-
Notifications
You must be signed in to change notification settings - Fork 88
Update Log
- Dependencies were updated to latest versions.
- Starting from *buntu 23.10, global python packages must be installed via APT, necessary changes were made. This unfortunately reduces the number of dependencies that can be provided with pinned hashes.
- Relay Program now uses
cryptographylibrary instead ofPyNaClfor deriving ed25519 keys from seeds.
- Tails installation can now rely on almost exclusively on pre-installed packages, which means the configuration now installs much faster.
- Fixed Tails control port number that was changed due to a MITM vulnerability.
- Remove kernel minimum version check, as all kernels with improper CSPRNG seeding checks have now reached EoL.
- Removed outdated LRNG description. More details will be added once the new design receives in-depth documentation.
- Updated
- certifi to 2022.12.7
- cryptography to 40.0.2
- distlib to 0.3.6
- filelock to 3.12.0
- Flask to 2.2.3
- importlib-metadata to 6.5.0
- MarkupSafe to 2.1.2
- pip to 23.1
- platformdirs to 3.2.0
- requests to 2.28.2
- setuptools to 67.7.0
- typing-extensions to 4.5.0
- urllib3 to 1.26.15
- virtualenv to 20.22.0
- Werkzeug to 2.2.3
- zipp to 3.15.0
- Replaced SHA512 for pinned file checks with BLAKE2b
- Replaced SHA256 for project's gpg signing key fingerprint with BLAKE2b
- Fixed typos here and there
- Added a FAQ entry for selecting correct baudrate
- Removed requirements badge and FAQ entry about it as the service no longer exists.
- Updated
- cryptography to 38.0.3
- exceptiongroup to 1.0.3
- mypy to 0.991
- types-requests to 2.28.11.4
- setuptools to 65.5.1
-
Fixed an issue where the
requirements-pre.txt(that containspipandsetuptools) was authenticated only after the requirements were installed. The attack surface was wider than necessary, but PyPI's TLS and internal authentication mechanisms have been present all along, and the risk was low. -
The new
cryptographypackage patches an issue where Linux wheels were compiles with OpenSSL 3.0.7 that has two vulnerabilities:- CVE-2022-3602 is an RCE vulnerability related to X.509 certificate verification. TFC only uses OpenSSL/cryptography for X448 key exchange, thus this vulnerability does not concern TFC.
- CVE-2022-3786 is a DoS vulnerability also related to X.509 certificate validation, and it also does not concern TFC.
-
The new setuptools package patches a ReDoS vulnerability (Note: No CVE entry exists) that is another DoS vulnerability when "the user is fetching malicious HTML from a package in PyPi or a custom PackageIndex page." Custom PackageIndex page is not used, but it's not clear how packages that use setuptools are affected. The risk rating by Snyk sets the vulnerability as low, thus most likely no action is needed.
- Minor cleaning of code wherever issues were spotted.
- Updated
- types-requests to 2.28.11.2
- pytest to 7.2.0 with new sub-dependencies
- exceptiongroup 1.0.0rc9
- iniconfig 1.1.1
- more-itertools to 9.0.0
- pytest-cov to 4.0.0
- certifi to 2022.9.24
- coverage to 6.5.0
- importlib-metadata 5.0.0
- mypy to 0.982 with new sub-dependencies
- tomli 2.0.1
- pytest-xdist to 3.0.2
- setuptools>=65.5.0
- stem to 1.8.1
- typing-extensions to 4.4.0
- zipp to 3.10.0
- Fixed Tails configuration's onion-grater profile that prevented Relay Program from launching the Onion Service on Tails.
- Added test-run option for Relay Program that spins a test Tor Onion Service without the requirement of having a Source Computer output the Onion Service private key to it first. This makes it easier to spot issues as the one discussed in the fix above.
- Updated
- argon2_cffi to 21.3.0
- With
argon2_cffi_bindings 21.2.0as new sub-dependency
- With
- backports.entry-points-selectable to 1.1.1
- certifi to 2022.9.14
- cffi to 1.15.1
- charset-normalizer to 2.1.1
- click to 8.1.3
- cryptography to 38.0.1
- distlib to 0.3.6
- filelock to 3.8.0
- Flask to 2.2.2
- idna to 3.4
- importlib-metadata to 4.12.0
- itsdangerous to 2.1.2
- Jinja2 to 3.1.2
- MarkupSafe to 2.1.1
- pip to 22.2.2
- platformdirs to 2.5.2
- PyNaCl to 1.5.0
- pyparsing to 3.0.9
- requests to 2.28.1
- setuptools to 65.3.0
- typing-extensions to 4.3.0
- urllib3 to 1.26.12
- virtualenv to 20.16.5
- Werkzeug to 2.2.2
- zipp to 3.8.1
- argon2_cffi to 21.3.0
- Switched from Travis CI to GitHub Actions for unit tests
- Switched from Coveralls to Codecov that supports GitHub Actions.
- Installation is now less crash-prone, as the one-liner and installer use an until-loop to ensure Torsocks makes the first connection. For some reason this may take up to 10 minutes.
- Updated
- argon2-cffi to 21.1.0
- cffi to 1.15.0
- pycparser to 2.21
- cryptography to 35.0.0
- Flask to 2.0.2
- click to 8.0.3
- importlib-metadata to 4.8.1
- zipp to 3.6.0
- typing-extensions to 3.10.0.2
- Jinja2 to 3.0.2
- Werkzeug to 2.0.2
- Requests subdependencies
- certifi to 2021.10.8
- charset-normalizer to 2.0.7
- idna to 3.3
- urllib3 to 1.26.7
- setuptools to 58.5.3
- virtualenv to 20.10.0
- distlib to 0.3.3
- filelock to 3.3.2
- importlib-metadata to 4.8.1
- zipp to 3.6.0
- platformdirs to 2.4.0
- typing-extensions to 3.10.0.2
- argon2-cffi to 21.1.0
- Added support for Zorin OS 16.
- Updated Travis config to use Focal, added py3.8 and py3.9.
- Fixed broken Tails installer.
- Updated
- charset-normalizer to 2.0.3
- pip to 21.2.1
- setuptools to 57.4.0
- virtualenv to 20.6.0
- platformdirs to 2.1.0
- Improved release pipeline to better detect hash mismatches.
- Updated
- cffi to 1.14.6
- execnet to 1.9.0
- importlib-metadata to 4.6.1
- mypy to 0.910 (with following new sub-dependencies)
- types-requests 2.25.0
- packaging to 21.0
- pip to 21.1.3
- pytest-xdist to 2.3.0
- requests to 2.26.0 (this finally resolves the pinned idna version)
- charset-normalizer 2.0.1 that replaces chardet sub-dependency
- setuptools to 57.1.0
- urllib3 to 1.26.6
- virtualenv to 20.5.0 (with following new sub-dependencies)
- backports.entry-points-selectable 1.1.0
- platformdirs 2.0.2
- zipp to 3.5.0
- Updated
- The Entire Flask ecosystem
- Flask to 2.0.1
- click to 8.0.1
- itsdangerous to 2.0.1
- Jinja2 to 3.0.1
- MarkupSafe to 2.0.1
- Werkzeug to 2.0.1
- attrs to 21.2.0
- certifi to 2021.5.30
- execnet to 1.8.1
- importlib-metadata to 4.5.0
- more-itertools to 8.8.0
- pip to 21.1.1
- pydocstyle to 6.1.1
- pytest to 6.2.4
- pytest-cov to 2.12.1
- setuptools to 57.0.0
- six to 1.16.0
- typed-ast to 1.4.3
- typing-extensions to 3.10.0.0
- urllib3 to 1.26.5
- virtualenv to 20.4.6
- zipp to 3.4.1
- The Entire Flask ecosystem
Fixed
-
PIP #9827 - Don't split git references on unicode separators which is a CVE numberless vulnerability that allowed hijack of commit based pinned dependencies. This does not concern TFC users as no commit based pinned dependencies are used, only releases.
-
Unencrypted (but authenticated) anonymous installation of apt dependencies is now also encrypted with
apt-transport-https.
- Updated
- cryptography to 3.4.7
- importlib-metadata to 3.9.0
- setuptools to 54.2.0
- urllib3 to 1.26.4
- virtualenv to 20.4.3
Fixed
- CVE-2021-28363 which is a vulnerability in the way the library validates TLS certificates. This does not concern TFC users as Tor manages the TLS-like encryption when requests client connects to Onion Services.
-
Updated
- cffi to 1.14.5
- cryptography to 3.4.6
- importlib-metadata to 3.7.2
- Jinja2 to 2.11.3
- requests to 2.25.1
- setuptools to 54.1.1
- urllib3 to 1.26.3
- virtualenv to 20.4.2
- zipp to 3.4.1
-
Redesigned release pipeline to allow pinned dependency versions, and replaced coarse requirements hash pinning with automated hash pinning of all wheels etc. that match supported Python3 minor versions.
Fixed
-
CVE-2020-36242 which is a buffer overflow error when encrypting large files with pyca/cryptography's fernet module. This vulnerability does not concern TFC as
pyca/cryptographyis not used to encrypt data symmetrically in TFC. TFC uses different library (pyca/pynacl) for that. -
CVE-2020-28493 is a DoS vulnerability that affects the urlize function of Jinja2 v2.11.2, which TFC does not use; Relay Program's Flask server does not render clickable links to the user.
-
CVE-2020-25659 is a Bleichenbacher timing attack against RSA in pyca/cryptography PKCS#1.5 RSA implementations. TFC only uses RSA for digital signature of the installer. The signing is done via
gpg, which does not usepyca/cryptography. Also, in digital signatures the decryption key is the public signature verification key anyway, so timing attacks against the decryption operation (=obtaining authentic copy of the installer's hash) on user-side, doesn't give the attacker any kind of advantage.
- Added support for Python 3.9 and the upcoming *buntu 21.04 releases: TFC installs on current Ubuntu 21.04 daily build, but if the final release breaks something, TFC's installer will be fixed on the April's maintenance update.
- Updated
- attrs to 20.2.0
- certifi to 2020.12.5
- cryptography to 3.3.1
- cffi to 1.14.4
- chardet to 4.0.0
- importlib-metadata to 3.1.1
- more-itertools to 8.5.0
- packaging to 20.4
- pyserial to 3.5
- requests to 2.25.0
- setuptools to 51.0.0
- urllib3 to 1.26.2
- virtualenv to 20.2.2
-
The Relay Program now caches outgoing packets on disk (under
$HOME/tfc) from where they are loaded by Flask when correct URL token is provided. Previously if the Relay Program of the contact went offline, any message sent by the user would be lost in the void, if the user also turned off their Relay Program. This is no longer the case. All buffered messages/files are delivered to the recipient the next time both users are online.This even applies to Tails if the user has enabled persistence: When running on top of Tails, the Relay Program now stores all user data under
$HOME/Persistent/tfcinstead of$HOME/tfc. If however persistence is not enabled, the$HOME/Persistence/directory (along with the TFC installation) is lost in the void once the Networked Computer is rebooted.The buffered data is protected by a new key called the
buffer_keywhich is a domain separated value of the TFC Onion Service private key. Thebuffer_keyis used for two things-
It is used as the symmetric key for additional layer of encryption added prior to storing data on disk. The key is static to allow cross-session decryption of buffered data. The cipher used for encrypting the persistent data is as always, XChaCha20-Poly1305.
-
To store the information about to which contact a buffered ciphertext is intended, the Relay Program creates a subdirectory for said contact. The name of the subdirectory is a keyed BLAKE2b digest of the Onion Address. They key in question is the
buffer_key.
The protection provided by the
buffer_keyis mediocre at best: it's not possible to protect any key delivered via the serial interface as malicious program might reserve the interface for itself first. The only alternative to delivered key would be to add a password for the Relay Program. This might cause the user to reuse their Transmitter/Receiver Program's password, and as the Networked Computer is by far the easiest to infect with a keylogger, we therefore argue a password would actually reduce overall endpoint security. Thebuffer_keyprovides some protection against low-strength adversaries (who have seized the endpoint) trying to e.g. discover to which Onion Addresses the user talks to. High-strength adversaries are assumed to be able to compromise the RAM allocated for the Relay Program, so they have access to all plaintext data (encrypted/decrypted with thebuffer_key) anyway. The protection provided by thebuffer_keyis purely additive: the actual message protection is provided by the TFC message keys that are never available to the Networked Computer. -
-
Fixed issue where aborting master password change on Source Computer would halt output of messages until the Transmitter Program was restarted.
-
Fixed issue where changing logging/file reception/notification setting for all contacts would display a malformed confirmation message on Receiver Program. Note that the setting changes still take place, thus this bug is mostly cosmetic.
- The number of required words in automatically generated master password is now calculated before choosing the words.
- Updated
- cryptography to 3.2.1
- setuptools to 50.3.2
- urllib3 to 1.25.11
- virtualenv to 20.1.0
- zipp to 3.4.0
- Updated cryptography to fix CVE-2020-25659. Note that since TFC exclusively uses X448 (the public key exchange algorithm is hard coded), this timing attack does not concern TFC. Users do not need to take any action.
- Added support for Pop!_OS 20.04 LTS / 20.10
- Small fixes here and there
- Improved Relay.py schematic
- Updated
- cffi to 1.14.3
- cryptography to 3.1.1
- importlib-metadata to 2.0.0
- setuptools to 50.3.0
- urllib3 to 1.25.10
- virtualenv to 20.0.33
- zipp to 3.3.0
- Switched inter-VM communication of TFC Qubes endpoint from UDP packets via sys-firewall to Qubes' qrexec RPC calls. This removes TCP/IP stack, which in turn makes the attack surface much smaller and ensures better TCB isolation.
