Author Topic: Cryptography - EvilIRCd RSA-AES Algorithm  (Read 9398 times)

0 Members and 4 Guests are viewing this topic.

Offline bluechill

  • Cybermancer
  • Royal Highness
  • ****
  • Posts: 682
  • Cookies: 344
  • I am the existence in these walls
    • View Profile
Cryptography - EvilIRCd RSA-AES Algorithm
« on: September 08, 2013, 08:51:35 pm »
So a while back we discussed the idea of adding more security to our IRCd and one of these features was PGP Encryption.  Now, before we go any further, we are not going to be encrypting every single message with RSA, as that's just well terrible for many reasons, see the second answer here.


So now that that's out of the way, let me describe how this would work in our IRCd.  This is a call-for-criticism/feedback on this as well.  So feel free to ask any questions about anything involved, we want this to be secure and without adequate feedback, the likelihood of it being secure diminishes fairly drastically.


Now before we begin the algorithm, you need to know the following about the EvilZone API.


Each IRCd server will have a public-private key pair with the public part uploaded to the main web server where it will be accessible to anyone.  Also, each user who wants to use public-private key encryption will need to upload their own public RSA key to the main web server.  You can retrieve any public key via this API.


Algorithm:


1. Client Connects to Server over SSL
2. Client issues an 'ENCRYPT' command.  The 'ENCRYPT' command tells the server that they want to begin a PGP Layer on their connection, you can only issue this command over SSL connections (although this can be changed).
3. Client sends a USER command followed by a NICK command, both encrypted with the server's public key.
4. Server uses the username parameter of the USER command to retrieve the user's public key from the EZ API.
5. Server sends 10 'KEY' Commands each with random data for the key, these key commands are encrypted with the user's public key.
6. Client randomly chooses one of those keys for the key to use for AES.
7. Client sends a 'VALIDATION' command to the server encrypted with that AES key.
8. Server tries to decrypt that 'VALIDATION' command with all the AES keys and then, once it can successfully decrypt it, uses that key for the connection.
9. Server sends a 'CONFIRMATION' command to the user encrypted with that AES key.
10. From this point on all messages are encrypted with that AES key.  Everything continues like normal, and the server sends a PONG command and then it's off to the races.


At any time the server or client can send an 'ENCRYPT' command and then this process begins all over again, however, the user's username and nickname must still be the same as before.  I was thinking about having this happen every five minutes in the IRCd.  Also, when the algorithm is run again, the 'ENCRYPT' command is sent encrypted with the previous AES KEY, not just over the SSL connection.  Also this process can be improved even more because as of RFC 2812, the USER command has an <unused> parameter and we could abuse that to specify which of the user's public-private key pairs to use.


In some respects this is a fancy version of TLS but it seems like it'd be more secure because it's specific to users and the handshake is completely secure, as in, you need data outside of the connection to determine the contents of the connection.


So basically, any connect could be upgraded to a EZ-Secure (name for this?) connection but preferably that'd happen over SSL.


Also of note, I'm going to be writing a proxy irc daemon which basically handles all this so that existing clients can still use this, furthermore, that proxy irc daemon can even add ssl support to non-ssl supporting clients.  However, that irc daemon will probably only work on *nix until I get time to write a version for windows.  I'm rather busy just trying to get my ircd up and running and working.


Thoughts? Questions? Criticisms? Concerns?
I have dreamed a dream, but now that dream has gone from me.  In its place now exists my own reality, a reality which I have created for myself by myself.

Offline bluechill

  • Cybermancer
  • Royal Highness
  • ****
  • Posts: 682
  • Cookies: 344
  • I am the existence in these walls
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #1 on: September 09, 2013, 02:44:07 am »
Furthermore I'm going to be writing a windows version to help with all this eventually just not until the rest of my IRCd is done.
I have dreamed a dream, but now that dream has gone from me.  In its place now exists my own reality, a reality which I have created for myself by myself.

