2. Install the needed libraries: GB requires Qt 4.8.5 or Qt 5.1.x, libGeoIP 1.5.1, 1.2, where available. (6) Introduced sequence numbers libcrypto 0.9.8 or later, libgcrypt 1.5.x, and libssl 0.9.8 or later. Further libsqlite3-dev, libgcrypt11-dev, and UTC times to chat protocol (in regard of UDP libssl-dev, libgeoip-dev. The libGeoIP library is optional and may be circumvented by configuring the commmunications). (7) Gui Improvements. appropriate project file. 3. Choose the referring .pro file and compile with Qt Creator (gui and kernel). GoldBug V 0.6 has been released You can report your compiling experiences and scripts in the wiki. Help to create a documentation.. V0.6 Changelog 0.6: (1) Introduction of ElGamal Qt 4.8.5 or higher is highly recommended. encryption key pairs (as alternative to RSA- If header (h) or interface (ui) files have changed, please perform a distclean before building Spot-On. Keys). (2) Signature key pairs are extended to a choice of: DSA and RSA. (3) Added Accounts for chat- Absolute cleaning: servers/neighbors-connections: Create a dedicated make distclean or mingw32-make distclean connection on your EMPP-Chat-Server for friends only with a password. (4) Added pop-up windows per 1:1- FreeBSD: friend-chat (doubleclick on a friend to open it). (5) Allow qmake -o Makefile spot-on.freebsd.pro neighbors to be defined such that (non-ssl)-plaintext make connections are prohibited (HTTPS-Only-Connections, Default: enabled - For that reason, please remove Linux: neighbors.db. in case you overtake your ".spoton"- qmake -o Makefile spot-on.pro datapath). (6) Introduced threaded peers: Go parallel make with your processes! (7) Added Magnet-Uri Scheme for e*IRC/Buzz-Chat Channels as kind of Booksmarks for OS X: your echoed IRC-like-Chatrooms! qmake -spec macx-g++ -o Makefile spot-on.osx.pro make GoldBug V 0.5 has been released. V0.5 Changelog: - Option to set permanent SSL- Windows: certificates for listeners. Peers will test qmake -o Makefile spot-on.win.pro certificates and discrepancies will be logged. This make or mingw32-make secures decentral selfsigned SSL even more. Please remove listeners.db and neighbors.db. or full .spoton- subpath. - Simple Mobile Gui View. - Randomized ciphers and further encryption improvements derived What is Key, Repleo? Gemini and GB? from libspoton: e.g. added different available kernel cipher types. Default: randomized. - Added OS/2 project files. - Gui improvements, e.g. Tooltips with When you want to connect to a friend, you need to send him or her your key , you find it in the Hashes for Usernames. - V0.5 is not compatible with key-tab. Once your friend has added your key, you need to select your friend in the chat tab previous versions, please update. (participants list) and copy the so called "Repleo" (of this dedicated friend, so select him first). The

Repleo needs to be sent back to your friend and once it is added there too, you both will get ... connected. Furthermore you should of course connect to an IP of your chat server or a third friend, which has set up a listener in servermode. As long as chat servers are not connected to other chat servers, it makes sense, that both friends use the same chat-server-IP. Furthermore: The Gemini GoldBug V 0.1 has been released on 2013- V0.1 07-27. is a feature to add another security layer to the chatroom with an AES Key for end-to-end encryption. The Gemini is additionally secured by a cryptographic hash key (SHA 512), a so called MAC (Message authentication code). Third: The GoldBug-feature is used in the integrated email client to add here as well an end-to-end AES-Encryption layer - the GoldBug , or: just a password, You want to listen to Echo? :-) (The song ist both users use to encrypt their emails once more. So with the Gemini or GoldBug, you need a kind of Echo not affiliated with the echo protocol.) password (e.g. AES-string) to open the email of a friend or to be able to chat with him.

How is p2p Email to Offline Friends working?