- Fixed improper exception throwing on Transmitter Program.
- Small fixes here and there
- Updated
- appdirs to 1.4.4
- argon2-cffi to 20.1.0
- certifi to 2020.6.20
- click to 7.1.2
- distlib to 0.3.1
- idna to 2.10
- importlib-metadata to 1.7.0
- PyNaCl to 1.4.0
- requests 2.24.0
- setuptools to 47.3.1
- six to 1.15.0
- virtualenv to 20.0.25
- Linux Mint 20 has updated its Tor package: TFC now runs on it.
- Minor code quality improvements
- Updated
- Certifi to 2020.4.5.1
- Click to 7.1.1
- cryptography to 2.9.2
- Flask to 1.1.2
- importlib-metadata to 1.6.0
- Jinja2 to 2.11.2
- setuptools to 46.1.3
- urllib3 to 1.25.9
- virtualenv to 20.0.18
- Werkzeug to 1.0.1
- Updated signing key prematurely for new signing environment
- Support for running TFC on *buntu 20.04 LTS with the bundled Python 3.8
-
Fixed issue where canceling file transmission gave incorrect error about missing file. This was most likely due to API change within Tkinter.
-
Updated Argon2 master.zip digest in unittests
-
Fixed some type annotations
-
Removed unnecessary f-strings
-
Removed unnecessary setuptools removal from uninstaller
- Updated
- cffi to 1.14.0
- idna to 2.9
- pycparser to 2.20
- requests to 2.23.0
- setuptools to 45.2.0
- Werkzeug to 1.0.0
- Virtualenv to 20.0.8 (with following new sub-dependencies)
- Appdirs 1.4.3
- distlib 0.3.0
- filelock 3.0.12
- importlib_metadata 1.5.0
- zipp 3.1.0
-
Support for running TFC on Qubes 4.0.3.
- New installation configurations, launchers etc. for Qubes
- Add socket based connections for inter-VM communication with UDP packets.
- No Reed-Solomon erasure codes are used for packets in the Qubes version.
- Installer prompts the user for VM IPs and handles the iptables rules.
-
Linux Mint Debian Edition 4 has updated its Tor package: TFC now runs on it.
- Faster
time costsearch function for Argon2id. Transmitter and Receiver Programs now estimate the time per-round of key derivation to figure out some upper bound fortime cost. The upper bound will then be used in binary search to find a suitabletime costvalue much faster. This feature is especially important for low memory platforms such as Qubes VMs where the requiredtime costvalue can be much higher than in normal Source/Destination Computers where gigabytes of RAM are usually available.
- Fixed an issue where injected non-ASCII characters in URL-token would show stack traces in the recipient's Relay-Program (note: this would not crash the Relay Program).
-
Greatly refactored the installer
-
Fixed typos here and there
-
Unified installation and launching instructions under single wiki article.
-
Threat model and installation wiki articles now categorize information based on the endpoint configuration used.
-
Created a new rendering for threat model that shows differences between different endpoint configurations.
-
Hid some of the more detailed information in wiki articles under collapsible sections.
- Updated
- Jinja2 to 2.11.1
- setuptools to 45.1.0
- stem to 1.8.0
- six to 1.14.0
- urllib3 to 1.25.8
- virtualenv to 16.7.9
- Werkzeug to 0.16.1
- Instructions for a new PCB-based datadiode with case, designed by cxcorp. Massive kudos!
- Downloadable Gerber-files for ordering the PCBs.
- Stereolithography files for 3D-printing a case for your data diode.
- Optional LED-board that displays through the case when data transfer takes place.
- As always, step-by-step instructions for assembly.
-
New account and public key import diff viewers
-
When importing a public key, incorrectly entered public key will now be exported back to the Relay Program together with the associated account. Relay Program will then display where the user had made typos -- compared to the latest received public key from that contact.
To ensure the user doesn't accidentally shoot themselves in the foot during use, only correct length purported public keys will be exported from Source Computer. Thus, it's very unlikely the user will accidentally do the wost possible thing and export the local key encryption key (KEK) used in local key exchange.
As an additional layer of protection to prevent that from happening, the BLAKE2b hash of the B58 encoded local key encryption key is now stored as part of local contact's data (it replaces the empty tx-fingerprint placeholder value). When the correct size (but mistyped) B58-encoded public key is entered, Transmitter Program will iterate over the entire string to form all possible substrings that could be the B58 encoded key encryption key. It will hash them and compare them against the stored hash of the original B58 KEK. If a match is found, the public key will not be sent to the Relay Program for visual diff display.
-
When importing contact's TFC account, an incorrectly entered account will also be exported back to the Relay Program. Unlike public keys, in the case of accounts it's not possible to automatically detect errors, as it's not always possible to guess which account the user intended to type. However, there's two ways to help here.
-
Relay Program will observe received contact requests, and if the account is similar (difflib.SequenceMatcher ratio >= 0.75), it will display diffs against that one.
-
If the ratio is less than 0.75 or no accounts are available, Relay Program will now open a GUI prompt into which the program asks the user to copy-paste the TFC account. This prompt will only accept valid TFC accounts. Once provided, the Relay Program will then display the diffs between the paste one and the one manually typed into the Transmitter Program.
To protect from accidental input of sensitive values (such as the local key encryption key (KEK)) to the account prompt, the Transmitter Program only exports correct length mistyped accounts to the Relay Program for diff comparison. Trying to copy-paste a KEK into the account prompt will result in length error. Furthermore, even if the user decides to append arbitrary chars to the KEK to meet the length requirement, they will only be met with another error about the input not being lower case (the B58 encocded format contains with very high probability at least one upper case char). So in order for the user to shoot themselves in the foot they would have to
- Not understand the difference between account and KEK
- Not take the hint from input field size
- Copy the KEK to clipboard for pasting to wrong field (which is pointless considering they're supposed to enter it by hand to Receiver Program on Destination Computer to proceed).
- Concatenate arbitrary data around the KEK
- Change all upper case KEK chars to lower case
-
Note: Diff display messages only help with inputting TFC accounts and public keys, thus local key decryption key (same as KEK) import has no such feature. Luckily, the format of KEKs is the most convenient with its three character segments and the key guide. Out of the three cases, this is -- by a significant margin -- where the least amount of typos happens.
-
- Undid black styling as it actually hurt readability of code.
-
Rendered new pictures for the new PCB data diode
-
Created new pictures for key diff guides and updated how-to images.
-
Clarified stuff here and there
- Updated
- virtualenv to 16.7.8
- certifi to 2019.11.28
- setuptools to 42.0.2
-
Tor port number is now chosen using
SystemRandominstead ofrandom. -
Switched to using absolute paths for binaries called by the software (Travis prevents using them for tests however).
- Initial master key derivation now displays parameters being tested and the key derivation time once the parameter testing round finishes. This ensures the user is aware of what is going on while the process is taking place.
-
Split functions to smaller pieces to reduce McCabe complexity.
-
Solved last cyclic import that required in-function import.
-
Added mypy badge as
--strict --ignore-missing-importsno longer complains. Removed moreAnyannotations. -
Added Codacy code quality metrics badge.
-
Added CodeFactor code quality metrics badge.
-
The code style is now black.
-
Removed some duplicate code.
-
Refactored code here and there.
- Updated
- argon2_cffi to 19.2.0
- cffi to 1.13.2
- Setuptools to 41.6.0
- six to 1.13.0
- urllib3 to 1.25.7
- Enabled
--no-depsflag for dependency installation via PIP. This prevents any third party packages not explicitly allowed.
- Changing master password now requires the user to enter the current master password first. This plugs a hole in accessing logs by changing the password to something the physical attacker chooses.
-
All TFC databases are now atomic. This should prevent corruption of databases in case of a sudden power outage.
-
Master password change and resulting database re-encryption is now also atomic.
-
Updated
- certifi to 2019.9.11
- cffi to 1.13.1
- cryptography to 2.8
- jinja2 to 2.10.3
- PySocks to 1.7.1
- Setuptools to 41.4.0
- urllib3 to 1.25.6
- virtualenv to 16.7.7
- Werkzeug to 0.16.0
-
Removed
- asn1crypto
-
Added support for *buntu 19.10.
-
Added support for PureOS.
-
Added Relay Program support for Tails 4.0 - The installer uses a separate, more compact one-liner that ignores dpkg lock check. Tails makes it possible to run a more safe Onion Service: In case the networked endpoint is compromised in real time, the OS contains no identifying user data (hard disks should not be connected to enforce this). Furthermore, Tails uses the onion-grater program that whitelists applications that have the permission to use dangerous Tor control port commands: It e.g. prevents user-level-privileged malware on Tails from obtaining the real IP-address of the system.
-
Entering the password
generatenow generates a +128-bit password for the user using the EFF wordlist. Note: The generated password will be visible on screen, thus the user must be alone when this feature is used. The password should be written down, and the copy should be kept secret and be disposed of as soon as the user has memorized it. -
Fixed Argon2 to determine memory by looking at MemAvailable instead of MemFree. This fixes slow initial master key derivation and increases security as more memory is used.
- Added missing confirmation codes for delivery of Tx-PSKs.
-
Fixed Tor port type annotations.
-
Removed several Any type annotations.
-
Increased the amount of run-time validation for the outputs of crypto libraries.
-
Removed star imports.
-
New icon color scheme that goes well with both OnionShare and Tor Browser icons.
-
Fixed typo in public key input guide.
-
Added instructions on how to generate the password.
-
Updated color scheme for Tor related renderings.
Tor requires accurate time information. If the system time has any offset (encountered at least with PureOS and Debian during testing), torsocks refuses to function properly and the TFC won't install.
To protect users' privacy, TFC is installed over Tor. Speed of Tor varies, so sometimes some component can time-out, and TFC won't install in those cases. There is no better fix than to try running the installer again.
- Updated
- virtualenv to 16.7.3
- PySocks to 1.7.0
- requests to 2.22.0
- certifi to 2019.6.16
- urllib3 to 1.25.3
- Flask to 1.1.1
- Werkzeug to 0.15.4
- cryptography to 2.7
-
Added support for Debian 10. Debian only runs FOSS software, and has reproducible builds for ~everything. Debian also runs Wayland instead of X11 by default, which offers GUI isolation between applications. This adds some protection against keyloggers Destination Computer might receive from the Networked Computer (or from a malicious peer over file transfer).
-
Non-dev install configurations now only make a shallow clone of the repository. This speeds up download and reduces bandwidth use.
-
Moved setuptools from APT to PIP dependency. This means more recent version is used, and it also reduces the number of dependencies that don't have a pinned hash.
-
Dev configuration installation now backups
$HOME/tfcdirectory instead of removing it.
-
Switched from Argon2d to Argon2id as the algorithm adds side-channel protection in a situation where malware from Networked Computer (or from a peer via file transfer) infects the Destination Computer and does a side-channel attack to extract information that speeds up password brute force. Note that if the Destination Computer is running X11, any user level program can access the keyboard and steal the master password. Using Debian 10 with Wayland (that features GUI isolation) instead of X11 is therefore highly recommended.
-
Updated Werkzeug to 0.15.5 to fix CVE-2019-14806. Fixing this security bug only requires the Relay Program on Networked Computer to be re-installed. This can be done without replacing hardware.
-
Logfile view and export now requires the user to enter the master password. This can be disabled from settings by setting
ask_password_for_log_accesstoFalse, and then entering the master password. The purpose of the feature is to ensure even if TFC is left open, it's not possible to view message logs without the password. However, the user must still take care to reset the terminals with the/resetcommand to hide the ephemeral message log as well as any log files viewed during the session with the/historycommand. -
Improved security of the ChaCha20 DRNG by requiring use of kernel version 4.17 or newer. This ensures that when CPU HWRNG is not trusted, in addition to
fast_pool, the DRNG also seeds itself from theinput_poolbefore considering itself fully seeded. -
Removed the
check_kernel_entropyfunction asinput_poolstate does not reflect the ChaCha20 DRNG seed level or state.
-
Fixed type annotations so that mypy doesn't complain even with
--strict(and--ignore-missing-imports) flag. There are still severalAnyannotations that need replacing so type checking is still a work in progress. -
Significantly refactored
src.common.cryptoand its tests. -
Significantly refactored
install.sh. -
Refactored
dd.pyand added tests for it. -
Fixed deprecated syntax used in
shredsubprocess command executed during wipe. -
Fixed typos here and there.
- Significantly improved docstrings of
src.common.cryptoandtests.common.test_crypto.
-
Fixed bug in automatic Argon2 key derivation parameter selection where incorrect value of memory parameter was stored in some cases.
-
Fixed name parsing in file transfer during traffic masking.
-
Mocked
os.system('reset')calls in unit tests: all tests can now be run in PyCharm as well. -
Hid DeprecationWarnings from third party libraries when running tests with
py.test.
- Reduced longest online check delay of contacts from 16 to 8 seconds. This makes contact appear online sooner when they log in.
- Updated
- Platform to Ubuntu 19.04 (that has Tor 0.3.5 in its repository)
- Python to 3.7
- certifi to 2019.3.9
- cffi to 1.12.3
- Jinja2 to 2.10.1
- urllib3 to 1.24.2
- Werkzeug to 0.15.2
- Network interface killer now leaves loopback interface on. This reduces the time it takes to install virtualenv dependencies for TCB configuration.
-
Switched to best practices in Argon2 key derivation. Transmitter and Receiver Programs now use all free memory in the system, and increase
time_cost(iterations) from one until key derivation takes as long as it needs (3..4 seconds). If aftertime_costhas been determined key derivation takes over 4 seconds, suitable value formemory_costis determined. Closes #6. Unfortunately, due to TFC's endpoint security, providing automatic updates to TCB side software is impossible. Improving Transmitter or Receiver Program's Argon2 security requires reinstalling TFC on a new computer. -
Changed Argon2 memory_cost for PSKs from 62.5 mebibytes to 512 mebibytes. This will break backwards compatibility with previous versions, but it's better to set more reasonable value sooner than later.
-
Fixed broken
/wipecommand during traffic masking. Unfortunately, due to TFC's endpoint security, providing automatic updates to TCB side software is impossible. Fixing this bug requires reinstalling TFC on a new computer. -
Updated Jinja2 to 2.10.1 to address CVE-2019-10906. Fixing this security bug only requires the Relay Program on Networked Computer to be re-installed. This can be done without replacing hardware.
-
Updated urllib3 to 1.24.2 to address CVE-2019-11324. Fixing this security bug only requires the Relay Program on Networked Computer to be re-installed. This can be done without replacing hardware.
-
Switched from custom implementation of PKCS7 padding to the function offered by the
cryptographylibrary (merges #7.) Thanks @tannercollin! -
Removed
kill_background_tor()function as TFC has not used separately compiled version of Tor for some time. -
Replaced last assert with conditional expression (related to #4).
-
Refactored code here and there.
-
Fixed some comments and docstrings.
-
Fixed some broken tests.
-
New
- Git
-
Updated
- virtualenv to 16.4.3
- cryptography to 2.6.1
- cffi to 1.12.2
- markupsafe to 1.1.1
-
Removed
- deb.torproject.org-keyring
- setuptools PIP-dependency
-
Moved TFC public key from unreliable PGP key servers to the GitHub repository.
-
Re-designed installer one-liner is now more compact and secure: The one-liner now sets permissions of downloaded files before authenticating and running them.
-
Fixed issue where gpg threw error
gpg: packet(13) too largewhen loading Tor's PGP key from the SKS key server. Installer now loads Tor's signing key from Tor Project's Onion Service (http://sdscoq7snqtznauu.onion) instead. -
Fixed issue where installer duplicated lines in
/etc/apt/sources.list.d/torproject.list. -
Replaced
torifywithtorsocksastorifyis nowadays only a wrapper for the other. -
Non-TCB installers now upgrade Tor to 0.3.5 before downloading further dependencies using
torsocks. -
Added separate terminator config file for
devinstall configuration that has correct paths (fixes #5). Added a launcher for the dev configuration. -
Added uninstaller for the program. The uninstallation can be started by running
bash /opt/tfc/uninstall.sh -
The installer no longer downloads every file from GitHub repository individually. Instead, it now clones the repository, removes unnecessary files and authenticates the remaining ones. This is much faster.
-
The installer configurations for local testing, TCB and Relay configurations now appear identical until they reach the point where the TCB configuration disconnects. This makes it harder for the attacker to predict if the installation is for Source Computer.
-
The installer no longer creates backup of empty user data directory when the software is re-installed.
-
Fixed bug where constant time context manager for URL token iterator returned prematurely. Note that this bug does not cause a timing attack side channel to determine URL tokens. At worst this bug allows an approved contact to determine how many contacts the user has added before them. Fixing this security bug only requires the Relay Program on Networked Computer to be re-installed. This can be done without replacing hardware.
-
Moved local testing configuration's Terminator config file to
/opt/tfc/from where it can not be edited without root privileges. This prevents malware from editing the path to TFC withing the config file*. Although local testing configuration is not intended to be endpoint secure, some degree of security can be achieved with access control list. Thus, users who use local testing configuration for communication should update their clients.*It also prevents user from making edits to Terminator's TFC profile/layout without editing the Terminator config file manually. This also means users who have created their own terminator configuration file can keep using it without editing TFC's config file.
-
Replaced all asserts with conditional expressions (fixes #4).
- Fixed issue where restarted Transmitter Program was unable to reconnect to running Relay Program because Relay Program
did not display confirmation code of consecutive
UNENCRYPTED_ONION_SERVICE_DATApackets.
-
Refactored code here and there.
-
Updated tests where needed.
- Removed typos where found.
- During installation,
torsocksmight throw1551596718 ERROR torsocks[3869]: Unable to resolve. Status reply: 4 (in socks5_recv_resolve_reply() at socks5.c:683). This should be mitigated by rerunning the installer one-liner.
-
Moved support from Tails 3.1 to future versions of Tails built over Debian Buster, that features Tor 0.3.5.
-
Moved support from *buntu 17.04 to *buntu 18.04 LTS that features
- Python 3.6.5
- uses GNOME 3.28 that ensures more reliable operation of network interface killer for TCB configuration
- Terminator 1.91 (Install candidate)
-
Updated
- argon2_cffi to 19.1.0
- cffi to 1.11.5
- PyNaCl to 1.3.0
- six to 1.12.0
- virtualenv to 16.2.0
-
New dependencies (subdependencies of dependencies are indented):
- Cryptography 2.5
- Asn1crypto 0.24.0
- Flask 1.0.2
- Click 7.0
- ItsDangerous 1.1.0
- Jinja2 2.10
- MarkupSafe 1.1.0
- Werkzeug 0.14.1
- PySocks 1.6.8
- Requests 2.21.0
- Certifi 2018.11.29
- Chardet 3.0.4
- Idna 2.8
- urllib3 1.24.1
- Stem 1.7.1
- Tor 0.3.5
- Cryptography 2.5
-
Removed dependencies
- Pidgin
- Pidgin OTR
-
TFC is now installed into
/opt/tfc, and the program code can no longer be altered without root privileges. User data is still stored into$HOME/tfc/user_dataand$HOME/tfc/received_files. -
Ubuntu installation configurations no longer require rebooting to enable serial port access.
-
The Relay Program configuration for Ubuntu now uses Python 3.6.
-
The Relay Program installation on Tails now asks for sudo password only once at the start of the installation.
-
Added development environment installation configuration for the *buntu platforms.
-
If the installer finds an existing configuration file for Terminator, it now displays a warning that informs the user under what name the backup file was stored.
-
The installer now configures the Terminator program's font size according to user's screen resolution. The most common screen widths (1368px, 1600px, and 1920px) are supported. Note that for Ubuntu, the dash should be moved to the bottom of the screen.
-
Switched from X25519 to X448 key exchange that provides 224 bits of symmetric security over the 128 bits of X25519.
-
Switched from XSalsa20-Poly1305 to XChaCha20-Poly1305 (IETF-variant) that provides better diffusion.
-
Switched from Pidgin and XMPP accounts to native Tor v3 Onion Service backend to provide anonymous communication.
-
Receiver Program now also shreds the content of
received_filesdirectory and removes the user data directories during the/wipecommand. -
Switched from BLAKE2s to BLAKE2b that's optimized for AMD64 architecture TFC is designed to be run in.
-
Replaced
hash_chainthat did not have a security proof with BLAKE2b. This increases the hash ratchet performance significantly. -
Removed the risk of falling into short cycles of keys within the hash ratchet, by hashing the previous key together with the hash ratchet counter.
-
Added protection against zip bombs for received data. The maximum size of decompressed file data is defined by a new setting
max_decompress_size. The maximum size for messages is fixed to 100,000 bytes. -
Fixed issue where a frenemy could crash the user's Receiver Program with file packet, the file name header of which contains a slash ('/').
-
Changing TFC's database sizes with
/setcommand now takes effect immediately on both Source and Destination Computer. -
tm_static_delayortm_random_delaynow have minimum setting and changing the value displays a warning that altering the value can make the traffic and endpoint of user look unique to an attacker. -
Added constant length padding for nicknames in packets containing contact keys, sent to the Receiver Program when adding a new contact.
-
Transmitter program now clears readline history when
/resetcommand is issued. This prevents accessing sent messages via the readline history feature. -
Added terminal reset, readline history clearing and clipboard clearing (of kdk is on clipboard) during local key setup. This ensures sensitive key material is not available to someone observing the system after local key exchange.
-
Prevented user from sending TFC databases to contacts as files.
-
The installer one-liner now first installs Tor before downloading and installing TFC anonymously. This may be slower, but it makes it harder for a global adversary to determine which endpoint it should compromise during install.
-
Added pinned SHA256 hash of public key to installer one-liner that is checked after the key is imported based on its SHA-1 fingerprint. Here is the formatted version of the one-liner:
c='local' h='20b51fc9aaea3a5493c7cf513a3c875764980ebd33eea2689748761ae697652f' fp='EA8F38BA674B242E9944845C981370E9725A0FBA' f='tfc_key.asc' ks='hkp://jirk5u4osbsr34t5.onion' while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep .5 echo -ne "\rAPT is busy" done && sudo apt update && sudo apt install tor -y && gpg --keyserver $ks --recv $fp && gpg --export -a $fp > $f && if sha256sum $f | grep -Eo '^\w+' | cmp -s <(echo $h); then rm $f && torify wget https://raw.githubusercontent.com/maqp/tfc/master/install.sh{,.asc} -q && gpg --verify install.sh{.asc,} && bash install.sh $c else rm $f echo "ERROR: Signing key had invalid SHA256 hash" fi- The reason for the SHA256 hash is the delayed standardization of the next generation PGP (v5) fingerprints by the IETF OpenPGP WG, which means PGP users are currently vulnerable against nation-state actors capable of producing key pairs with colliding SHA-1 fingerprints.
-
Fixed a category of side-channel attacks where malware on Destination Computer could
-
show sensitive data like keys in place of unknown accounts when the Receiver Program displays group management messages. To prevent the attack, group management messages are now displayed by the Relay Program on Networked Computer, that does not have access to sensitive keys.
-
delay showing messages (like public keys, messages, and files) based on individual key bits, which could lead to user taking action on their Source Computer, that could in turn leak key bits to the Networked Computer. To solve this, the Relay Program delivers the 1ms resolution reception timestamp of received message to the Receiver Program. The user can detect a message from a contact displayed by the Receiver Program was timed according to key material, when no matching timestamp is also displayed by the Relay Program. Any difference between the current Destination Computer time and timestamp of received message that is significant enough to alter user behaviour, can be detected by the user. It's not perfect, but it's all that can be done.
Despite the protections, malware on Destination Computer might display questions from frenemy based on key material, and user's reply could be used to exfiltrate keys one bit at a time to that frenemy. Considering the security problem, such an attack cannot be fixed with security architecture, only by vetting contacts and if possible, isolating trusted and untrusted contacts on separate (best case scenario being, individual) TFC endpoints.
-
-
Indirect: https://pgp.mit.edu has upgraded its TLS configuration meaning slight improvement to overall security.
-
Switched from
Serial().read()toSerial().read_all()to read the exact size of serial interface buffer every time. -
Tweaked serial timeout settings to significantly increase data transmission reliability.
-
Fixed an issue where TFC would not immediately update Source Computer side key database size when the
max_number_of_contactssetting was changed.
-
New user-friendly naming scheme:
- TxM is now Source Computer
- NH is now Networked Computer
- RxM is now Destination Computer
- TFC-TxM is now Transmitter Program
- TFC-NH is now Relay Program
- TFC-RxM is now Receiver Program
This allows referring to each program and computer with a single word (e.g. Source or Relay).
-
The Source Computer handles the storage of the persistent Onion Service private key. What this means is, the Relay Program is able to maintain static onion address across sessions, even if it's run on an amnesic distro like Tails.
-
When adding a contact, the Transmitter Program no longer needs to ask the user to enter their account that corresponds with the contact's account.
-
When adding a new contact, a friend request is sent to the recipient. It is thus enough one contact knows the TFC-account of the other.
-
Diffie-Hellman key exchange can now be interrupted with
Ctrl+C, e.g. if the contact is not available, or if arrival of the public value takes too long. This sets the key exchange state to "Pending". The key exchange can be resumed by selecting the contact. This will reload the ECDHE private value generated earlier, and re-send the public value to the contact. Caching the ECDHE values prevents confusion about which public value is the correct one. Note however, that if Transmitter program is restarted, it will generate a new ECDHE keypair when pending contact is re-selected. -
Added support for
/add,/rm, and/connectcommands in the contact selection screen. This prevents the user from being unable to add new contacts until the key exchange is completed for the first contact. -
Significantly improved handling of local keys: Receiver Program now stores the BLAKE2b hashes of local key packets and local key decryption keys for the duration of session. Together, these allow the program to
- notify the user in case they entered an expired key decryption key
- notify the user in case the received local key packet was an old one
- automatically drop repeated local key packets: these packets no longer have to be manually canceled
- automatically attempt decryption of queued local key packets in case user enters local key decryption key for packet that the Receiver Program has received, but that it has not yet loaded for processing.
-
During key exchange, the fingerprint verification can now be skipped with
Ctrl+C. This shows the user a warning and sets the fingerprint verification state to "Unverified" (displayed in the contact list). This is an easy way for the user to keep track of key authentication status; no more lying to the "I have verified fingerprints" question. -
Added a new command,
/verify, that displays contacts' fingerprints, asks the user to confirm whether they match, and depending on the answer, stores the Verified/Unverified value to the contact database. The value can be changed afterwards if the user, e.g., feels the verification channel was not secure. -
/pskcommand now shows a confirmation code on Receiver Program after successful import of contact's PSK. When the code is entered to the prompt on Transmitter Program, the program removes the "(No contact key)" reminder from contact list. This helps the user keep track about which PSKs they have not imported yet. -
Symmetric keys derived during ECDHE key exchange now also require confirmation code. This ensures key exchange succeeds even if the key delivery packet would drop.
-
Set Networked Computer bypass messages setting (
nc_bypass_messages) toFalse(=disabled) by default. This feature is now marked for deprecation sometime in the future. -
Selecting window with unread messages now displays a horizontal line between the old and new messages.
-
The Relay Program now shows the arrival time of public keys.