Offline WirelessDesert

  • Knight
  • **
  • Posts: 356
  • Cookies: 10
  • I think...
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #2 on: September 09, 2013, 03:57:40 pm »
Nothing wrong with extra fancy security with these new leaks going around. Also it makes EZd(?) a even more secure place for open minded discussion and events.

Possible leet noob name: aezecursa
Check out my arduino project: Moving car - School project!
"I'm like current, I always take the easiest route."

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #3 on: September 09, 2013, 05:21:07 pm »
Judging from what you've described, I assume that having a selection of random keys every time an ENCRYPT command is issued is a way to implement forward secrecy?
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline Mordred

  • Knight
  • **
  • Posts: 360
  • Cookies: 135
  • Nvllivs in Verba
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #4 on: September 09, 2013, 05:42:58 pm »
Judging from what you've described, I assume that having a selection of random keys every time an ENCRYPT command is issued is a way to implement forward secrecy?

I also actually was wondering about that part. Everything looks good, but what's the point of generating 10 random keys? It should be enough to generate one key. Making the client pick out of 10 different keys doesn't seem to add any important benefit to the protocol given that you anyway encrypt it with the PubK of the client (so if the PrivK is compromised it doesn't matter anymore even with 10 or 100 keys).
The AES session key isn't derived from the set of PubK/PrivK so why would it be an issue?
« Last Edit: September 09, 2013, 05:52:22 pm by Mordred »
\x57\x68\x79\x20\x64\x69\x64\x20\x79\x6f\x75\x20\x65\x76\x65\x6e\x20\x66\x75\x63\x6b\x69\x6e\x67\x20\x73\x70\x65\x6e\x64\x20\x74\x68\x65\x20\x74\x69\x6d\x65\x20\x74\x6f\x20\x64\x65\x63\x6f\x64\x65\x20\x74\x68\x69\x73\x20\x6e\x69\x67\x67\x72\x3f\x20\x44\x61\x66\x75\x71\x20\x69\x73\x20\x77\x72\x6f\x6e\x67\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x2e

Offline bluechill

  • Cybermancer
  • Royal Highness
  • ****
  • Posts: 682
  • Cookies: 344
  • I am the existence in these walls
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #5 on: September 09, 2013, 06:17:33 pm »
I also actually was wondering about that part. Everything looks good, but what's the point of generating 10 random keys? It should be enough to generate one key. Making the client pick out of 10 different keys doesn't seem to add any important benefit to the protocol given that you anyway encrypt it with the PubK of the client (so if the PrivK is compromised it doesn't matter anymore even with 10 or 100 keys).
The AES session key isn't derived from the set of PubK/PrivK so why would it be an issue?

Originally that wasn't always the case but now it can be just one.  This is like the fourth revision and I missed that part kind of :P
I have dreamed a dream, but now that dream has gone from me.  In its place now exists my own reality, a reality which I have created for myself by myself.

Offline Mordred

  • Knight
  • **
  • Posts: 360
  • Cookies: 135
  • Nvllivs in Verba
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #6 on: September 09, 2013, 06:52:42 pm »
Originally that wasn't always the case but now it can be just one.  This is like the fourth revision and I missed that part kind of :P

Ah okay then.
Other than that it looks pretty good imo.
\x57\x68\x79\x20\x64\x69\x64\x20\x79\x6f\x75\x20\x65\x76\x65\x6e\x20\x66\x75\x63\x6b\x69\x6e\x67\x20\x73\x70\x65\x6e\x64\x20\x74\x68\x65\x20\x74\x69\x6d\x65\x20\x74\x6f\x20\x64\x65\x63\x6f\x64\x65\x20\x74\x68\x69\x73\x20\x6e\x69\x67\x67\x72\x3f\x20\x44\x61\x66\x75\x71\x20\x69\x73\x20\x77\x72\x6f\x6e\x67\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x2e

Offline Traitor4000

  • Knight
  • **
  • Posts: 191
  • Cookies: 8
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #7 on: November 06, 2013, 02:12:42 pm »
Has this or will this ever be implemented?
The most vulnerable part of an impenetrable system is those who believe it to be so.