You have a chat partner who is offline? No problem, send him an email with the GoldBug Messenger. Let´s go to the email-tab. The email system based on the echo-protocol has no central servers and each email to an offline friend is stored in a cache of your other trusted friends. It is not stored on the network or any foreign nodes, only your direct chat partner take care for your personally encrypted envelopes and deliver it to the offline friend, when he is coming online. Currently no p2p Email system allows to send out email using this kind of security architecture. POP3 and IMAP are outdated in regard of security, as any post box could be created just by everyone with setting up an EMPP chat server. Test this email-feature with at least 3-5 friends to get the full impression of emailing with GoldBug in a secure way. Because of the multi-encryption it is more secure than Gnupg and it needs no central pop or imap server due to the decentral architecture. Data retention is brought back to private responsibility with the echo-mail.

What can the echo do to secure an encrypted Web of Trust (WOT)?

"First: Hide in the network." Bruce Schneier

There are three reasons why Web of Trust (WoT) architectures and even Friend-to-Friend (F2F) so called "Turtle-Hopping" Networks might be considered insecure.

As trackers are regarded to map everything and analyse a hopping at least of three hops to friends, it is quite easy to know, who is trusting whom. This can be analysed from outside of a WoT, but also inside the WoT, as a Web of Trust shows, who is trusting whom by nature. So, if data retention (VDS) is tracking every social network connection, then a WoT does not provide anonymity on the one hand.

With the echo-protocol everyone has every message - not only your WoT members - and it is highly complex to map that network. Though - at the same time - you can use a so called "half echo" modus, which creates a F2F network within the P2P network. Every Node decides, if one or in general all connections should be full or half echoed. In case a half echo is utilized, your message will be sent only to the direct connection and stops there. You have created a WoT within the general network. Deniability: With 'half echo' you cannot determine a private communication within the general echo network. So second, within a p2p network you have created a plausible deniability of a Web of Trust.

While other networks discuss the pro and cons of p2p and f2f networks, GoldBug deploys both and creates an individual option to set as slider between two ends: choose either detachement towards network-mappers or build non-determineable direct trust-connections. YOU define, how to communicate over the echo with your friends in the GoldBug Messenger.

Third, GoldBug introduces a kind of Distant Chat. With GoldBug you can message as well to friends, which are outside of your WoT, which are not directly connected to you - but still with the same trust and signature, as you have exchanged keys (Repleo). Ever tried to disconnect a trusted friend while keeping the secure communication and trust?

You see, a WoT is easily mappable, it is not anoynmous as you cannot disconnect a trusted friend while keeping the signed trust and communication and third you cannot create a plausible deniability of having utilized a WoT, if you use a WoT. Adding echo to a WoT brings real added value to the IT architecture. The future will bring a lot of research to the comparison of web of trust models for chat based on security, detachment, signatures and encryption.

Fourth: GoldBug has the option for authentication and non-authentication, in case you choose not to sign your messages, you also have no need for deniability. The wish for "plausible deniability" (compare analogy of: a-theism) has turn into a "conscious state for no need of deniability" (compare analogy of: a-gnosticism). In case you combine e.g. authentication within e.g. direct connections ("signatures" as an option with "half echo" as an option and "super echo" as an option) - then you have a web of trust hidden in the network. This "conscious state for no need of deniability" could be called "agnostic deniability".

Some serverbased messengers, which are originally not made for a secured connection and communication, need Addons to encrypt the communication. In a surveilled environment the connection pathes are still very easy to map: Alice sends to the server and Bob receives it from the server. It is possible to encrypt the communication with some provided addons, but the graph will not be hidden. Network analysts know at every time it is: A(lice, plaintext) -> S(server, plaintext) -> B(ob, plaintext), even if encrypting tools are deployed: A(lice, ciphertext) -> S(server, ciphertext) -> B(ob, ciphertext).

How strong are the Encryption-Keys?