-
During traffic masking, the ephemeral notification about file being received is now directed to the active contact/group window. This is because during traffic masking the window can not be changed.
-
Moved settings for serial interface from the encrypted settings database to a JSON file in $HOME/user_data. This removes the need to display the annoying Receiver Program serial interface prompt that prevented the user from locking themselves out in case Relay and Receiver program serial settings accidentally end up in inconsistent state.
-
Groups now use random group IDs to identify themselves across peers. This means the user can choose the name for each group they join.
-
The user can now rename the active group with the
/nickcommand. -
Changing contact's nick now automatically reloads the window with the new nickname.
-
The Relay Program now displays when contacts come online or go offline.
-
Much faster file transmission. TFC now works as follows:
-
Removed the
/feand/ficommands to make way for a new file transmission protocol. -
When traffic masking is enabled:
-
/filecommand sends the file the old way, in the background inside packets that are indistinguishable from messages.
-
-
When traffic masking is disabled:
-
/filecommand encrypts the file and exports the ciphertext (CT), together with information about recipients, to the Relay Program's server that multicasts the CT to those recipients. The Relay Program of each recipient will forward the CT to their Destination Computer where the Receiver Program caches the CT if file reception is enabled for the sender of the file. The file packet is immediately followed by an automated, standard TFC message that delivers the decryption key for the CT. The key delivery message also contains the BLAKE2b digest of the CT to guarantee the integrity of the CT, to authenticate its sender, and to identify the correct CT for the decryption key.
-
-
-
As keys for file import/export are discarded, public keys are now using Testnet WIF addresses, meaning all keys that are input manually are distinct, and the user cannot mistakenly input the wrong key to the wrong place.
-
Increased TFC database padding settings to make databases of more users look identical
- 50 contacts
- 50 groups
- 50 members per group
-
Fixed an off-by-one error where TFC key/contact database would count local contact/key as part of members of the database, meaning actual number of contacts that could be added was one less than what the settings would imply.
-
Removed the
multi_packet_random_delaysetting as it's no longer needed. -
Traffic masking can now be enabled and disabled without restarting the Transmitter Program.
-
The serial interface setup during first launch now prevents the user from choosing an unavailable USB-to-serial/TTL adapter or unavailable built-in serial interface.
-
Moved the definition string for built-in serial interface from gateway module to the serial settings JSON file. (This string might need to be manually edited for some OSs, e.g., Raspbian uses
/dev/serial0or/dev/ttyAMA0).
-
Updated the Reed-Solomon codec to the fork by Stephen Larroque that runs ~10% faster than the original implementation under default settings. Added type annotations to the implementation.
-
Databases now store data in more compact form:
- Databases no longer store accounts as 1024-byte, padded, UTF-32 encoded bytestrings, but as the 32-byte Ed25519
public key of the Onion Service, which is the most compact representation of v3 onion addresses and thus, TFC
accounts. The new format means
- 63% smaller contact databases
- 75% smaller log databases
- 85% smaller key databases
- 92% smaller group databases (compared to the old setting of 20 members per group)
- Databases no longer store accounts as 1024-byte, padded, UTF-32 encoded bytestrings, but as the 32-byte Ed25519
public key of the Onion Service, which is the most compact representation of v3 onion addresses and thus, TFC
accounts. The new format means
-
Re-designed group management messages to require no multicasting over the serial interface.
-
Faster data transmission over the network: Ascii85 encoding instead of Base64.
-
Removed a redundant layer of base85 encoding from file transmission during traffic masking. This increases transmission efficiency from 80% to 100%, meaning 25% faster file transfer during traffic masking.
-
Removed redundant
relay.gatewayandrelay.miscmodules. Movedrelay.settingsundersrc.common.gateway. -
Removed magic numbers from all database field values.
-
Expanded use of statics, ensured each field and header has distinct value for length.
-
Improved readability by refactoring code.
-
Improved tests and added
mock.patchdecorators. -
Improved test coverage to 100% with practically no ignores. (Note that Travis requires skipping some tests, thus coverage will be capped to 99%.)
-
Improved mypy coverage: --disallow-untyped-defs no longer shows warnings. This still requires more work.
-
The Wiki now provides URLs for images in case GitHub fails to render images behind camo URLs.
-
Created new renderings.
-
Expanded and clarified almost everything.
-
Fixed grammar and typos here and there.
-
Switched docstring parameters to non-standard (but more readable) in-line parameter descriptions.
To summarize
- Protocol looks complete
- TFC uses complete suite of latest and greatest ciphers and algorithms:
- X25519
- XSalsa20-Poly1305
- Argon2d
- Hardware layout has improved a great deal since the project started.
- Test have 99.71% coverage (98.18% with no ignores).
- Mypy static type checking is complete, only typeshed related warnings are displayed
- 100% of user data at rest is encrypted and padded to the extent the only metadata that leaks, is the maximum number of contacts/groups and the maximum number of logged messages.
- Installer has a built-in authentication mechanism.
That being said, after four years, it is a great pleasure to announce the system is ready enough to have its major version number bumped to one. There's still room for improvement. In future TFC will hopefully ditch Pidgin as its underlying ciphertext delivery mechanism and switch to native Tor Onion Service routing. Routing via Tor Onion Services can already be done with Pidgin, but it is not the default. Cipher choices also leave some room for improvement: X448 with ChaCha20-Poly1305 is something to aim towards if/once they become available.
-
Fixed security issue where during traffic masking (the proper term that replaces "trickle connection") user could change GUI dialog setting so that it would show on NH, revealing the use of TFC.
-
Switched from argon2 0.1.10 to argon2_cffi 16.3.0 library that is better maintained and tested. Since there are no shared users or remote access to TxM/RxM, switched from Argon2i to Argon2d that provides more security against GPUs/ASICs.
-
Updated PyNaCl to version 1.1.2, the wheel format of which is much faster to install.
-
Updated pycparser to 2.18
-
Updated cffi to 1.10.0
-
Updated pyserial to 3.4
-
Added kernel version check that ensures TFC only runs on systems with kernel 4.8 or later. The version requirement ensures that kernel CSPRNG uses the new ChaCha20 compressor.
-
Reset command now clears TxM screen before running the slightly laggy reset command. The clear function gives a few milliseconds faster protection against shoulder surfers.
-
/exitcommand will now reset terminals before exit in case terminal stays open when exiting. The reset function helps especially when the settingdouble_space_exitsis enabled. -
Added
/whispercommand that allows the user to bypass enabled logging setting of the recipient. This is purely an agreement based (nothing prevents recipient from editing their client), but in situation where the recipient can be trusted, this feature is useful for sending, e.g., decryption keys for files that the recipient will import with/ficommand, as well as "off-the-record" messages (nothing to do with OTR-protocol), if users agree they generally want to log messages but sometimes not. -
Added
/wipecommand that resets terminals, overwrites and removes all encrypted user data and powers off TxM, RxM and NH. on NH TFC will also shred$HOME/.purpleto hide metadata about what accounts user was using and communicating with. With standard hard-disks (i.e., not SSDs) and DDR3, this should be sufficiently secure against cold-boot attacks that try to recover user data. -
Removal of contact with
/rmcommand now removes their ephemeral message log from all windows. -
Fixed issues with notify setting for contacts/groups not hiding messages for contact properly.
-
Installer now uses SHA512 instead of SHA256 for pinned hashes of downloaded TFC files.
-
Moved to support only Ubuntu 17.04 as it comes with APT 1.4 that
- deprecates Ubuntu's 13-year-old, 1024-bit DSA key (only a more recent, 4096-bit RSA key is used)
- doesn't support repositories that use signatures that rely on SHA-1
- is 10-20% faster (meaning shorter window of exposure for TxM)
- eliminates the need for additional repositories for Python3.6 and Terminator
- has latest version (9.0.1) of
pipin its repository
-
TCB configuration now installs the net-tools application that does not come with 17.04. The program allows the use of the current network interface disabling function.
-
Added priority queue for encrypted TxM to RxM commands (and local keys). The queue ensures that NH sends all queued commands between every assembly packet (and public key) received from contacts. Prioritized commands over public keys on RxM to prevent DoS for command loading.
-
Removed
log_file_placeholder_datasetting. It is pointless to store file placeholder data to hide file transmission because an adversary can easily tell file was transmitted from the burst packets. The only situation where that is not the case is with traffic masking.Noise packet logging was streamlined. Now, regardless of traffic masking setting, nothing gets logged if active contact/group has not got logging enabled. TFC now has a single setting,
logfile_masking, that when enabled logs all authenticated and decrypted packets during traffic masking. Received files, ephemeral group management / whispered messages as well as traffic masking noise packets are logged as placeholder data. Additionally, on receiving side if, e.g., file transmission is canceled and the packet is never decrypted, logfile masking logs placeholder data instead. -
Randomized keys that are not meant to be used, in case they due to some bug they would be loaded for encryption/decryption purpose.
-
Changed 8-byte group message time stamp to 16-byte random value. The new header hides system time from recipients, who could use the information to fingerprint TxM. The field length was doubled to deal with randomized nature, that would have otherwise caused a collision with 50% probability for every 2^32 messages. The probability now requires 2^64 messages, which is the lifetime of the key (limited by the hash ratchet counter field).
-
There was a slight chance adversary that would compromise NH, could first send a public key and then inject imported file. If contact were to use the public key from adversary to decrypt it, that adversary could import a possibly malicious file to RxM. File decryption keys now use Testnet format instead of Mainnet format, keys so wrong keys entered in confusion will raise checksum error.
- Fixed crash when accessing group's log containing a group management packet
- Fixed crash when viewing logs for removed contact
- Fixed crash when reloading group window containing removed contact
- Fixed crash when giving an empty command ('/ ')
- Fixed errors resulting from editing sequence during enumeration
- Fixed issue where a message sent to a group was only logged once
- Fixed issue where the local testing window would not open to the active workspace.
- Fixed issue where
/notify off allwould disable command messages - Fixed issue where file import decryption key's input widget drops when a valid but incorrect key is given
- Added
-eflag to the installer to exit script if any error occurs - Fixed exit codes for programs
- Fixed corner cases for some setting values
- Fixed laggy
/cmand/cfcommands - Fixed concurrency issues for NH management commands with low baud rates. All commands now work from 50 to 2M bauds.
-
Added command
/rmlogs {account,nick,group}that can remove log entries for specified accounts or groups. If all logs for accounts that are members of a group are removed, messages will also be removed from that group. However, if messages are removed from the group, private messages will not be removed from the log file. -
Transmitter will prompt the user to remove TxM/RxM logs for contact when contact is removed with
/rmcommand. -
Transmitter will prompt the user to remove TxM/RxM logs for the group when a group is removed with
/group rmcommand. -
Renamed references to
ECDHEtoX25519. -
Setting names are no longer constant length atrocities.
-
Changed behavior of notifications. All notifications are now enabled by default, but the only number of unread messages is displayed. Added setting
new_message_notify_previewthat when changed from the default value of False to True enables preview of messages. -
Receiver program now shows temporary notification about received messages in start window that is now command window until the user selects window using TxM.
-
One-liners and installer now automatically wait until APT's
/var/lib/dpkg/lockis released. -
Combined local testing launchers to one with alternative layouts in right-click context -menu.
-
Base58 representation of X25519 Public keys is now the exact implementation of Bitcoin's Wallet Import Format. It uses SHA256d instead of the hash chain and prepends Mainnet or Testnet byte depending on for what key is used. The goal here is to reduce fingerprinting capability of TFC public keys in case users for some reason read public keys displayed by their RxM instead of fingerprints.
The effect of this is all public keys are slightly longer than before, but always 51 chars long. Local testing still displays the key as one easy-to-copy string, but in normal use, the keys are displayed in 17 substrings of three chars (which feels like the right size for the humans' working memory), with lettering from A to Q that helps check position when typing the key:
A B C D E F G H I J K L M N O P Q
5Ka 52G yNz vjF nM4 2jw Duu rWo 7di zgi Y8g iiy yGd 78L cCx mwQ mWV
-
Updated description of Signal fingerprint verification before E2EE call, since SAS has been replaced with Signal's standard fingerprint.
-
Receiver program's message preview notifications will now always include the type of window the message was received in. For private messages, it notifies that the window in question was a private window, and for groups, it will notify the user that it was a group window and also include the name of the group.
-
RxM no longer shows group management messages for added/removed members or group exit notifications if the group does not exist on Receiver program, or if contact is not a member of the existing group. Invitation / join messages will still be displayed as they should.
-
TxM and RxM now print and export history in the same format as normal chats do.
-
Valid but incorrect local key decryption key no longer exits local key bootstrap phase (first time when setting up).
-
Added minimum value for notifications so that user does not hide them by setting delay very small.
-
New column based transmission window now shows the percentage of completeness instead of the progress bar
-
Added alias
joinfor group creation to make use more intuitive. Following commands do the exact same thing/group join team [email protected] [email protected] /group create team [email protected] [email protected] -
Receiver program no longer just shows that logging, notification or file reception setting was changed, it also tells if the setting changed or if it was already at that value.
-
Disabled factory from launchers using gnome-terminal, which prevents launching TFC accidentally twice.
-
Added
resendcommand to public key input so the user can easily resend their public key to contact.
- Changed the majority of magic numbers and strings to descriptive static values
- Rewrote many modules
- Removed serial interface detection for Raspbian until the OS can be fully featured
- Removed unused command class stub and terminal resize function
- Removed duplicate code from
tx.commandsandnh.misc - Removed debug message printed when the packet is canceled during traffic masking
- Refactored tests, switched to proper setUp and tearDown logic for most tests
- Refactored terminator config file
- Increased test coverage to 99.71%
- Fixed rest of the mypy warnings (third-party libraries are ignored)
- Added missing type annotations
- Tons of small improvements here and there
- Renamed
src/common/errors.pytosrc/commons/exceptions.py - Renamed
src/rx/window.pytosrc/rx/windows.py - Renamed
src/tx/tx_loop.pytosrc/rx/input_loop.py - Renamed
src/rx/rx_loop.pytosrc/rx/output_loop.py - Renamed
src/tx/trickle.pytosrc/tx/traffic_masking.py - Removed
src/tx/messages.py
-
Rewritten in Python3: 3.6 for TCBs. NH still uses Python 3.5 because the Tails 3 ships with it and because some modules such as dbus have not yet been updated for 3.6.
-
Split huge files to clean modules; This greatly reduces duplicate code. Some functions for NH.py were duplicated to avoid the need to install crypto modules on NH's virtual env.
-
As requested, TFC now features PEP484 type annotations for mypy static type checker.
-
Enabled Travis CI and unittest coverage report.
-
NH-side now has much clearer abstraction that makes writing plugins for other IM clients with IPC/sockets much easier.
-
TxM/RxM are Python 3.6 only as the version allows the explicit use of os.getrandom that always blocks when the entropy pool of the kernel CSPRNG has less than 128 bits of entropy. This happens for example during at the start of Live distros. As the 128 bits is kind if low, TFC startup routine now waits for /proc/sys/kernel/random/entropy_avail to have at least 512 bits of entropy before continuing. All this combined with the modernization of kernel CSPRNG in version 4.8 of Linux kernel to use ChaCha20 among other things, means HWRNG can safely be deprecated.
-
As PyNaCl library finally includes getter for shared secret, a separate fork of the library is no longer needed.
-
As requested, PBKDF2-HMAC-SHA256 was replaced with state of the art Argon2 key-derivation function. The used version is Argon2i as it is designed against local attacks.
There are two configurations for Argon2 parameters depending on use case:
-
TxM/RxM persistent database encryption
-
h: Number of threads in CPU
-
m: Amount of available RAM during the creation of master password (at least 128MB as failsafe)
-
x: Number of round starts at 1 and is doubled for every test of key derivation under 3 seconds.
(Resource requirements are reduced by 50% during local testing to allow simultaneous login on TxM/RxM. This is fine because local testing is not intended for secure use).
-
-
PSK password protection
- h: 1 as the number of threads on recipient's system is unknown
- m: 128MB as the amount of RAM on recipient's system is unknown
- x: 16 so that derivation is slow even on faster systems. SBCs like Raspberry Pi will suffer but the inconvenience is a one-time thing (assuming user makes no typos when entering the password).
-
-
Hash ratchet now uses a hash chain construction built from SHA3-256, BLAKE2s and SHA256. The construction provides pre-image resistance and unpredictability as long as one of the hash function implementations is not compromised. All libraries are built into Python 3.6.
-
Fingerprints of public keys are now domain separated with the X25519 shared secret. This prevents deanonymization of clients by cross-correlating public key delivered over the network (e.g. when no OTR is used or when it's defeated by compromising NH) with fingerprint compared over an off-band channel that may not be anonymous and/or encrypted.
-
Major switch in NH and data diode design takes advantage of the full-duplex capability of serial interface meaning NH will only need one interface, but data diode designs will need to change accordingly. This lowers the price of endpoint setup by ~$15..25. It also streamlines NH-side code a great deal as autoconfiguration of interface directions is no longer needed.
-
New data diode design by Sancho_P uses USB-to-TTL adapters and Avago HCPL-7723 optocouplers that raise speed from 19 200 bauds to 1-2 million bauds, requires fewer components, very small amount of soldering and no batteries or external power supplies. Kudos!
-
As requested, any amount of errors Reed-Solomon corrects now raise a warning about possible serial/data diode failure so users can detect and prevent problems before they become unrecoverable.
-
Sent group messages now include the Unix timestamp of the time assembly packet creation started. This is a simple yet robust replacement to the previous approach where a counter was used to determine when all copies of group message had been received locally. Any unreceived packet would have caused the counter to desynchronize creating issues in displaying the sent message on RxM. From now on, RxM will display the first message it receives as the one sent to the group and shows only one of those messages. The timestamp is not secret and since it's global, the time zone of the sender is not revealed.
-
Fixed bad screen reset design where if window change packet was dropped during transmission, the cue for the active window on TxM would indicate that new window will get reset but in fact, it would be the old one still active on RxM. Reset command now includes the UID of the window which is to be reset.
-
NH and RxM now run a separate receiver process that does not handle the Reed-Solomon decoding. Serial interface's timeout was removed and inter-byte timeout now operates on external clock based on Python3's
time.monotonic()that ignores clock jumps. This allows much more reliable reception of data with very tight inter-packet delays (that for the first timescale for very small baud rate settings such as 50..1200 that highest assurance data diodes based on LED-phototransistors / optoforks require).
-
New VT100 control-code based user interface is much more intuitive to use.
-
Switched to Signal style base-10 fingerprints: The main issue with previously used hexadecimal format was that '3', 'b', 'c', 'd' and 'e' are pronounced very similarly in at least the English language.
-
Removed manual public key import feature: In the event fingerprints do not match it's better users exchange PSKs than risk MITM in either channel when they are clearly being targeted.
-
Redesigned message output: TxM now always runs two processes. One reads input from the user, another outputs messages from queues. This means that when trickle connection is disabled, different packets are being output based on their priority: Commands have the highest priority, followed by messages and finally files, that usually takes a long time to transfer. This comes at the cost of losing the multi-line paste mode. Trickle or no-trickle, messages/files for active contact/group are canceled with commands
/cmand/cf. -
Contacts are now added from an interactive wizard that is launched with the command
/add -
User can view ongoing Pidgin-side file transmissions from file window with the command
/fw -
RxM notifications now display to which group window contact sent the message.
-
Completely new way to send encrypted files with TFC. Use the file export command on TxM:
/feThis encrypts file name and data with XSalsa20-Poly1305, outputs the ciphertext to NH that stores it under a name that consists of 32 random hex chars. The exported file can be sent to contact over the channel of user's choosing (email, cloud etc). The decryption key will be displayed on the screen, and it must be sent over TFC manually to contacts receiving the file.
The recipient that receives the file with their NH, can issue file import command from TxM to NH:
/fiThis opens a file prompt on NH that allows the user to select the encrypted file. NH will transmit the file to RxM that prompts the user to enter the decryption key, and after successful authentication and decryption, the file is stored on RxM. This obviously does not hide the fact that the user is sending a file, but sometimes that is not a problem. The reason this is faster is that the file doesn't have to be encrypted in chunks, but also because there is no key rotation, database storage or similar. It also handles errors much better because sender and receiver can redo the process independently as many times with varying serial port speeds and error correction settings until ciphertext delivery over data diode succeeds.
-
/names command now lists groups below contacts with wrapping member list. This deprecates following commands:
/groups/group -
Added commands that the user to specify a new master password for TxM or RxM from TxM:
/passwd tx/passwd rx -
User can now view/export log of (n latest) messages of the active recipient/group with commands /history (n) /export (n)
-
Settings are now stored in an encrypted database. The user can control settings on TxM/RxM with /set
Some settings only change when TFC is restarted; User is notified of such events. The user must ensure all computers receive new settings by making sure they display notifications, before restarting programs. Otherwise, the user must change settings back so that NH and/or RxM can again understand sender device. The major issue is that due to encrypted settings database if the user enables/disables USB adapter and does not have integrated or USB adapter available, they would be unable to send data to RxM. This is prevented by making RxM ask the user to select between USB adapter and integrated interface at the beginning of every session. It is annoying but cannot be helped. Advanced users can comment out prompt trigger from
src/common/db_settings.py (lines 108-110). -
Improved /help readability on narrow terminals.
-
File data is now encoded using Ascii85 instead of Base64, meaning 5% increase in file transmission speed.
-
Group management messages now display nicks of known contacts and accounts of unknown ones.
-
Group management commands are displayed on the active window after which they move into the command window.
-
Nicknames are now unique identifiers and can be used during group commands when removing contact etc.
-
Removed noise packet logging. Logging excessive amounts of noise data just to hide metadata about how much communication has taken place in total from an adversary who physically compromises TxM is unlikely to offer meaningful protection. It is much more safe to not log any data in the first place. Smaller log file size makes TFC more portable and easier to hide.
Installing
-
Installer is now a minimalistic shell script
Type of installation is selected with an argument (tcb, nhu, nht or lt)
The installer is run with one of the following one-liners that make authentication of the installer with known GPG fingerprint easy. It also minimizes the race condition that would follow from manual installer authentication.
-
TxM/RxM on Ubuntu/Mint (64-bit only)
gpg --keyserver pgp.mit.edu --recv 861BD0CE1E47A9D29F03C4F54064F05A4D17DE97 && wget https://raw.githubusercontent.com/maqp/tfc/master/install.sh{,.asc} -q && gpg --verify install.sh{.asc,} && bash install.sh tcb -
NH on Ubuntu/Mint (64-bit only)
gpg --keyserver pgp.mit.edu --recv 861BD0CE1E47A9D29F03C4F54064F05A4D17DE97 && wget https://raw.githubusercontent.com/maqp/tfc/master/install.sh{,.asc} -q && gpg --verify install.sh{.asc,} && bash install.sh nhu -
NH on Tails
gpg --keyserver pgp.mit.edu --recv 861BD0CE1E47A9D29F03C4F54064F05A4D17DE97 && wget https://raw.githubusercontent.com/maqp/tfc/master/install.sh{,.asc} -q && gpg --verify install.sh{.asc,} && bash install.sh nht -
Local testing on Ubuntu/Mint (64-bit only)
gpg --keyserver pgp.mit.edu --recv 861BD0CE1E47A9D29F03C4F54064F05A4D17DE97 && wget https://raw.githubusercontent.com/maqp/tfc/master/install.sh{,.asc} -q && gpg --verify install.sh{.asc,} && bash install.sh lt
The trust chain works as follows: If the fingerprint in one-liner matches the one you know to be secure, imported 4096-bit RSA public signature verification key will also be authentic. With the authentic public key, only the installer install.sh with authentic digital signature is executed by the one-liner. The install.sh downloads TFC files and checks their SHA256 hashes. Among these files are the requirements.txt and requirements-nh.txt that contain pinned SHA512 hashes for dependencies downloaded over pip.
Installer creates virtual environments for Python3.6 (venv_tfc) and 3.5 (venv_nh) pip dependencies. This avoids littering the global Python environment.
-
Databases pad strings with Unicode chars and encode the padded string using UTF-32. This ensures constant length fields regardless of used symbols. Each data type is converted to constant length byte string in the most effective way that still has zero impact on security. This was actually done already in the previous version but the implementation was harder to evaluate as Python2 does not make a clear distinction between bytes and (Unicode) strings. The encoding in the previous version was UTF-8, thus ciphertext length would vary when some field contained Unicode chars that are encoded to longer strings.
-
Split keys and hash ratchets into a separate keys-database managed by the sender process. This ensures database i/o of input process does not block sender process and reveal use during trickle connection.
-
Moved logging of packets to separate process. That way i/o wait times when accessing the TxM logfile do not slow down
sender_loopand reveal use during trickle connection. -
TxM side database now also stores file reception and notification settings that are displayed with
/names.
From this version onwards, TFC-NaCl is the only version that gets new feature updates. The reason for this is in-part time constraints, in-part the goal to unify the userbase and ultimately integrate cascading ciphers. The 'NaCl' name will be dropped starting with this version.
Tx.py and Rx.py now feature an animated login screen built on curses, mocking all the things cyber. When the programs are launched for the first time, the user enters and confirms a master password. This password will be combined with salt (created with /dev/urandom) in PBKDF2-HMAC-SHA256, the iteration count of which is ensured to be within 2000..4000ms range, but with at least 65536 iterations. This means slow systems will suffer during login time; Security comes first. While the salt and long key derivation time are currently best practices, they offer negligible protection against weak passwords. No magical crypto dust exists to protect from this so make sure to use strong passphrases and possibly 2FA with something like Yubikey, that remembers a static part of the passphrase.
The output of HKDF is the master key, the SHA3-256 hash of which is stored together with the iteration count and salt to file .{tx,rx}_login_data. Forgetting the password, tampering with, or deleting the login data file renders all stored data useless: be careful. Under the assumption, the password remains unbreakable by the adversary, encrypted databases help against following problems:
All data is encrypted before it touches the hard drive: These are increasingly becoming SSDs that don't overwrite data the way magnetic drives do.
In the case where the adversary has not remotely exploited RxM with a keylogger that copies TFC master password, physical access where encrypted data is merely exfiltrated means attacker is unable to access sensitive data. Previously similar protection could be obtained with Full Disk Encryption (FDE) and ensuring the encrypted disk is not mounted. TFC now keeps data secure even if FDE drive is mounted but TFC is not running. Since encryption scheme is authenticated (XSalsa20-Poly1305), any tampering can be detected as authentication of encrypted data fails with the correct password.
In situations where TxM and RxM operating systems are left open (something user should never do) but when TFC master password hasn't been given, encryption of data prevents impersonating the user.
All fields in databases are padded prior to encryption. With groups and contacts, there is now a maximum number of contacts adjustable by the user. The database is padded accordingly to hide the length of data in fields, number of contacts, groups, and members of each group.
When the user creates a new PSK, in addition to contact details, Tx.py generates a 256-bit salt and prompts the user to enter and confirm a password that protects the PSK during transit. An encryption key is derived from the password and salt using PBKDF2-HMAC-SHA256 over 65536 iterations, and PSK is encrypted with that key using XSalsa20-Poly1305. The salt, nonce, ciphertext, and tag are written to PSK file.
The recipient who adds PSK to their RxM now uses command /psk that replaces the old command /rxkey. Rx.py then parses salt, nonce, ct, and tag from PSK file, and then asks the user for the password to decrypt the PSK. If the user enters the correct password, the key and contact details are added to RxM, keyfile is shredded and the user is advised to physically destroy the transmission media.
Delivery of PSK password should be split over multiple media.
Tx.py now prompts the user to enter and confirm the RPi SSH password the first time the connection is established. The password length is protected by padding it to the next 255 chars before it's the master key using XSalsa20-Poly1305. The resulting ciphertext is stored into file .ssh_login_data.
The user can now select a group for trickle connection (must be created before trickle connection is enabled from Tx.py configuration).
When the user adds a contact, they must now specify account of the user, associated with the account of the contact. When combined with Tails configuration for NH and Tor-hidden service XMPP server, this can effectively hide the metadata about group structure. For example, Alice could communicate to Bob and Charlie using separate accounts for both, and Bob and Charlie could do the same for the three. In such case, the contact list itself does not leak metadata about the structure of communicating parties' network.
The last unencrypted command (screen clearing) is now encrypted to prevent DOS of RxM in cases where NH is compromised. NH side screens are cleared with additional unencrypted command when trickle connection is not enabled.
Enabled shell escaping for all shell-commands with variables. All inputs for shell commands come from the user by design and are thus trusted. Enabling it, however, prevents shell-injection of RxM by typing commands to Tx.py. This is unlikely an issue as any physical attacker can type commands on RxM screen.
Added command /reset that resets Tx.py, Rx.py, and NH.py terminals. Reset also clears the ephemeral message history of session for active contact/group. All messages for that conversation that are not logged are lost for good; Use /clear for temporary screen clearing when you need a clean table or if you detect non-threatening shoulder surfing and /reset when the conversation needs to be removed.
The hash ratchet counter is no longer an unauthenticated plaintext counter, but an XSalsa20-Poly1305 encrypted, eight-byte value that is prepended to packet. This removes metadata datagrams in IM client without OTR-protocol would otherwise reveal about the number of sent packets, and removes the DoS attack vector in RxM from third parties (TFC is still vulnerable against frenemies, but they can be removed altogether from TFC.)
Rx.py finally features separate windows or tabs for each conversation, including one for issued commands. If a message is received into an inactive window, either the message or a notification about the message is temporarily displayed. The duration of the notifications can be controlled with the setting new_msg_notify_dur. Information about commands is also temporarily displayed on the screen before moved into the command window. This helps keep conversations free from clutter.
Some warnings and notifications are not stored in the temporary message log, and they disappear when the user changes window by selecting same or another conversation with /msg command, or by opening the command window with /cmd or //.
The user can check if they have messages on unread tabs by typing either command /unread or (single space).
Moved from 72 hex char public keys to Bitcoin Wallet Import Format where keys are Base58 encoded and come with integrated SHA256 based checksum. Base58 encoding reduces the length to 48-50 chars that do not look like one another (unlike in the case of Base64).
When Alice creates a group, her Tx.py asks her if she wants to send an invitation to group members. The invite will contain a list of members she added to the group, and it is displayed by Rx.py of invited members. Joining users must manually create a group with the same name using their TxM, that will share the group with RxM.
If Bob creates the same group and sends a list of members he added to Alice and Charlie, Alice will get a notification "Bob has joined the group", while Charlie (who Alice did not add) will get an invitation to group. Alice and Charlie will see that Bob has added the other to the group, so they know to add each other as contacts and later, to the group.
When Alice adds new members to the group, her Tx.py asks if she wants to send a list of added members to existing members, so they can synchronize their side of the group. Members added to the group will receive the same invitation that members who are invited to the new group get.
When Alice removes Charlie and David from her group, her Tx.py asks if she wants to send the list of removed members to remaining members. That way, the remaining members are aware that she is no longer receiving or sending messages to these contacts. Removed members never receive notification about being removed. The only thing that happens is, Alice's Tx.py stops sending messages to removed contacts, and her Rx.py stops showing messages from these members directed to the group's conversation window. Removed users can still exchange private messages with Alice. To block this, Alice should block the contacts in IM client.
When Alice removes the group, Tx.py asks if she wants to send members of the group a notification that she's no longer sending messages to group or receiving messages from them. If she sends the notification, Rx.py of receiving contacts also warns the contacts, that unless they themselves remove Alice from their group, their Tx.py will keep sending the group messages to Alice, who could regardless of group exit message, still be decrypting and reading the group messages. All Alice needs to do is join back to the group, and not send a notification about it.
Preventing the user from doing this is comparable to sender based control, something that is not just snake oil, but impossible to achieve with free and open source software. The only way to prevent the user from receiving and decrypting messages from contacts when the parties by design share keys, is not to send messages to the user in the first place.
The user can now enable logging and file reception for groups with commands
/logging on <group name>
/store on <group name>
By default, the latter allows everyone in the group to send a single file to the user. Automatic disabling of file reception can be disabled by setting auto_disable_store to False.
Local testing uses now uses Terminator, that is installed alongside TFC. Tx.py, Rx.py, NH.py (and dd.py) are launched from one of two desktop entries:
TFC (Standard TFC local testing layout)
TFC DD (TFC local testing layout with data diode simulators)
Rx.py now displays public keys after the local key has been delivered to RxM. Screens are cleared for each step to make them easier to follow.
When Tx.py/Rx.py is unable to show Tkinter dialogs (for example, when Tx.py is used as blacker over SSH from a local network that sits behind TxM-NH data diode), Tx.py no longer demands the use of default directories, but asks the user to type the desired path over CLI (tab-complete is supported).
/names command no longer shows ID, but instead, account, nick, key exchange type (Curve25519 or PSK) and whether logging is enabled or disabled.
The user can now directly select group from select contact command or use nick instead of account to select a contact. Tab complete is supported.
This means better synchronization with TxM and RxM data in the future. It works even with trickle connection.
Most of the variables in configuration were changed to more descriptive. New static length naming is easier on eyes.
TxM/RxM/NH configurations for *buntu configurations now feature desktop entries and Terminator profiles. Each installation features their own layout and profile. Previously existing profiles will not be overwritten.
Switched from os.system("clear") that caused issues with Ubuntu 16 scrollback to VT100 control codes that remove the problem.
VT100 control codes are now also used to remove repeating questions (removes clutter), to move key input guides below text, to auto-complete previous lines (nick, key exchange choices, y/n answers etc). Notifications about file transfer and random delays when long_packet_rand_d is enabled, also have much cleaner notifications.
Group files:
Group files have been removed. Instead, all groups and values in fields that contain a list of members and a log setting for the group are stored in a fully padded format to file .tx_groups or .rx_groups.
Keyfiles: The "Keys" folder and aside PSK delivered to contact, all keyfiles have been removed. Keys are instead stored in the contact database.
Logfiles:
The "Logs" folder and log files have been removed. Instead, all messages for all contacts are stored in a padded state into the file .tx_logs or .rx_logs. The logged data is not the assembled data, but the plaintext form of each assembly packet. This prevents metadata leaks from observing the ciphertext. Messages are parsed from assembly packets when the log file is viewed with the command /history or exported with the command /export (requires confirmation from the user).
Database files: The database file is like group file, each field is padded separately to hide contact specific plaintext length. The contact database is padded with dummy contacts that contain dummy data. This protects from an adversary who gains physical access, from deducing metadata about the user. The database holds the following information: -account of contact -account of the user (TxM only) -nickname of user -key for sent messages -key for received messages (RxM only) -hash ratchet header key for sent messages -hash ratchet header key for received messages (RxM only) -hash ratchet counter for sent messages -hash ratchet counter for received messages (RxM only) -logging setting for contact -file reception setting for contact (RxM only) -window notification privacy setting for contact (RxM only)
The sampler program hwrng-nacl.py was renamed to hwrng.py.
New input_validation function that gracefully exits and gives more details: Example:
ERROR! Second parameter of function 'g_mgmt_print()':
Got <type 'list'> instead of <type 'str'>.
The code for group management was improved significantly by changing For-loops into set operations among other things (Tx.py and Rx.py).
Simplified data type carrying in Tx.py.
File packet loading and delivery time evaluation was completely rewritten.
Plaintext data fields are now separated using non-printable Unit Separator character (0x1F). This reduces overhead and greatly clarifies structure.
Account name string on Rx.py no longer carries trailing .ld / .rx, but separate origin parameter (u for user and c for contact) is passed to each function.
Removed need for exit queue by adding a periodical check if the child processes are alive, and exiting gracefully if they are not.
Added even more unittests. Running unittests now warn they remove all TFC user-data, and ask for confirmation before running.
Removed need for interface configuration packets sent by Tx.py during launch. NH.py now uses any packet to configure serial interface directions before forwarding it to Pidgin and/or RxM.
During start, Tx.py, Rx.py, and NH.py wait until missing USB-to-RS232 adapters have been connected before proceeding.
Tx.py, Rx.py, and NH.py no longer crash when USB-to-serial adapter is removed. Tx.py won't send further packets until the adapter is reinserted. Rx.py won't read packets until adapter has been reinserted. NH.py won't send packets to NH until both interfaces have been reinserted and the interface for TxM has been determined by any packet from TxM. All three programs can remap interfaces regardless of device name assigned to it by the OS (/dev/ttyUSB#, where # changes unpredictably). To ensure the mapping works, make sure there aren't additional USB-to-Serial adapters connected to any of the computers TFC uses.
In the situation where cables are crossed over, e.g. when the user changes the data diodes to opposing serial interfaces on NH (something the unidirectional interfaces can't detect), NH assumes it's outputting to RxM, while in fact, it's sending messages to TxM. In such situations packets will be lost until NH.py learns about the crossover by receiving a packet from TxM; NH.py listens to both interfaces for TxM data, and it automatically changes the port to RxM to the other interface, resolving the issue.
An exception to packet loss is during start when NH.py doesn't yet know which interface connects to TxM. The process that outputs messages to RxM, therefore, waits until user sends a packet from TxM. When that happens, NH.py maps the interfaces, and the process then outputs sent and received packets from the queue to RxM in order.
Depending on the quality of serial interfaces and data diodes, transmission errors might occur occasionally. TFC now uses Reed-Solomon error correction to detect and fix errors and missing data. A simple setting e_correction_ratio is provided to users. This number describes the maximum number of byte errors in transmission that can be recovered from.
The reference data diode design appears to remain stable with baud rates of 19200, this doubles the speed.
Changed the integrated serial interface of Raspbian to /dev/serial0.
NOTE: While this makes it possible to run TFC on Raspberry Pi 3, these devices have wireless network interface embedded within the processor. This makes Raspberry Pi 3 impossible to physically air-gap, thus using it is NOT secure.
Tx.py now shows the progress of key generation over SSH.
TFC no longer loads multiple 256-bit keys but instead specifies the amount of entropy that is required (varies between 256 and 768 bits). This speeds up key generation, and multiple SSH connections are no longer necessary.
Tx.py now checks accounts against regular expressions. This is generally bad practice with emails and XMPP accounts, so the rule set is just
<something>@<something>.<something>
This check ensures the user does not use reserved account name for the dummy accounts that are used as padding in the database.
Tx.py no longer asks for NH bypass during key exchange. This feature is mainly needed for local key delivery where remote exploitation of NH can be combined with a keylogger or visual collection. If root local key is compromised, all keys can be accessed from NH. Therefore, it's still useful to send encrypted local key directly from TxM to RxM. NH bypass messages now halt Tx.py only twice during the entire procedure (second time after confirmation code has been typed).
Tx.py no longer encodes sent file to temp file before reading it, but reads data into memory and converts it there. This helps when sending large files, but since file transfer is already slow due to design limitations, it won't do much good. Tx.py now uses zlib to compress (maximum compression setting) the file prior to encoding. This also saves some time depending on the entropy of sent data.
Tx.py no longer appends hash of file data, but prior to encoding generates a 256-bit key from /dev/urandom, that will be used to encrypt the file data. Encrypted data is then concatenated with the key. The benefit is, the decryption key will be sent to the recipient in the one or two last packets, meaning if the user e.g. cancels file transmission to a wrong recipient, the file can not be decrypted. Long messages are also encrypted with additional layer and trailing key.
The file packet estimation counter was completely rewritten and is now much more accurate. Delivery time estimation now scales up to 29d 23h 59m 59s.
Tx.py also shows more detailed information about the preprocessing of sent file e.g. loading, compression, encryption and delivery time evaluation).
Tx.py no longer allows sending files with /file /path/to/file. Instead, the file is selection is opened with the command /file, after which either GUI prompt (or if that's unavailable or disabled by setting disable_gui_dialog to False, tab-complete supported CLI prompt) is displayed.
New contacts are from now on always added with the command /add. Depending on which parameters user adds, Tx.py will interactively ask other ones:
/add [email protected] [email protected] alice ecdhe* asks to use HWRNG (if avail.)
/add [email protected] [email protected] alice also asks key exchange
/add [email protected] [email protected] also asks nickname
/add [email protected] also asks user's account name
/add also asks contact's account name
Please note that you can't skip parameters!
Giving command
/add [email protected] [email protected] ecdhe
assumes Bob wants to set nick as ecdhe, and asks for the key exchange
*Key exchange can be
-
eorecdhefor Curve25519 elliptic curve Diffie-Hellman -
porpskfor pre-shared XSalsa20-Poly1305 keys.
-
Fixed issue where long messages sent by Tx.py were not logged.
-
Fixed issue where Tx.py did not log any messages during trickle connection.
-
Fixed issue where the user can set contact's nickname as contact's account or as a name of a group during contact creation.
-
Fixed issue where canceling long msg/file transfer to a group doesn't cancel transmission to rest of contacts.
-
Added graceful exit for SSHError when IP is the same as TxM.
-
Added graceful exit for when hwrng.py is missing from Raspberry Pi's home directory.
NH can now send messages from multiple Pidgin accounts to contacts.
-
NH.py no longer crashes if Pidgin is not started first. Instead, it waits until DBus connection to enabled account in Pidgin is established, and then proceeds with startup. DBus has a timeout, however.
-
Fixed crash when NH.py is started while Pidgin is running but no account is logged in.
-
Fixed issues with error printing.
-
Fixed issue where no serial-interface is available for Raspberry PiNH.
-
Fixed crash when Tx.py sends clear screen command to NH.py with no account selected. An example of such situation is when an empty group is selected.
-
Moved to single startup animation based on login screen's curses animation. Animation scales according to terminal size and can be skipped with CTRL+C.
Messages for contact are now dynamically wrapped to screen according to the window size. Nicknames are dynamically updated, and date changes are displayed between messages. Messages are indented in front of the time stamp. Together these make a huge difference to usability compared to previous versions:
Moved from confusing messaging layout
10:20 Me > Alice: Hi Alice
10:21 Alice: Hi Bob!
Changed [email protected] nick to alice.
to
10:20 Me: Hey Alice
10:21 Alice: Hey Bob!
10:22 -!- Changed [email protected] nick to alice. // this message is displayed only temporarily
that's easier on eyes as recipient's nick isn't always next to the message. The previous style was required, as all messages sent to all contacts were displayed in the same window, and the user had to be able to tell to whom their message was delivered to. Me is no longer allowed as a nick: this is to prevent confusion about the author of the message. RxM-side log files use the same layout.
The messages displayed are now word-wrapped and long messages have extra room between prints.
When the user initiates new ECDHE key exchange, Rx.py displays the latest public key received from contact during the session. The user no longer needs to scroll RxM terminal up to find the public key.
Rx.py now resets the terminal when the local key encryption key is correctly input. This removes backlogs with the intention of hiding the sensitive key decryption key. If local testing is enabled and the key was pasted to Rx.py from Tx.py, Rx.py clears the clipboard.
-
Fixed issue where maliciously crafted invalid file header would crash Rx.py.
-
Fixed issues with nickname indentation with variable length encoding.
Renamed hwrng-nacl.py back to hwrng.py as CEV/OTP versions use their own file names, and as CEV/OTP versions are slowly removed/integrated.
hwrng.py allows three key sizes to be loaded from GPIO-HWRNG: 256, 512 and 768 bits.
setup.py now detects if OS is Raspbian or Ubuntu derivative and allows the user to choose between four configurations. Unsupported OSs exit setup.
| Selection # | Raspbian | Ubuntu |
|---|---|---|
| 1 | TxM | TxM |
| 2 | RxM | RxM |
| 3 | NH | NH |
| 4 | HWRNG | Local testing |
setup.py will also detect Tails installation configuration and initialize the NH configuration setup automatically. Note that Tails installation configuration is not run as sudo.
When setup.py is run, the TFC public key and the digital signature for setup.py are downloaded automatically. It is up to the user to choose whether to verify the signature first or after installation by importing the key and running
gpg --verify setup.py.asc setup.py
The user shouldn't trust software downloaded from the network is actually downloading the correct public key. The only way to trust the signature verification key is by having prior knowledge of the authentic fingerprint (never use the short version) from the authentic source, e.g. from face to face meeting with the developer or via trustworthy Web-of-Trust.
Apt shows download progress more clearly.
Apt-commands and library downloads are now shuffled with CSPRNG when selecting TxM/RxM configurations. As the window of opportunity to remotely exploit TxM starts the second user downloads setup.py, this only delays detection of installation of those users who have obtained setup.py via sneakernet or different Tor session, where they weren't deanonymized.
TxM/RxM/HWRNG configurations for TFC can now be installed with single line:
TxM:
sudo echo && wget https://raw.githubusercontent.com/maqp/tfc/master/setup.py && sudo python setup.py 1
RxM:
sudo echo && wget https://raw.githubusercontent.com/maqp/tfc/master/setup.py && sudo python setup.py 2
NH:
sudo echo && wget https://raw.githubusercontent.com/maqp/tfc/master/setup.py && sudo python setup.py 3
HWRNG (Raspbian) or Local testing (Ubuntu)
sudo echo && wget https://raw.githubusercontent.com/maqp/tfc/master/setup.py && sudo python setup.py 4
The reason sudo echo is run is to not waste time writing sudo password after setup.py has been downloaded. While sudo wget would be equally fast, running wget as root is not a good idea. setup.py should be run as sudo because that way it has the permission to run sudo ifconfig # down for all network interfaces. Ethernet cable should be disconnected once installer tells the user to do so. All wireless network cards must be removed before TFC is installed on TxM/RxM.
HWRNG installation configuration now automatically sets RPi static IP 192.168.1.2.
TxM configuration for *buntu asks the user if they will connect to RPi HWRNG over SSH. If the user does this, setup.py will wait until at least one ethernet device is connected, and then asks the user to enter the one to be used (tab-complete supported). It then enables static IP 192.168.1.3 for TxM and restarts the network interface.
Setup.py now enables execution permissions on .py files, so they can be run with
./<program name>.py
Setup.py now scales (if supported by the terminal) the terminal to fit all configurations in the main menu.
-
Removed
from x import ystyle imports to avoid conflicts in namespace etc. -
Refactored code here and there.
-
Added more unittests. test_tx.py and test_rx.py now evaluate XSalsa20-Poly1305 implementation in PyNaCl using official test vectors by djb. Unittests can now be run from RPi over SSH.
-
Improved CLI here and there.
-
Banner can now be skipped with Ctrl+C
-
User can now send an encrypted command to RxM with the command
/rxkeythat opens a file prompt. This allows the user to load the PSK for the contact without turning off Rx.py. -
Added setting
show_file_promptsthat by default opens a storage prompt where the user can store contact's PSK. When false, keys are stored inkeys_to_contact. -
Resolved the
CTR mode needs counter parameter, not IVissue with Paramiko's SSH connection with AES CTR mode. -
Disallowed
:and/chars in accounts to fix crashes. -
Reversed PSK and ECDHE key choice answer to more intuitive order.
-
Fixed issues when sending dotfiles.
-
Changed trickle delay's time's constant delay time exceeding from critical error to a soft warning. Raspberry Pi tends to send the first packet with greater delay. The user will now be prompted to increase
trickle_c_delayif the problem persists.
Opens a file prompt when /rxkey command is sent by TxM. This allows the user to load the PSK for the contact without turning off Rx.py.
Fixed issue where missing rx.<account>.e key on RxM crashes Rx.py when /logging on <account> command is issued from TxM.
Opens file prompts based on keyfile change commands.
Added preinstalled hashes of tested (not audited) crypto libraries.
Improved SSH configuration during installation.
Added NH installation configuration.
Reduced the window of compromise time to minimum: setup.py now first downloads apt-packets. It then downloads and verifies crypto libraries and TFC. Finally, the installer runs sudo ifconfig down on every interface excluding lo, listed by ifconfig -a, before extracting and building libraries.
Fixed issues with file permissions when running the installer as superuser.
Renamed hwrng.py to hwrng-nacl.py in case multiple versions of TFC (CEV/OTP) use same RPi to load entropy from HWRNG.
dd.py now automatically re-sizes terminal window to a proper size.
In the initial bootstrap, Tx.py generates a 256-bit local key and 256-bit key encryption keys with separate processes, where 32-byte /dev/urandom string is hashed with SHA3-256 (simplesha3 library), that is then passed through 25k iteration PBKDF2-HMAC-SHA256. If Tx.py is run on a Raspbian (Raspberry Pi), the user can mix entropy from free hardware design HWRNG, connected to GPIO 4 of the SoC board into the PBKDF2 function. Entropy is sampled with 10Hz frequency and Von Neumann whitened during sampling. Once the Von Neumann samples have been collected, the 256-bit entropy is compressed using the SHA3-256 hash function. If Tx.py is run on a computer that has a direct ethernet connection to Raspberry Pi with GPIO HWRNG, Tx.py can SSH into that computer using Paramiko library, and query entropy with program hwrng.py.
The local key is padded to 254 bytes and encrypted with the key encryption key using PyCrypto library's XSalsa20 stream cipher (192-bit nonce), and 128-bit Poly1305 MAC. The signed ciphertext is transmitted to RxM through data diode. The user can choose whether to leave data diodes connected to NH and let signed ciphertext pass through, or whether they want to transmit keys directly from TxM to RxM by connecting serial interfaces that way. Such configuration prevents the adversary from obtaining the signed ciphertext from NH in case it has been compromised at this point.
RxM will then ask the user to manually type the 64 hex char key decryption key displayed by TxM. The key decryption key is concatenated with 8 hex char checksum, that is the truncated SHA3-256 hash of the key decryption key. Once the 72 char hex key has been typed to Rx.py, the program decrypts the local key, adds it to the database, and shows a two char hex code that lets TxM know local key delivery succeeded. This is a pre-requisite for the next step, where account data/keys are transmitted to RxM, encrypted with the local key.
If RxM does not receive the encrypted local key, the user can send the packet again by typing "replay" instead of the device code. The local key transmission can later be redone with command /localkey.
The user is guided when adding the first contact. Tx.py first prompts for an account, e.g. [email protected] and a nick. Empty nick uses nick Alice (automatically parsed from the account). Tx.py asks the user to confirm account and nick (choosing no jumps to the beginning of account creation). After this Tx.py prompts the user to choose key exchange method:
Use PSK instead of ECDHE (y/n)?
PSK is explained later so here we choose n (=no) to start ECDHE key exchange.
Tx.py generates a Curve25519 ECDHE private key by with PyNaCl's PrivateKey.generate(), that has been modified to XOR in either bitstring of 256 zeroes, or if provided, 256 bits string of external entropy. Tx.py always provides the external entropy:
ext_ent = PBKDF2-HMAC-SHA256(SHA3-256(32-bytes from /dev/urandom, salt)).
If Raspbian with HWRNG is available, Tx.py will add the salt to PBKDF2-mix:
salt = SHA3-256( Von Neumann whitening (HWRNG samples))
The number of samples is dynamic and depends on results. This ensures SHA3 always takes in 256 Von Neumann whitened samples. If HWRNG produces bad entropy i.e. a chunk of just zeroes/ones, they are not added as samples.
PyNaCl's PrivateKey.generate()'s own entropy is loaded after external entropy is provided, thus even if external entropy adds zero entropy, it does not weaken the overall security, as in such case it would be the equal of XORing PyNaCl's entropy with bitstring of zeroes.
Once the final entropy has been generated, PyNaCl will use it to create a private key object.
Tx.py generates the ECDHE public key from the private key object and transmits it to the recipient's RxM. Once the 64 hex char public key of contact has been received by Rx.py the program shows it concatenated with an eight char hex checksum like the one in the local key. The user must manually type the 72 hex char string to TxM. The manual process ensures no automated data channel from the network can infect TxM after setup.
Once the key has been successfully entered, Tx.py will ask the user to use Signal by Open Whisper Systems to verify the authenticity of contact's public key.
MITM against OTR session is possible if the adversary has exfiltrated respective keys from endpoints of users. If users find out during Signal call that the public keys have been generated by a man in the middle, they do not have to throw in the towel. Instead, users can read the public keys to each other over Signal, manually type in the new public key and effectively bypass the MITM in the network. Once the public key has been successfully typed, Tx.py will log the public keys for later, higher assurance verification is done face to face. This also enables retrospective detection of MITM, if for some reason users are unable to verify the authenticity of public keys during key exchange.
TxM is the only device that receives no automatically input data after setup, so it is the only device trusted to generate secret keys. Tx.py will generate two symmetric keys (one for encryption, one for decryption) by concatenating ECDHE shared secret with one of the public keys and passing them through PBKDF2-HMAC-SHA256 (25 000 iterations). This is mandatory for the forward secrecy to work. Forward secrecy is obtained by passing the encryption keys through PBKDF2-HMAC-SHA256 (1 000 iterations) between every message. Were the ECDHE shared secret used as the symmetric key for communication in both directions, offset in key derivation could lead to decryption of collected ciphertexts by iterating physically compromised key, that lacks behind in PBKDF2 iterations.
Once the symmetric keys are generated, the account details are encrypted and signed with XSalsa20-Poly1305 using the local key and transmitted to RxM, where the contact is automatically added. While this packet doesn't differ in any way from encrypted command, the user can still choose to prevent NH from receiving the ciphertext by plugging the TxM's data diode directly to RxM once the public key of contact has been received to RxM. During this period any message sent by contacts is not received. Dropped packets do not cause de-synchronization of keys, as each packet contains the number of times Tx.py has iterated the initial symmetric encryption key with PBKDF2. This means both receiving devices can catch up with the Tx.py's key. If Rx.py detects dropped packets, it will display the catch-up progress. KeyID introduces a DoS attack vector where packets with great keyID block Rx.py from operating. This would, however, require a MITM attack against the OTR, or messing with the NH; Such DoS would blow the cover of the high-strength attacker. A more covert DoS can be mitigated from within the network or IM server, so this attack is an unlikely problem. Were this evaluation incorrect, an efficient fix would be to use a separate static MAC key that signs the keyID. For now, it is not implemented. It should be mentioned that this DoS attack can also be mitigated by frenemies, but they are easy to block from the IM client.
