SlideShare a Scribd company logo

Introducing Cloakcast

1 of 15
Download to read offline
Introducing Cloakcast

Steve Phillips @ SB Hackerspace's
      WebTech Wednesday
          (hosted by Eucalyptus)

             2012.07.25
Agenda


● Cloakcast
  ○ What it is
  ○ How it works
  ○ Which problem(s) it solves


● Go
  ○ What it is
  ○ Why I used Go to build Cloakcast
  ○ The codez
Cloakcast
What is Cloakcast? Why use it?
Cloakcast is a suite of tools for chatting
encrypted-ly.

Using (a soon-to-be-released version of) Cloakcast means
that a malicious, totalitarian third party can't tell...

● Who you're communicating with
● What you're saying to them, nor
● When you're communicating <-- the unique part

...even if they're sniffing the traffic of whoever you're talking
to. In a future iteration, they may not even be able to tell
you're using Cloakcast at all.
Who cares if They know when I'm
chatting, and with whom?
● Trivial to correlate web traffic with chat
  traffic, encrypted or not
   ○ Creepy!
● With no encryption over GTalk...
   ○ I visit URL gov't considers suspicious (e.g.
     Wikileaks)
   ○ I send URL to $friend over GTalk
   ○ $friend visits URL
● With Pidgin + OTR over GTalk...
   ○   I visit URL gov't considers suspicious
   ○   I send URL to $friend over GTalk but it's encrypted
   ○   $friend visits URL
   ○   ...still pretty damn obvious who's talking with who
       about what! Cloakcast solves this.
How does/will Cloakcast work?
1. Client Sending       2. Server                         3. Client Receiving
● Original text (from   ● Decrypts outer-                  ● Decrypts outer-most
  user, or random         most layer                         layer (from Server)
  garbage/decoy)        ● Re-encrypts with                 ● Decrypts inner layer
● Encrypts using          recipient's PGP                    (encrypted by
  recipient's PGP key     key                                original sender)
● Encrypts using                                           ● Original text
  Server's PGP key       Cloakcast Server



                         Uniqueness: Client sends
                         message to Server once per
                         second. If the user types a
                         message that second, that's
                         what gets encrypted and
               My        sent. If the user doesn't type    Your
                         anything, a "garbage",
               Client    decoy message gets sent          Client
                         instead.

Recommended

talk-ta3m-crypto-tools-workshop
talk-ta3m-crypto-tools-workshoptalk-ta3m-crypto-tools-workshop
talk-ta3m-crypto-tools-workshopSteve Phillips
 
Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Security in PHP Applications: An absolute must!
Security in PHP Applications: An absolute must!Mark Niebergall
 
Tails os and Tor Proxies
Tails os and Tor ProxiesTails os and Tor Proxies
Tails os and Tor ProxiesBrijesh Kukreja
 
Intro to blockchain - Dapper Dev Bootcamp
Intro to blockchain  - Dapper Dev BootcampIntro to blockchain  - Dapper Dev Bootcamp
Intro to blockchain - Dapper Dev Bootcampshotdsherrif
 
Girl Develop It - Intro To Blockchain And Cryptocurrencies
Girl Develop It - Intro To Blockchain And CryptocurrenciesGirl Develop It - Intro To Blockchain And Cryptocurrencies
Girl Develop It - Intro To Blockchain And Cryptocurrenciesmagnachef
 
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...Paulo Henrique
 
Public key encryption presentation
Public key encryption presentationPublic key encryption presentation
Public key encryption presentationShishir Aryal
 

More Related Content

What's hot

Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSKrzysztof Kotowicz
 
What is Cryptocurrency Mining?
What is Cryptocurrency Mining?What is Cryptocurrency Mining?
What is Cryptocurrency Mining?Monica Dhara
 
REST project brief - typical setup for teams
REST project brief - typical setup for teamsREST project brief - typical setup for teams
REST project brief - typical setup for teamsDian Swanepoel
 
How Encryption for Strong Security Works
How Encryption for Strong Security WorksHow Encryption for Strong Security Works
How Encryption for Strong Security Workss1170087
 
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT TechniquesSeyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT TechniquesHacken_Ecosystem
 
Secure Token Storage
Secure Token StorageSecure Token Storage
Secure Token StorageEric Muyser
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...JosephTesta9
 
Dapps for Web Developers Aberdeen Techmeetup
Dapps for Web Developers Aberdeen TechmeetupDapps for Web Developers Aberdeen Techmeetup
Dapps for Web Developers Aberdeen TechmeetupJames Littlejohn
 
Encryption is for everyone!
Encryption is for everyone!Encryption is for everyone!
Encryption is for everyone!Jillian York
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.Leszek Mi?
 
Bitcoin explained. Talk at Vaughan Public Library
Bitcoin explained. Talk at Vaughan Public LibraryBitcoin explained. Talk at Vaughan Public Library
Bitcoin explained. Talk at Vaughan Public LibraryThatCrypto
 
Cryptography in networks
Cryptography in networksCryptography in networks
Cryptography in networksKajal Chaudhari
 
Sustainability of a multi blockchain ecosystem
Sustainability of a multi blockchain ecosystemSustainability of a multi blockchain ecosystem
Sustainability of a multi blockchain ecosystemFederico Tenga
 
Deepweb darknet mansukhani
Deepweb darknet mansukhaniDeepweb darknet mansukhani
Deepweb darknet mansukhaniJack Mansukhani
 

What's hot (17)

Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
What is Cryptocurrency Mining?
What is Cryptocurrency Mining?What is Cryptocurrency Mining?
What is Cryptocurrency Mining?
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Cryptography
Cryptography Cryptography
Cryptography
 
REST project brief - typical setup for teams
REST project brief - typical setup for teamsREST project brief - typical setup for teams
REST project brief - typical setup for teams
 
How Encryption for Strong Security Works
How Encryption for Strong Security WorksHow Encryption for Strong Security Works
How Encryption for Strong Security Works
 
Euklid (1)
Euklid (1)Euklid (1)
Euklid (1)
 
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT TechniquesSeyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques
 
Secure Token Storage
Secure Token StorageSecure Token Storage
Secure Token Storage
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
 
Dapps for Web Developers Aberdeen Techmeetup
Dapps for Web Developers Aberdeen TechmeetupDapps for Web Developers Aberdeen Techmeetup
Dapps for Web Developers Aberdeen Techmeetup
 
Encryption is for everyone!
Encryption is for everyone!Encryption is for everyone!
Encryption is for everyone!
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
Bitcoin explained. Talk at Vaughan Public Library
Bitcoin explained. Talk at Vaughan Public LibraryBitcoin explained. Talk at Vaughan Public Library
Bitcoin explained. Talk at Vaughan Public Library
 
Cryptography in networks
Cryptography in networksCryptography in networks
Cryptography in networks
 
Sustainability of a multi blockchain ecosystem
Sustainability of a multi blockchain ecosystemSustainability of a multi blockchain ecosystem
Sustainability of a multi blockchain ecosystem
 
Deepweb darknet mansukhani
Deepweb darknet mansukhaniDeepweb darknet mansukhani
Deepweb darknet mansukhani
 

Similar to Introducing Cloakcast

CryptoGraphy Module in Mulesoft
CryptoGraphy Module in MulesoftCryptoGraphy Module in Mulesoft
CryptoGraphy Module in Mulesoftshyamraj55
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at DecisivTeleport
 
PresentationonCRYPTOGRAPHY.pptx
PresentationonCRYPTOGRAPHY.pptxPresentationonCRYPTOGRAPHY.pptx
PresentationonCRYPTOGRAPHY.pptxHRockyAman
 
Mulesoft Meetup Cryptography Module
Mulesoft Meetup Cryptography ModuleMulesoft Meetup Cryptography Module
Mulesoft Meetup Cryptography ModuleManjuKumara GH
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)Mikal Villa
 
Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...maeste
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client BackdoorMichael Scovetta
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
Total privacy of transactions, Mimblewimble and Grin
Total privacy of transactions, Mimblewimble and GrinTotal privacy of transactions, Mimblewimble and Grin
Total privacy of transactions, Mimblewimble and GrinEugene Pavlenko
 
CurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious CharactersCurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious Characterspieterh
 
Intro to Cryptography
Intro to CryptographyIntro to Cryptography
Intro to CryptographyGalin Dinkov
 
-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx
-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx
-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docxhoney725342
 
encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)Alastair Irvine
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMTal Be'ery
 
Defcon 23 - David Huerta - alice and bob are really confused
Defcon 23 - David Huerta - alice and bob are really confusedDefcon 23 - David Huerta - alice and bob are really confused
Defcon 23 - David Huerta - alice and bob are really confusedFelipe Prado
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
 

Similar to Introducing Cloakcast (20)

CryptoGraphy Module in Mulesoft
CryptoGraphy Module in MulesoftCryptoGraphy Module in Mulesoft
CryptoGraphy Module in Mulesoft
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at Decisiv
 
PresentationonCRYPTOGRAPHY.pptx
PresentationonCRYPTOGRAPHY.pptxPresentationonCRYPTOGRAPHY.pptx
PresentationonCRYPTOGRAPHY.pptx
 
Mulesoft Meetup Cryptography Module
Mulesoft Meetup Cryptography ModuleMulesoft Meetup Cryptography Module
Mulesoft Meetup Cryptography Module
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
 
Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
 
Total privacy of transactions, Mimblewimble and Grin
Total privacy of transactions, Mimblewimble and GrinTotal privacy of transactions, Mimblewimble and Grin
Total privacy of transactions, Mimblewimble and Grin
 
CurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious CharactersCurveZMQ, ZMTP and other Dubious Characters
CurveZMQ, ZMTP and other Dubious Characters
 
Intro to Cryptography
Intro to CryptographyIntro to Cryptography
Intro to Cryptography
 
-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx
-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx
-----BEGIN PGP PUBLIC KEY BLOCK-----Version Encryption Desktop.docx
 
Windows Domains Part 2
Windows Domains Part 2Windows Domains Part 2
Windows Domains Part 2
 
encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEM
 
Defcon 23 - David Huerta - alice and bob are really confused
Defcon 23 - David Huerta - alice and bob are really confusedDefcon 23 - David Huerta - alice and bob are really confused
Defcon 23 - David Huerta - alice and bob are really confused
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
 

Introducing Cloakcast

  • 1. Introducing Cloakcast Steve Phillips @ SB Hackerspace's WebTech Wednesday (hosted by Eucalyptus) 2012.07.25
  • 2. Agenda ● Cloakcast ○ What it is ○ How it works ○ Which problem(s) it solves ● Go ○ What it is ○ Why I used Go to build Cloakcast ○ The codez
  • 4. What is Cloakcast? Why use it? Cloakcast is a suite of tools for chatting encrypted-ly. Using (a soon-to-be-released version of) Cloakcast means that a malicious, totalitarian third party can't tell... ● Who you're communicating with ● What you're saying to them, nor ● When you're communicating <-- the unique part ...even if they're sniffing the traffic of whoever you're talking to. In a future iteration, they may not even be able to tell you're using Cloakcast at all.
  • 5. Who cares if They know when I'm chatting, and with whom? ● Trivial to correlate web traffic with chat traffic, encrypted or not ○ Creepy! ● With no encryption over GTalk... ○ I visit URL gov't considers suspicious (e.g. Wikileaks) ○ I send URL to $friend over GTalk ○ $friend visits URL ● With Pidgin + OTR over GTalk... ○ I visit URL gov't considers suspicious ○ I send URL to $friend over GTalk but it's encrypted ○ $friend visits URL ○ ...still pretty damn obvious who's talking with who about what! Cloakcast solves this.
  • 6. How does/will Cloakcast work? 1. Client Sending 2. Server 3. Client Receiving ● Original text (from ● Decrypts outer- ● Decrypts outer-most user, or random most layer layer (from Server) garbage/decoy) ● Re-encrypts with ● Decrypts inner layer ● Encrypts using recipient's PGP (encrypted by recipient's PGP key key original sender) ● Encrypts using ● Original text Server's PGP key Cloakcast Server Uniqueness: Client sends message to Server once per second. If the user types a message that second, that's what gets encrypted and My sent. If the user doesn't type Your anything, a "garbage", Client decoy message gets sent Client instead.
  • 7. "Which connected user are you chatting with?" ● ...only it's better than this ● I've been talking about this like it's a conversation happening in real-time ● It doesn't have to be ● Messages stay in a user's inbox until read ○ [EDIT: this will likely change in an upcoming version] ● Malicious parties only see data encrypted with the Server's key or recipient's key ○ ...assuming you're using an uncompromised server, in which case they know who's chatting, but not when nor what about
  • 9. Cloakcast Release Schedule ● Conceived, started July 9 ● v0.1 ○ Finished July 15 ○ Basic PGP-encrypted chatting in terminal ● v0.2 ○ Expected out in late July or August ○ WebSocket chat in browser ● v0.3 ○ Connect through Tor? ■ Cloakcast and Tor don't compose super nicely due to the 1-second pulse...
  • 10. Future Feature Ideas ● Multi-server support ● Public key swapping within ○ No server sees entire Cloakcast? conversation ● Use OTR (instead of ● Request data from server at PGP/GPG)? adjustable rate ○ Maybe use mpOTR? ● Use HTTPS on port 443 ● Multiple concurrent 2-person ○ Extra encryption layer chats ○ Hides destination url ● Group chat + PGP sucks ● Can your ISP even tell ○ O(n^2) keys :- you're using Cloakcast? ● Platform??? ○ Maybe, using DPI, ○ Distributed system :-) maybe not (HTTPS) ○ Compute, scrape, etc ● Tor tunneling ● Legit auth ○ Cloakcast will help ○ "Client: prove you can against timing attacks decrypt $this to check 'your' inbox"
  • 11. Go
  • 12. What is Go? ● Programming language open sourced by Google in 2009 ● Reached stable v1.0 in late March 2012 ● Qualities ○ Fast and Concurrent ○ Compiled ○ Statically typed (in a good way!) ○ Simple and Powerful ○ Avoids typical trade-offs ■ Fast, static typing, painful v. Slow, dynamic, fun ● My favorite programming language ○ That's right: Python is #2
  • 13. Cloakcast Code Samples (Emacs time...)
  • 14. SOON: Run Cloakcast on your Android device Screenshot taken 2012.07.03 (3 weeks ago)
  • 15. Go Resources ● Start here: http://tour.golang.org/ ● Articles: http://golang.org/doc/#articles ○ Also see http://blog.golang.org/ ● Then read http://golang.org/doc/effective_go.html ● My Go snippets (in go/ and go-r60/ dirs): https://github.com/sbhackerspace/sbhx-snippets/ ● More at Go homepage: http://golang.org/