readme.html

Its about cryptography example. useful for chatting with some sort of security

<HTML>

<HEAD>
<TITLE>Crypto chat program</TITLE>
</HEAD>

<BODY>
<H1>Crypto chat program by <A HREF="http://members.lycos.co.uk/wuul/index.html">Wuul</A></H1>
<P>
<P>
<B>30 second summary</B>: A little program that allows 2 parties to chat to each other over a direct TCP/IP connection with ridiculously high levels of encryption which is all done in the background automatically - no central server or key management hassle required.  <A HREF="cryptochat.zip">download it here (includes Java source)</A>.  There's a <A HREF="screenshot.jpg">screen shot here</A> showing an imaginary conversation between Avi and Randy.

<P>
<B><I>NEW!!! Windows version now available!  I figured most people would probably prefer a Windows version of this program so I wrote one.  It seems to work ok but it's still quite rough so should be considered a "beta release" and probably has a number of bugs.  <A HREF="../wincryptochat/readme-win.html">Here's the details plus the program and full Delphi source code</A>.  I will continue improving this version so please check back later for updates.  Note - the Java and Windows versions are *not* compatible with each other, i.e. you can't connect to the Java version with the Windows version or vice-versa.</I></B>


<P>
<B>Description</B>: There are lots of programs available that allow you to chat with other people on the net.  However, how do you know that nobody is snooping on your conversation?  Even if a program claims to offer a secure connection, do you trust it?  Is the source code available?  If it uses encryption, can you trust the encryption library & examine the source code?  The secure chat program here provides the facility to have a secure chat session with anyone else who has a copy of the program, and the full source code is provided - no library files are used anywhere.  The program uses public key cryptography (the <A HREF="http://world.std.com/~franl/crypto/rsa-guts.html" target="new">RSA algorithm</A>) which is the standard way of establishing an encrypted connection on the internet, plus the <A HREF="http://csrc.nist.gov/CryptoToolkit/aes/rijndael/" target="new">Advanced Encryption Standard (AES) algorithm</A>.  However, all the RSA & AES implementation code is done within the main program, it doesn't use the Java SSL libraries, nor does it require you to manually generate a key & install it.  All the source code is there for inspection so you can be sure there are no trojans or other nasty backdoors.  The program generates a brand new public/private keypair every time it runs for additional paranoia.  There is no preset limit on the size of the key either, simply enter the number of bits you want & the key will be generated.  The default is for a 1024 bit key, but if you are utterly paranoid why not use a 2048 or even 4096 bit key?  It's up to you, but be aware that large keys can take a long time to generate.
<P>
From Cryptonomicon: <I>"Avi says: 'When you get to Manila I would like you to generate a 4096-bit key pair'...Randy is trying to generate one that is ridiculously long. He has pointed out to Avi, in an encrypted e-mail message, that if every particle of matter in the universe could be used to construct one single cosmic supercomputer, and this computer was put to work trying to break a 4096-bit encryption key, it would take longer than the lifespan of the universe."</I>

<P>
<B>How to use</B>: The program is written in Java & therefore requires a Java Runtime Environment (JRE) to run.  This can be freely downloaded from <A HREF="http://java.sun.com/j2se/1.4.2/download.html" target="new">Sun's website</A> - click the link that says "Download J2SE JRE" and just follow the prompts.  Once you have a JRE installed you can run the program by entering "java -jar chat.jar", or simply running "run.bat" if you are using Windows.  If you don't want to bother installing a JRE it might be possible to run from within your web browser which has a built-in JRE - try <A HREF="chat_launcher.html">this page</A> - due to applet restrictions it won't work from here but if you save the HTML page to your local disk it should work if you open it from a web browser.  The HTML file is also contained within the main zip file.  However, the preferred way to run the program is via run.bat as sometimes the browser can crash when running the applet.

<P>
<B>Instructions</B>: Suppose that Randy and Avi want to use the program to have a secure conversation.  One of the parties agress to be the "client" & one agrees to be the "server".  It doesn't matter who does what, but if the "server" is behind a firewall then the appropriate port needs to be open to allow the "client" to make the connection to them.  Let's say that Randy is the client and Avi is the server.  They both run up the program.  Avi can choose the port to listen on by changing the value in the "Port" field.  Avi then clicks the button "Listen" and the program immediately generates a new RSA key, then listens for incoming connections.  Randy then enters Avi's i.p. address and port in the "Remote Machine" and "Port" fields and clicks the "Connect" button.  If all goes well the connection to Avi's machine is established, the encryption keys are exchanged and both programs will display the message "HANDSHAKING COMPLETED".  Note that if very large RSA keys are used this can take a while.  Now Randy and Avi can type messages into the "Enter message to send" field and send them to each other.

<P>
<B>Finding your i.p. address</B>: If you aren't sure how to find your i.p. address, <A HREF="http://www.whatismyip.com/" target="new">this page</A> will tell you what it is.  Note that if you are behind a <A HREF="http://en.wikipedia.org/wiki/Firewall_(networking)" target="new">NAT Firewall</A> which most organisations use you are likely to have a "private" i.p. address and it is unlikely that anybody outside the firewall will be able to connect to you, although you may still be able to make outgoing connections.  To find out your private i.p. address from Windows, click Start, then Run, then enter <I>cmd.exe</I>.  At the C:> prompt enter <I>ipconfig</I> and press return.

<P>
<B>Sending files</B>: When the session is underway, Randy and Avi can send files to each other over the secure link.  Let's suppose that Avi wants to send a file to Randy.  Randy must click the "Receive file" button and wait for Avi to send over the file.  Avi clicks the "Send file" button, and chooses the file to send to Randy.  When he does this, Randy receives the prompt to save the file to his local disk.  Everything is encrypted, the file name and the file contents.

<P>
<B>Disconnecting</B>: Either party can terminate the session at any point by clicking the Disconnect button.  The session can easily be re-established using the instructions above.

<P>
<B>Re-generating the key</B>: If you are completely and utterly paranoid you can even re-generate the encryption keys between sessions - simply enter the key size and click the "Generate key" link.  "Just because you are paranoid it doesn't mean they aren't out to get you...".

<P>
<B>Quirkies/gotchas</B>: Note - the RSA algorithm depends on the ability to generate extremely large prime numbers.  I used the Java "BigInteger" class which generates numbers that are "probably" prime.  If they are not prime there is the risk that somebody could break your key & intercept your conversation.  You can alter the probability that Java uses by changing the value "primeProbability" in the file "chat.properties" - this is currently set to 100.  This means that the probability that the numbers generated are not prime is less than 1 in 2 to the power of 100, i.e. 1 in 1267650600228229401496703205376.  You are probably more likely to simultaneously win all the lotteries in the world and whilst banking your winnings get hit by a flying saucer piloted by Bigfoot than have this occur.  Java documentation says that "The probability that the new BigInteger represents a prime number will exceed (1 - 1 divided by 2 to the power N [where N is the value in "primeProbability"] ).  Note that increasing this value will increase the amount of time the program takes to generate the key.

<P>
<B>IMPORTANT</B>: I take <U>absolutely no responsibility</U> for the reliability of this program.  The source code is provided so you can judge for yourself whether to use it or not.  I can't guarantee that the program is 100% secure and free of bugs.  If you want to be sure - use the source, Luke!  If you happen to use it & get caught discussing the location of stolen WW2 gold in the Philippines it's your problem, not mine.  It may be illegal to run this program in your country, and it's your responsibility to check this & decide whether to run it or not.

<P>
<B>Legal crap</B>: Some governments have passed or are considering laws that will require you to hand over your decryption keys if this is approved by a court of law.  Well if you're using crypto chat you can't do this, as the keys are *never* written to disk anywhere!  Each time the program runs a brand new RSA and AES key are generated, held only in memory and transmitted over TCP/IP to the remote party where they are only ever stored in memory as well.  <b><i>At no point does the program ever write anything to disk</i></b>, so nothing can be recovered.  The only way in which anything could be recovered from your disk is if your operating system writes contents of the memory occupied by the JVM to its swap file, and there is nothing I can do about this.


<P>
<B>Encryption details (for geeks!)</B>: the program doesn't use the RSA algorithm to encrypt every message you send as this would be incredibly slow, so what it does is generate a temporary random 256-bit AES key <I>(the AES (Rijndael) algorithm is approved by the US Government for TOP SECRET material when 256 bit keys are used)</I>.  This key is then encrypted using RSA (again, using a completely new key) and transmitted to the person you are connected to.  Now that both parties have securely exchanged the AES key, this is then used to encrypt the conversation.  Note, you don't have to worry about all this crap, all you have to do is enter the i.p. address of the other person and hit Connect, all the crypto stuff is completely automatic.  Peer-to-peer communcation is massively safer than chatting through a central server - you have no control over what the server administrator is doing with your messages.


<P>
<B>Final notes:</B> I wrote the main chat program including the networking stuff and all the RSA code (I got the RSA algorithm from The Code Book by Simon Singh), but the AES code I found on the web.  One last thing, if you are an expert Java programmer and think some of the code in this program could be improved, you're dead right.  Some of it sucks, but since it's only something I've knocked together in my spare time and isn't used commercially I don't care.  I started writing this back in 2001 as an experiment in Java socket programming and I basically update it every now and again when I have a spare 30 mins or so.  So don't expect anything particularly elegant - it's a bit of a hack, but it does work ok.

<P>
If you have any questions or want to report a bug please drop me a line at <script type="text/javascript" language="javascript">
<!--
// eMail Obfuscator Script 2.1 by Tim Williams - freeware
{
 	coded = "Y00ETQ@JBBJELDPHE.NBD"
		cipher = "aZbYcXdWeVfUgThSiRjQkPlOmNnMoLpKqJrIsHtGuFvEwDxCyBzA1234567890"
		shift=coded.length
		link=""
		for (i=0; i<coded.length; i++){
			if (cipher.indexOf(coded.charAt(i))==-1){
				ltr=coded.charAt(i)
				link+=(ltr)
			}
			else {     
				ltr = (cipher.indexOf(coded.charAt(i))-shift+cipher.length) % cipher.length
				link+=(cipher.charAt(ltr))
			}				
    }
			document.write("<a href='mailto:"+link+"'>this address</a>")
    }
//-->
</script>
<noscript>
<p>Sorry, but a Javascript-enabled browser is required to email me.</p>
</noscript>


<P>
<A HREF="http://members.lycos.co.uk/wuul/index.html">Home</A>
</BODY>

</HTML>