Agenda
● Cloakcast
  ○ What it is
  ○ How it works
  ○ Which problem(s) it solves
● Go
  ○ What it is
  ○ Why I used Go to build Cloakcast
  ○ The codez

What is Cloakcast? Why use it?
Cloakcast is a suite of tools for chatting encrypted-ly.
Using (a soon-to-be-released version of) Cloakcast means that a malicious, totalitarian third party can't tell...
● Who you're communicating with
● What you're saying to them, nor
● When you're communicating <-- the unique part
...even if they're sniffing the traffic of whoever you're talking to. In a future iteration, they may not even be able to tell you're using Cloakcast at all.

Who cares if They know when I'm chatting, and with whom?
● Trivial to correlate web traffic with chat traffic, encrypted or not
  ○ Creepy!
● With no encryption over GTalk...
  ○ I visit URL govt considers suspicious (e.g. Wikileaks)
  ○ I send URL to $friend over GTalk
  ○ $friend visits URL
● With Pidgin + OTR over GTalk...
  ○ I visit URL govt considers suspicious
  ○ I send URL to $friend over GTalk but it's encrypted
  ○ $friend visits URL
  ○ ...still pretty damn obvious who's talking with who about what!
Cloakcast solves this.

How does/will Cloakcast work?
1. Client Sending
  ● Original text (from user, or random garbage/decoy)
  ● Encrypts using recipient's PGP key
  ● Encrypts using Server's PGP key
2. Server
  ● Decrypts outer-most layer
  ● Re-encrypts with recipient's PGP key
3. Client Receiving
  ● Decrypts outer-most layer (from Server)
  ● Decrypts inner layer (encrypted by original sender)
  ● Original text
[Diagram: My Client, Cloakcast Server, Your Client]
Uniqueness: Client sends message to Server once per second. If the user types a message that second, that's what gets encrypted and sent. If the user doesn't type anything, a "garbage", decoy message gets sent instead.

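The once-per-second pulse described above, as an added Go example that is not Cloakcast's own code: every tick yields one fixed-size frame, carrying either the waiting message or a decoy, and the receiver drops the decoys. The 256-byte frame, the leading length byte (0 marks a decoy) and the names Frame, Parse and Next are assumptions of this example; the two PGP layers would be applied to each frame before it is sent.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

const frameSize = 256 // assumed fixed plaintext size, so every packet has one length

// Frame builds one pulse's plaintext: length byte (0 = decoy), text, random fill.
func Frame(typed string) ([]byte, error) {
	if len(typed) >= frameSize {
		return nil, fmt.Errorf("message of %d bytes does not fit in one frame", len(typed))
	}
	f := make([]byte, frameSize)
	if _, err := rand.Read(f); err != nil {
		return nil, err
	}
	f[0] = byte(len(typed))
	copy(f[1:], typed)
	return f, nil
}

// Parse is the receiving side: ok is false for a decoy or a malformed frame.
func Parse(f []byte) (text string, ok bool) {
	if len(f) != frameSize || f[0] == 0 {
		return "", false
	}
	return string(f[1 : 1+int(f[0])]), true
}

// Next returns the frame for the current tick: a waiting message, otherwise a decoy.
func Next(typed <-chan string) ([]byte, error) {
	msg := "" // stays empty, and so becomes a decoy, when nothing is waiting
	select {
	case msg = <-typed:
	default:
	}
	return Frame(msg)
}

func main() {
	typed := make(chan string, 1)
	typed <- "hello" // constructed input: one typed message, then silence
	for i := 0; i < 3; i++ { // a real client would loop on a 1-second time.Ticker
		f, err := Next(typed)
		text, ok := Parse(f) // before sending, f would be PGP-encrypted twice
		fmt.Println(len(f), ok, text, err)
	}
}
```
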
"Which connected user are you chatting with?"
● ...only it's better than this
● I've been talking about this like it's a conversation happening in real-time
● It doesn't have to be
● Messages stay in a user's inbox until read
  ○ [EDIT: this will likely change in an upcoming version]
● Malicious parties only see data encrypted with the Server's key or recipient's key
  ○ ...assuming you're using an uncompromised server, in which case they know who's chatting, but not when nor what about

Cloakcast Release Schedule
● Conceived, started July 9
● v0.1
  ○ Finished July 15
  ○ Basic PGP-encrypted chatting in terminal
● v0.2
  ○ Expected out in late July or August
  ○ WebSocket chat in browser
● v0.3
  ○ Connect through Tor?
    ■ Cloakcast and Tor don't compose super nicely due to the 1-second pulse...

Future Feature Ideas
● Multi-server support
  ○ No server sees entire conversation
● Request data from server at adjustable rate
● Use HTTPS on port 443
  ○ Extra encryption layer
  ○ Hides destination url
● Can your ISP even tell you're using Cloakcast?
  ○ Maybe, using DPI, maybe not (HTTPS)
● Tor tunneling
  ○ Cloakcast will help against timing attacks
● Public key swapping within Cloakcast?
● Use OTR (instead of PGP/GPG)?
  ○ Maybe use mpOTR?
● Multiple concurrent 2-person chats
● Group chat + PGP sucks
  ○ O(n^2) keys :-
● Platform???
  ○ Distributed system :-)
  ○ Compute, scrape, etc
● Legit auth
  ○ "Client: prove you can decrypt $this to check your inbox"

What is Go?
● Programming language open sourced by Google in 2009
● Reached stable v1.0 in late March 2012
● Qualities
  ○ Fast and Concurrent
  ○ Compiled
  ○ Statically typed (in a good way!)
  ○ Simple and Powerful
  ○ Avoids typical trade-offs
    ■ Fast, static typing, painful v. Slow, dynamic, fun
● My favorite programming language
  ○ That's right: Python is #2

Cloakcast Code Samples (Emacs time...)

SOON: Run Cloakcast on your Android device
Screenshot taken 2012.07.03 (3 weeks ago)

Go Resources
● Start here: http://tour.golang.org/
● Articles: http://golang.org/doc/#articles
  ○ Also see http://blog.golang.org/
● Then read http://golang.org/doc/effective_go.html
● My Go snippets (in go/ and go-r60/ dirs): https://github.com/sbhackerspace/sbhx-snippets/
● More at Go homepage: http://golang.org/