GoldBug and its underlaying libraries use strong encryption. Public/Private-RSA-Key less than 2048 are regared as insecure and weak. Passphrases should have 16 digits and End-to-End Encryption keys need at least 32 digits with real random generated charakters like the AES-256 standard.

Can I run GoldBug over Tor or a Proxy?

Of course, that is possible. You can use any proxy of the web or Tor to connect from your GoldBug to any neighbor or chat server. Due to the fact that the chat protocol uses HTTP, you should be even able to create a chat server and listener for GoldBug using a so called TOR hidden service. But this has not yet been tested and would be a task for the Tor-community to run the chat and echo over Tor. As well firewalled environments are not a problem, as long as you are able to do online banking and have an accessible chat server within your IT-environment/country.

GoldBug is Open Source BSD License?

Yes, GoldBug is open source with the BSD license (for the deployed Libraries see here). That means you can revise the code and use it to create your own application. In a time in which you cannot be sure if operating systems, communication applications or drivers of hardware like network switches and keyboards, who knows, or even anti-virus-software updates might send you backdoors onto your machine or send out private data or email passwords, open source code has become a milestone in security. Dont trust closed source operating systems, applications, drivers or updates. It is highly appreciated that GB source code is revised and used for the development of your own client. Y0u find the source as an own Zip in the download section, as a subpath in the installer-Zip of the Application or in the SVN repository libspoton. LibSpotOn uses libgcrypt and OpenSSL as is without modification. The deployed crypto-libs might not use a BSD license, e.g. libgcrypt is LGPL, but as these are not modified and there is no "derived code", it is possible to deploy these libs in the BSD licensed App (with BSD license for for Gui and Kernel).

Will GoldBug be released on mobile devices?

Currently GoldBug is provided as a release version for the Windows 7 operating system. The source code provides as well Mac OS X and several Linux compiling settings. A mobile compile is intended, hence the drafted(!) sketches for a mobile design at this site, but not yet released. Android should be possible, as well as linux operating systems like sailfish or ubuntu mobile. Developers with dedicated devices and compiling skills are requested to provide binaries for GoldBug and join the project or set up a mod-project on their own. however, the encrpytion will alwayse be done on your device - clientsided. There is no browserbased webservice which offers that for you, as this is regarded as compromisable. You have to install a client, the app.

Does GoldBug save every message on a server?

GoldBug has no central sever, so nothing is saved on a corporate server. Everything is userbased and decentral. In case you email to an offline friend, the message is stored in your trusted chat friend, which are currently online. So have a few friends in your GoldBug: The decentral approach requires of course that you maintain at least a small network of users, you are connected with. If you do not want to use these decentral approach, you can set up your own dedicated server or use the 'half echo' - modus, so that your message is sent only to one participant over one dedicated connection. Does the network scale?

Yes. There is no need to think theoretically. Set up a chat-server for your university or community and you see, you will be able to handle any chat like any other chat server. In case you want to join several neighbors, while you are not knowing to which neighbor your friend is connected to, there have been good tests so far with other p2p applications. Every email uses several servers, so can you do the messaging as well with the echo protocol. In case we speak of several hundred-thousands of users there are of course some fast machines needed and your friends should use some countrybased or institutional-based chat severs. The small world phenomen has the paradigm, that you are connected to everyone over seven hops. So just test it out in practice.

What about authentication and forward secrecy?

GB guarantees with the implemented signature for authentication that the sender is who you think it is. If you receive a message from a contact whose fingerprint you verified, you are sure it can not have been sent by someone else. Furthermore GB offers a way to additionally encrypt all messages using a instant-shared symmetric-key (the “Gemini”). The MELODICA feature guarantees a proper management of these keys (changing them often) with instant forward secrecy. Obtaining someone’s private RSA-key is not enough to decrypt their past conversations.

What is the Echo Protocol of LibSpot-On?

The echo protocol means in simple words, you send only encrypted messages, but you send the one message to all of your connected friends. They do the same. You maintain your own network, everyone has every message and you try to decrypt every message. In case you can read and unwrap it, it is a message for you. Otherwise you share the message with all your friends and the message remains encrypted. If you use the modus "half echo", then your message is not shared with other participants. Echo is very simple and the principle is over 30 years old - nothing new. As echo uses HTTP as a protocol, there is no forwarding or routing of messages, as you send your message e.g. from your home laptop to your webserver. That is similar as if you send an encrypted zip from your home to your own webserver. The process starts at each destination new - as you define it. With echo, you start not only a new protocol, but also a new dimension of networking and thinking. Echo is not p2p nor is it f2f, it adds a third category into the net world, which of course can bridge p2p to f2f More Screenshots and create not-determined WoTs connections with the half echo. The super-echo is an option to forward a message even in that case, that you could have read it. This will make analysis (in a simple environment, so called "triangulation of the destination") senseless, in which two nodes as an anylizer are connecting to one other node and a forth node is sending a message: With the GB- option "Super- Echo" every analyzing node is getting the message in every case (readable messages are as well processed to neighbors).

GB has a new encrypted IRC Chat implemented?

Next to the implemented private chat and implemented offline email, GoldBug Messenger integrates as well an IRC chat for public channels and IRC rooms. The IRC protocol has been defined new with the echo, as the chat is not based on the irc protocol, the poper name would be E*IRC = Echo*IRC. GoldBug has currently implemented only one channel - how could it be, it is: goldbug (in small letters). All people, connected to one IP, just need to enter the room name, e.g. "goldbug" and they are connected within the room. The advantage is, that this channel is created based on an AES-key. Every connection to this room is encrypted and cannot be read by any ISP - as long as the channel name is not known. Example: Two friends at a party or at the online chat can agree to find a common word as a channel name, they only both know. Ask your girlfriend: "What is the pet we both like most?" - She thinks: "Dalmatian". And you connect now within this room. Qt-IRC clients (like Quassel or KVIRC) are kindly requested to implement the echoed IRC. One client, which already declared to add E*IRC functionality will be http://netsplit.sf.net - Qt-Developers are appreciated to join. Netsplit is in oldstyle IRC a well known phenomen: if several IRC servers are disconnected, the room members are splitted. Which means on the opposite: When different server IPs have the same room name hosted, and both servers connect - all the members of the same room behind the milky way will join the same named channel. With GolbBug E*IRC servers, which connect as well to E*IRC servers, the netsplit is transcended: two rooms are bridged into one. For the 'goldbug' channel-room you get more users, when you add several chat servers to your messenger.

End-to-End-Encryption: What is the MELODICA Function?

With the MELODICA button or (right mouse click) context menu you call your friend and send him a new Gemini (AES-256-Key). The Key is sent over your asymmetric encryption of the RSA key. This is a secure way like the sneakernet to transfer end-to-end keys, as all other plaintext transferals like email, spoken over phone or in other messengers have to be regarded as unsafe and recorded. MELODICA stands for: Multi Encrypted LOng DIstance CAlling. You call your friend even over a long distance of the echo protocol and exchange over secure asymmetric encryption a Gemini (AES-256 key) to establish an end-to-end encryted channel. As the Gemini is a shared secret, how will your transfer it over the insecure internet? How to transfer a symmetric key safe and secure? Just use MELODICA, which provides a key transport based on public key encryption. You can press the button at any time when your friend is online and quickly generate a new Gemini unique at both sides. MELODICA has been introduced with GoldBug libspoton version V02 (which is not backwards compatible with kernel and gui of V01 - please update).

What are de-magnetized e*IRC-Chat rooms?

A public e*IRC-Chat room can be linked on a website with a Magnet-Link. These rooms are encrypted with an AES key, only those participants can join and decode the chat, who know the key. This keeps your ISP out of public chat. The rooms are defined by the roomname, by a salted hash and a frequency value. These values are summarized in the Magnet-Uri. These Magnet-Links in GoldBug follow the Magnet-URI standard. That means, you can add a GoldBug IRC Room on your website with the Magnet Link. Users can copy the Magnet, add it in GB and de-magnetize the Link and join the room. Some similar function like "irc//:". The magnet has the following structure: magnet:?dn=goldbug&xf=10000&xs=&ct=aes256

DN = roomname / xf = exact frequency / xs = exact salt / ct = ciphertype. Changing one value creates a new (private) room you can share with one person or the public.

Can I join the development or contribute ?

Of course you can: spread the word, add a notice to your blog, test the software, download the source code, invite friends, add translations, evaluate the code, contribute code to the given echo projets or create your own client based on the echo or implement it hybrid or as a plugin into given applications referring to communication, which should be secured. Most important: create a listener, which is reachable from the web on your webserver or at home, by proper forwarding your chosen port in your router/nat. Or write a RFC. Since the libspot-on release echo is open for research and GB-Messenger added a cool userinterface (ui) to it: Either research echo as is or its way of thinking as added value for other applications and protocols. As well in the given echo-apps like GoldBug some features might be of interest: Email currently has no attachement and you might ask about echo beeing a webproxy between two nodes (á la psiphon) or you think of echo-torrents?! Learn to understand what echo is and rethink given protocols based on the echo. GoldBug is just a simple design study of the user interface for the spot-on library, which deploys the echo. Jabber, Torrent, Pop3/IMAP, IRC and are not up to date anymore in case you consider the echo. Please update.

Has the code been revised?

The code and implementation is under a very high level quality control by the professional development and it is an open source contribution of several communities for the used and revised libs included. Be part of this contribution. External evaluations have proven it clean: e.g. "FreewareFiles tested GoldBug Instant Messenger 0.4 on 2013-09-03 using leading antivirus scanners and found it 100% Clean. It does not contain any form of malware, spyware, viruses, trojans, etc. We will re-test each updated

version." Or: "This product was last tested in the Softpedia Labs on 19th of September 2013 by Andreea Matei. Softpedia guarantees that GoldBug Instant Messenger 0.5.1903 is 100% Free, which means it does not contain any form of malware. This software product was tested thoroughly and was found absolutely clean. GoldBug Instant Messenger V 0.5 - SOFTPEDIA "100% CLEAN" AWARD: We are impressed with the quality of your product and encourage you to keep these high standards in the future. To let your users know about this

certification, you may display this award on your website!"

How can John see, what is transferring?

Either use Whireshark or you just set up a non-ssl Listener on 127.0.0.1 and connect your browser to http://127.0.0.1:4710/ and you will see all transferred http code like this:

POST HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 5098 content=WDV5a2Q2RTFvS0lhcE5LKzJrMXpjWmxMMTdycVFZbzE5eVhxdXBLdE5LdFNlNFZ6RFd BSzVoYjNqQWFRcEJ4SHNqeEVEb3hKcHg4OG1aUG5BZnBHcEx0WGFDT3BOM2VDL0RMTXI1 c5VitoWm9EOUt1NkEwY082byt6QjkrZzdrYWVrVkdjUVR4RVNLWnhFSTQwdjAzUEN2YktNaGNZ UJkMGhvQ2RPZ056cy9x@Soxcheckxoutxmyxmessagextoxyou@UVBQnBzZDZISE1LbzBIenV NUJZdmkvQit2ODg0S1AxRWxVcq@Asxaxmatterxofxfact@kwRjNadE1Ib28zbVd3WXd5Y1VYNW 1MU4wQTBrU3RVQXZra1@Don'txletxnothingxholdxyouxback@2RVpVSVBqZEJHanNuZm8qwgEWc ZyRUN0QTR5QVZReHNOQTNiMV@Ifxthexscatmanxcanxdoxit@Z2djFReGUxblhObGtYZi9kNUt0 UZEeXpUako0eGxub0U4OGNLbkpReXVjN@Soxcanxyou@0gweTRVbHE3RXJYbVVjK3pwRnZr YTNscEhKNWlyQWRqcnlpellCOU9tdkJ5TFQwU3c3VWt4UGNLL3Z3N2tqU2FXSHpLZ2hQMDJ6W sK010RtKMGZPzNL@https://www.youtube.com/watch?v=Geiq0FP13uQ@tMWMkRZQlq4gfDS 43QlcrOVFGcGVlOEtVblY2MFNtMks3ZjZuTCtmdUFvQy8yYzduY0tqbmo4Wjlrdm9nZGlXM3hwR DJSaCsvVmU1bEpJU1dFRjFNRnlTZFk3TEFrTGJBdVZoZUpFY1Ntb1lrRHc1bFVFRWZNN21SUn ckhTKzFnWnVGVVJZSVRKM3hod0R4RFdZbVZlU0pjQWVvN045enVaR0w5ckNMaXg2OFhuMj...

Is there a graphic-scheme for the encryption model ?

I want to subscribe to the mailinglist-forum

Subscribe https://lists.sourceforge.net/lists/listinfo/goldbug-forum for new updates.

66 Vocabularies learned at the School of Privacy

AES

Authentication

Algorithm

Base-64

BitMail

BitMail is the name used in GoldBug for the Email client.

Buzz

c/o

"Care of", used to address a letter when the letter must pass through an intermediary (also written c/o). Neighbors are often asked to care of your postal letters, in case you live with them in one house or have a relationship to them. As well parcel stations, letter boxes or just persons e.g. at you home or in the neighborhood provide a local delay of your envelopes and parcels, in case you are at work and want to receive the parcel or letter in the evening. The included Email Function of GoldBug provides such a feature.

Call

A call is new defined by the library libspoton. A "Call" with the MELODICA feature of GoldBug means, to transfer over a public/private key encrypted environment a symmetric key (e.g. AES) - a password for the session talk, only the two participants know. With one click on the MELODICA button you can instantly renew the end-to-end encryption password for your talk. Congestion Control

Congestion Control provides a cache, so that messages, you already are aware of, are not processed to neighbors anymore. This helps especially for mobile devices and webservers running GoldBug to reduce redundancy and process messages faster.

Decentral

Deniability

DNS

e*IRC

The IRC protocol has been defined new with the echo protocol, as the chat is not based on the irc protocol, the poper name would be E*IRC = Echo*IRC. GoldBug has currently implemented only one channel - how could it be, it is: goldbug (in small letters). All people, connected to one IP, just need to enter the room name, e.g. "goldbug" and they are connected within this group chat room. The advantage is, that this channel is created based on an AES-key. Every connection to this room is encrypted and cannot be read by any ISP - as long as the channel name is not known.

Echo

The echo protocol means from an operational view: you send only encrypted messages, but you send your to-be-send-message to all of your connected friends. They do the same. You maintain your own network, everyone has every message and you try to decrypt every message. In case you can read and unwrap it, it is a message for you. Otherwise you share the message with all your friends and the message remains encrypted. Echo is very simple and the principle is over 30 years old - nothing new. As echo uses HTTP as a protocol, there is no forwarding or routing of messages: no IPs are forwarded, e.g. like it is if you send your message e.g. from your home laptop to your webserver. The process starts at each destination new - as you define it. The echo protocol provided by libspoton has nothing to do with RFC 862. The new echo protocol RFC has to be written new. With or without that number.

Echo, Full

With the modus "full echo" your message is forwarded from friend to friend and so on, until the recipient could decrypt the envelope and read the message. It requires a few connections to neighbors in a p2p network.

Echo, Half

If you use the modus "half echo", then your message is not shared with other, third participants (Model: A -> B -> C) . Only direct connections are used (Model A -> B). It requires only one direct connection to one friend.

Encryption, asymmetric

Encryption, clientside

Encryption, Multi-

Encryption, strong

Encryption, symmetric

End-to-End

Forward Secrecy

In public key cryptography, perfect forward secrecy (PFS) is a property of the key-agreement protocol that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future. The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material must not be used to derive any more keys. Thus, compromise of a single key will permit access to only data protected by a single key. Forward secrecy has been used as a synonym for perfect forward secrecy, [1] since the term perfect has been controversial in this context. FS has also been used to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.

Friend

Gemini

The Gemini is a feature in GoldBug Secure Instant Messenger to add another security layer to the chatroom with an AES Key for end-to-end encryption.

Get

GoldBug

The GoldBug-feature is used in the integrated email client to add here as well an end-to-end AES- Encryption layer - the GoldBug, or: just a password, both users use to encrypt their emails once more. So with the GoldBug, you need a kind of password (e.g. AES-string) to open the email of a friend or to be able to chat with him.

GUI

Hash

Https

Iteration Count

In mathematics, an iterated function is a function which is composed with itself, possibly ad infinitum, in a process called iteration. In this process, starting from some initial number, the result of applying a given function is fed again in the function as input, and this process is repeated.

Kernel

Key, Public

Key, Pivate

Key-Exchange

Key-Size

libgcrypt

libSpot-On

Spot-On is an anonymous and encrypted distributed, confidential messaging library in the forms of e- mail and near-instant communications.

Listener

In computer networking, a port is an application-specific or process-specific software construct serving as a communications endpoint in a computer's host operating system. A port is associated with an IP address of the host, as well as the type of protocol used for communication. The purpose of ports is to uniquely identify different applications. Applications implementing common services often use specifically reserved, well-known port numbers for receiving service requests from client hosts. This process is known as listening and involves the receipt of a request on the well-known port and establishing a one-to-one server-client connection, using the same local port number; other clients may continue to connect to the listening port. This works because a TCP connection is identified by the tuple {local address, local port, remote address, remote port}.

MAC: Message authentication code

In cryptography, a message authentication code (often MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin. A MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

MELODICA

With the MELODICA feature in GoldBug Secure Messenger you call your friend and send him a new Gemini (AES-256-Key). The Key is sent over your asymmetric encryption of the RSA key. This is a secure way, as all other plaintext transferals like email, spoken over phone or in other messengers have to be regarded as unsafe and recorded. MELODICA stands for: Multi Encrypted LOng DIstance CAlling. You call your friend even over a long distance of the echo protocol and exchange over secure asymmetric encryption a Gemini (AES-256 key) to establish an end-to-end encryted channel.

Status, online

Neighbor

OpenSource

OpenSSL

Padding

Participant/User

Passphrase

PGP-Method

Port

Post

Proxy

Qt

Repleo

RSA

Scrambler

Salt

Signature

Source

SSL

Super Echo

Tor

Web-Of-Trust

In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs. The web of trust concept was first put forth by PGP creator Phil Zimmermann in 1992 in the manual for PGP version 2.0: As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys. In simpler terms, you have 2 keys: a public key that you let the people you trust know; and a private key that only you know. Your private key will decrypt any information encrypted with your public key. In the web of trust you have a key ring with a group of people's public keys. You encrypt your information with the recipients public key, and only their private key will decrypt it. You then digitally sign the information with your private key, so when they verify it with your public key, they can confirm that it is you. Doing this will ensure that the information came from you and has not been tampered with, and only the person you are sending it to can read the information (because only they know their private key).

GoldBug source code is open source About GoldBug Download & GB-Links and uses LibSpot-On. This w ebsite Goldbug Project Get Involved Manuals w ith content and layout is licensed Dow nload Donate Installation Guides under a Creative Commons Contact Us Source Wiki Attribution 3.0 License, unless otherw ise noted.