Offline bluechill

  • Cybermancer
  • Royal Highness
  • ****
  • Posts: 682
  • Cookies: 344
  • I am the existence in these walls
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #8 on: November 20, 2013, 02:52:41 pm »
Has this or will this ever be implemented?

It's in my new IRCd.  Not our current IRCd though
I have dreamed a dream, but now that dream has gone from me.  In its place now exists my own reality, a reality which I have created for myself by myself.

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #9 on: May 03, 2014, 08:48:08 pm »
This was  alot of months before the Heartbleed bug.
Building your OS from scratch would be probably a very bad idea. It takes teams of Devs, Designers, et-la to come up with a clone of debian or ARCH. whatever.

/THIS IS GOING OFFTOPIC. [THREAD HIJACKING]
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]

Offline unvent

  • NULL
  • Posts: 4
  • Cookies: -1
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #10 on: May 03, 2014, 11:29:30 pm »
This was  alot of months before the Heartbleed bug.
Building your OS from scratch would be probably a very bad idea. It takes teams of Devs, Designers, et-la to come up with a clone of debian or ARCH. whatever.

/THIS IS GOING OFFTOPIC. [THREAD HIJACKING]

It wasnt off-topic, teams of dev's if your programing in Linux maybe, ARC4 is weak and how do you distribute the key's without an adversary obtaining a copy? By e-mail? Or off the forum thread?

You have to hand out key's in person or give them the same OS. The weakness is of course in the wording Public Key as in shared with the General Public. be it a third party Key-Server or posted in electronic mail.

How do you find a bug in the GCC? By running the GDB.. But here's the thing Bro, that compiler you love so much is compiled on a Z80 from the 1980's and you along with everbody else sit's there scratching your head wondering why there's so many buffer over or under runs?!

The differance between Unicode & Truetype!?!

You along with the (dot)gov are playing with what all those hackers that are all in the late 50's to 60's with grey hairs call a "dead horse!"

How many line's of code in your Kernel? 4 Million? Then of course this micro kernel compiled on another 8 bit micro-processor is of no interest to you at only 154'000 lines of code which no metasploit can lay waste to or claim. One day they might understand that the guy running the GPL - General Public License is nobodies tool.

So what's his solution, keep giving them the busted compiler, eventually they might take the hint!

« Last Edit: May 03, 2014, 11:35:16 pm by unvent »

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #11 on: May 03, 2014, 11:50:03 pm »
When you talk alot, your stuff starts not to correlate. I appreciate the fact that you can throw around afew line of things you might actually have knowledge about but please, if you have anything to share [like how you are building your OS, or compiler shit], start a thread of your own and GTFO of our IRCd thread.

Thanks for being complaint, i look forward to reading interesting posts from you.
Welcome to EZ.
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]

Offline unvent

  • NULL
  • Posts: 4
  • Cookies: -1
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #12 on: May 04, 2014, 12:02:38 am »

Thoughts? Questions? Criticisms? Concerns?

Thanks for your understanding, sorry - but I dont share how to build anything, that's for you to work out on your own.

Although Open Standards = Open Chips = Open Source - So sure I'll share an insight if you like.

One laptop per child, built using those open standards, with no BIOS, no UEFI, no RdRand. It's pretty self explainitory it has been since the 1970's and no it doesnt use C++ everywhere.

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
    • View Profile
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #13 on: May 04, 2014, 12:17:42 am »
Please stay on-topic.
« Last Edit: May 04, 2014, 12:18:31 am by Phage »
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: Cryptography - EvilIRCd RSA-AES Algorithm
« Reply #14 on: May 04, 2014, 12:23:30 am »


Come on guys this is a sticky for serious discussion of the security features of the IRCd, not you two going back and fourth about unrelated matters.

[Ontopic]

Although I dont use the irc very often, I love the idea of more encryption. I would love to see a client as well to interact with the ircd to streamline this process and make it automatic :-P but that's just me being lazy. I can't say I know much about the encryption process so I don't have much input there
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry