[tor-dev] Encrypted PM site/hidden service

Daniel Dennis sdjfjsdfiuhszduh at fastmail.fm
Fri Jul 13 13:57:42 UTC 2012

Because I don't have access to phones that may support this I will not
try. The code will be open sourced so anyone may port it. But however I
will now assume the app may not always be running on an encrypted
filesystem so i'll add some support for keeping the files private

Anonbox looks cool. It doesnt appear i can write emails? This isn't
meant for emails, just simple PMs which you cannot attach image nor need
to sign up for. Right now by design i cam PM someone w/o giving them a
way to know who i am (although if you want a discussion you should
attach your public key)

The tech used will be openssl, mono (or .NET) and sqlite. I can drop
openssl but i suspect people would prefer using openssl pem keys rather
then mono/.NET generated keys.

It sounds like you want to know how it works technically. Well, here are
some notes i written for myself. It may not make sense or be a little
incoherent but perhaps you can get an idea how secure it may be.

--What data we have (in the client sqlite db)--
-If app is encrypted, all data unless with a * is encrypted with the
symmetric key-
db version*, path to pem file*, symmetric key (encrypted with said pem
file or generated with PBKDF2 on the users password),
	misc options, server url, server public key
private keys, plain names, ids*, last ident
public  keys, plain names, ids*
association table: association value*, private key id*
 inbox: private key id*,  inmsg/timestamp/optional from     public key
outbox: public  key id*, outmsg/timestamp/optional reply to public key
draft:  same fields as outbox

last ident is when the user last identify himself to the server. If user
marks server as untrusted this will prevent user from grabbing all his
msgs from the server using different keys. This is so the server is less
likely to associate a group of keys to one user
communication to server
Handshake with server: Client encrypts random data with server public
key, server sends it back plaintext
Register public key. Client gives user pub key, server reply's with an
encrypted block of random data, client decrypt it using private key then
sends it back plaintext
Unregister: delete all msgs and public key from user. Of course server
sends random data which will need to be sent back as plaintext to verify
the key is mine.
Send Message: Client send data which is encrypted with AES which key is
encrypted with the recipient pub key. The data is msg+optional my reply
to/identity pub key) + recipient pub key. This data is compressing with
	Server replies with success or error message. It makes sure
	recipient and your pub key is registered. Also replies with test
	to ensure the reply-to pub key is yours.
Get Messages: Send pubic key i'd like to get messages for. Server sends
me random data to send back in plaintext. Then receive all my data
(compressed with DEFLATE)
	Messages is msg + timestamp(UTC server date) + if available the
	reply to public key.

The client app will decrypt the messages and store it either compressed
or compressed/encrypted with the db AES key. Timestamp and reply-to pub
key are encrypted.

Messages are deleted from servers after 10days of retrieval (or
immediately). If pub key has not been seen > 1 year he is unregister and
all messages are deleted

> Date: Thu, 12 Jul 2012 17:12:01 +0000
> From: krugar <tor-admin at krugar.de>
> To: tor-dev at lists.torproject.org
> Subject: Re: [tor-dev] Encrypted PM site/hidden service
> Message-ID: <4FFF0561.40906 at krugar.de>
> Content-Type: text/plain; charset=ISO-8859-1
> take a look at https://anonbox.net/ for a similar service.
> a few considerations: if you create an "app" that lives on a mobile
> phone, are private keys stored on the phone? are they secured somehow
> while the app is running / not running? which public keys will be stored
> on the phone? will messages be stored on the phone?
> will someone always know who sent a PM, or only if the sender so
> chooses? how do you know how to reach someone on your service? are there
> pseudonyms? how long to they last? what about key revocation?
> what happens if the server is compromised somehow, will attackers be
> able to look at the data and see who wrote messages to whom? for which
> time period?
> try to clearly define which privacy guarantees you try to achieve
> against which type of attacker. the more precise you write this down,
> the easier someone can help you spot weaknesses in your concept, and the
> better for you and your users once the system is live.
> http://dud.inf.tu-dresden.de/Anon_Terminology.shtml may help if you are
> uncertain about wording.
> cheers
> -k

http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow

More information about the tor-dev mailing list