Additional accounts can be added using commands
/dh <account>( <nick>)
and
/add <account>( <nick>)
While TFC-NaCl is all about convenient public key crypto with exfiltration secure private keys, it's security will not hold in the long run. Quantum computers are making their way albeit slowly, and in the future, any symmetric key agreed using Curve25519 ECDHE will be broken. The only public key algorithm secure against Shor's quantum algorithm is McEliece with Goppa Codes. Long-term security would require users to type in 1 000 000 bit public keys, which is highly inconvenient regardless of encoding used. As an initial answer to quantum computing, TFC-NaCl retains the possibility to create pre-shared symmetric keys for quantum-secure 256-bit XSalsa20-Poly1305:
Answering yes to PSK question, in the beginning, will create symmetric keys with PBKDF-HMAC-SHA256 (25 000 iterations), using SHA3-256(urandom(32)) as password, and if HWRNG connected to Raspbian (SSH or not) is available, by using SHA3-512(VN(256-bit HWRNG entropy)) as salt.
The contact's account, nick and the symmetric key for local decryption are sent to RxM, encrypted with the local key (again, NH doesn't have to be in between if the user so prefers). Tx.py then prompts the user for his or her account name.
If Alice is adding [email protected]as contact, a copy of her symmetric key is generated for Bob, and conveniently placed inside folder "PSKs", under the name
[email protected] - Give this file to [email protected]
Alice must then take a never-before-used thumb drive, copy the PSK to that and give it to Bob in a face-to-face meeting. Bob must also have generated a PSK for Alice in advance. Once Alice has received the thumb drive from Bob, she plugs it into her RxM (NOT TxM), and copies the
[email protected] - Give this file to [email protected]
keyfile to folder "keys". She must then restart Rx.py. Rx.py automatically strips the trailing instruction from the keyfile and adds Bob as a contact. Since keys for encrypting messages to Bob are already installed, once Bob has copied keyfile generated by Alice to his RxM, they are ready to communicate.
To ensure forward secrecy and privacy of messages, both parties MUST ensure the thumb drive given by their contact is physically destroyed immediately after keys have been added.
If contacts have already been generated, new PSKs can be generated with the command
/psk <account>( <nick>)
- Change of version style to 0.16.01 (0.YY.MM).
- Fully PEP8 compliant coding style/variable naming.
Local testing of TFC with a single computer now uses multiprocessing sockets instead of files. This reduces i/o errors also means fewer files in TFC root directory.
Added a program (dd.py) that emulates data diodes on screen. The user needs to enable dd_sockets boolean in Tx.py and NH.py with the argument -d before this can take place. Each dd.py program is launched with a set of arguments so that they know which sockets to use and to what direction data visually flows between terminals. An example set of commands that launches TFC on *buntu is
gnome-terminal --title='TxM' --geometry=100x35+0+630 -x sh -c "python /dir/Tx.py -d -l"
gnome-terminal --title='NH' --geometry=71x41+920+150 -x sh -c "python /dir/NH.py -d -l"
gnome-terminal --title='RxM' --geometry=100x20+0+0 -x sh -c "python /dir/Rx.py -l"
gnome-terminal --title='dd' --geometry=25x12+740+630 -x sh -c "python /dir/dd.py txnhlr"
gnome-terminal --title='dd' --geometry=25x12+740+425 -x sh -c "python /dir/dd.py nhrxlr"
Setting keyboard shortcut or alias for each of these makes local test startup fast.
User's device configuration is asked during installation. This will configure Tx.py, NH.py and Rx.py to look for either integrated ttyS# (or ttyAMA0in the case of Raspbian) serial interface, or for a USB interface ttyUSB# if the user decides to use those. The serial interface numbering is finally automatically detected, so if the user accidentally pulls out serial interface, the user doesn't have to manually edit the interface if OS remaps /dev/ttyUSB0to /dev/ttyUSB1.
Removed the need to run NH.py with -f flag to flip interfaces: Tx.py will send a serial interface configuration packet to NH.py during start. In the event NH.py has mapped TxM and RxM in opposite interfaces, initial listener processes detect Tx.py's configuration packet (or any packet for that matter), and map correct interfaces to TxM and RxM.
Moved location of group files, keyfiles, received files and logfiles to respective folders. Renamed txc.tfcand rxc.tfc to dotfiles .tx_contacts and .rx_contacts. The only TFC files visible in software root directory are .py files (and syslog.tfconce it's first generated).
In the future, this prevents interoperation with older versions of TFC. It allows fingerprinting of users (only if NH is remotely exploited or OTR is being MITM attacked / not used) but forces users to keep up with security updates. New protocol uses more simple and mature separation of payload components.
input_process() now prepares all data to packets with length in the range [0, 253] and puts the data into message or file queue. The queue is periodically read by sender_process() that opens a thread that pads, encrypts, signs, adds headers and outputs messages. XSalsa20-Poly1305 algorithms are designed to run constant time. The system time in ms is recorded immediately before function starts; Once the function finishes, the timestamp is passed to function trickle_delay() for evaluation. This function will then sleep the difference between Thread runtime and value trickle_c_delay to hide platform speed. Platforms should not introduce problems, as older Raspberry Pi (generation 2), only takes about 400ms to encrypt a message, leaving 1600ms headroom for slower SoC boards.
Changed random sleep to use /dev/urandom instead of Python math.random. The CSPRNG prevents statistical attacks that might be able to calculate the internal state of math.random's Mersenne Twister state to detect whether communication takes place. When print_ct_stats boolean is enabled, Tx.py shows the statistics about how long the message/command output thread ran, how long constant time sleep was added, and how well the constant time matched trickle_c_delay: Average error in constant time delay was 2ms so the CSPRNG based random sleep will hide the slight differences effectively. Tx.py will gracefully exit if thread runtime exceeds trickle_c_delay.
The packet_delay used to prevent congestion / IM server spam with long messages is now also constant time, to prevent slower data transmission with slower devices. The default value is 500ms which should be enough to hide metadata about TxM device performance and make hardware fingerprinting harder. This also makes the prediction of file transfer duration easier.
Logging can now be enabled for individual contacts with command /logging {on,off} <account>. When logging is enabled, in addition to automatic logging of public keys, Tx.py will also log messages sent to contact. This allows the two users to manually audit whether malware has at some point infected RxM device(s) and substituted words in log files, by cross-comparing the clean TxM logfile of Alice and purported RxM logfile of Bob, and vice versa. Rx.py also stores information about dropped packets. Malware that replaces received messages with notification about the dropped packet is harder to detect; offline record keeping might be required.
Changed CRC32 checksums to truncated SHA-256 hashes (8 hex = 32 bits) so data diode error detection accuracy can be tweaked at will by changing variable checksum_len. The checksum doesn't have any effect on security: it only detects transmission errors inside data diode.
Converted classes to functions to fit with functional programming style. The program is now much more structured and easier to audit. Added processes that exchange data via queues. DBus / purple should no longer output error messages, nor should they drop packets. NH multiprocessing now cleanly exits.
/file 1.txt still sends the file from TxM directory. Absolute paths can also be defined. Non-TFC filenames in Tx.py directory are now included in the tab-complete list. Command "/file" opens a file dialog for easy file selection. Tx.py will first encode file data to base64 and load it into memory. It'll evaluate and display an approximate amount of packets and time required for file transfer, based on delay settings.
File data is prepended with a header that contains the name, extension, file size and estimated number of packets and delivery time for transfer. This information is displayed to the recipient after the first packet of the file has been received. File reception must be enabled.
The user can control global file reception by setting boolean file_saving
to True.
/store {on,off} enables/disables file reception for all contacts
/store on [email protected] enables file reception for just Alice
By default, boolean setting a_close_f_recv is True. This means file reception for Alice is closed automatically after the file has been received. When the variable is false, file storage will remain open until the user enters
/store off [email protected] or
/store off
During trickle connection, messages and files can be canceled with commands /cm and /cf. Already sent data is out of control of the user. Rx.py will discard received data when it receives cancel packet / new message/file, but this is a convenience feature, NOT a security feature. Sender-based control is snake oil: Nothing prevents the receiver from modifying their Rx.py to show/log partially transmitted data. The only solution to this would be to offer closed source version of TFC, which would defeat all security FOSS software is designed to offer.
Since the base64 encoding of transmitted files depends on TxM of contact, a frenemy could still send malware to user's RxM. Thus, the entire manual decoding feature was removed. The file is no longer generated with subprocess. This prevents shell injection with custom file names that would have otherwise become possible.
File data during trickle connection is loaded from a separate queue that has lower priority than message queue. This means that users can still exchange messages during file transmission: file data is output to contact when there are no messages to output. File data is indistinguishable from messages to NH, IM client, IM server and any adversary who might observe data from these systems. During trickle connection, it is extremely hard to determine whether the user is sending noise data, messages or files. No guarantees can, unfortunately, be made. Timing attacks are prone to side channel attacks anywhere from NH/smartphone microphone to the user moving the mouse on NH. Python is also a high-level language, which has its own problems.
Added arguments for Tx.py, Rx.py, and NH.py to control many settings from the command line. View arguments by launching the program with -h or --help flag.
Packet length was hardcoded to 254 to ensure everyone uses the same value, and to minimize the chance of errors when sending encrypted commands.
Wrote unittests for Tx.py, Rx.py, and NH.py to reduce the number of bugs. Created custom error classes for some functions for this purpose as well. Unittesting is a work in progress, so while TFC is more stable than ever, no guarantees are made.
I want to thank Tom Wallroth for his awesome work. I had so much fun editing his project to fit print_banner(). I'll leave the details of style as a surprise, check it out.
Installer now uses SHA256 instead of SHA512. As collision resistance against quantum computers is still 128 bits. The reason for this was the simplified import of file hashes when making changes.
More authentication was added with Trust-on-first-use (that being me) hashes for most downloaded libraries (PIP has no authentication). Provided that you can verify the setup.py's authenticity, you can detect MITM against crypto library downloads.
Added installation configuration for HWRNG Pi that TxM connects to over SSH. Ensured support for *buntu 16.04 OS and fixed issues with Lubuntu/Xubuntu in previous versions. Dropped NH support for Fedora and OpenSUSE and added it to Raspbian Jessie. Ensured NH configuration works with the latest release of Tails (2.2.1).
Changed installer naming style, instead of tfcOTPinstaller.py, it's just setup.py (run it as sudo).
-
Updated abstract
-
Changed CEV description, added proof of security for cascading cipher configuration
-
Added description of HMAC-SHA2-512 and SHA3-512 MAC
-
Upgraded network flow graph and attack graph
-
Updated key generation chapter
-
Updated abstract
-
Updated software settings
-
Updated software screenshots
-
Added URL source that helps the user to connect Pidgin to Tor hidden service (XMPP server)
-
Upgraded all hashes from Keccak-256 to Keccak-512.
-
Upgraded Keccak-CTR PRF from 256-bits to 512-bits.
-
Upgraded Keccak-CTR key length from 256-bits to 512-bits.
-
Upgraded cyclic hashing of keys to also use Keccak-512: This should ensure keys stay secure over time.
-
XSalsa20, Twofish-CTR and AES-GCM use only 256 first bits from 512-bit keys.
-
Added SHA2-512 HMAC and SHA3-512 MAC (Keccak). These two MACs are concatenated to the cascaded ciphertext and GMAC and are independently verified using a constant time function. All three MACs need to be correct before the decryption takes place.
SHA-3 is immune against length extension attacks, thus the nested HMAC construction is not needed. However, according to paper* by Mostafa Taha and Patrick Schaumont, the optimal length of Keccak MAC-key is as close to (2 * rate - 1) as possible but not over the value. In the case of Keccak-512, the optimal key size is
(2 * 576 - 1) = 1151 bits ~ 143 bytes (1144 bits).
*http://rijndael.ece.vt.edu/schaum/papers/2013hosta.pdf
-
Added self-test functions for both MAC algorithms.
-
Upgraded key generation process:
-
Sampling speed is now set to 2000Hz: it no longer depends on RPi clock speed.
-
getEntropy now works without KeyboardInterrupt: Program now loads 1 500 000 samples over the period of ~15 minutes and exists.
-
Changed key generation process (pseudo-code):
-
old construction:
entropy = (VN(VN(HWRNG samples))) ⊕ /dev/(u)random
Keccak256(common kb-entropy input + entropy)
> independent 256-bit key (Keccak-CTR)
> independent 256-bit key (XSalsa20)
> independent 256-bit key (Twofish-CTR)
> independent 256-bit key (AES(GCM))
As Von Neumann whitening requires HWRNG sampling to be a Bernoulli process, it was requested a single layer of compression with a hash function would be added between them. For feces and jollies, added two, plus a third VN whitening pass. New construction:
entropy =
(VN(Keccak512'(VN(Keccak512'(VN(HWRNG samples)))))) ⊕ /dev/(u)random
Keccak512(kb1 + entropy) > independent 512-bit key (Keccak-CTR)
Keccak512(kb2 + entropy) > independent 512-bit key (XSalsa20)
Keccak512(kb3 + entropy) > independent 512-bit key (Twofish-CTR)
Keccak512(kb4 + entropy) > independent 512-bit key (AES(GCM))
Keccak512(kb5 + entropy) > independent 512-bit key (HMAC-SHA2-512)
Keccak512(kb6 + entropy) > independent 512-bit key (SHA3-512-MAC #1)
Keccak512(kb7 + entropy) > independent 512-bit key (SHA3-512-MAC #2)
Keccak512(kb8 + entropy) > independent 512-bit key (SHA3-512-MAC #3)
where kb1..8 is a separate input by the user from the keyboard.
The Keccak512' takes 1024 bits in and outputs 512 bits. This ensures
the entropy of input is larger than output unless HWRNG produces very
bad entropy (4 bits / byte or less)).
-
Added feature to launch tfcInstaller.py from Tx.py or Rx.py during local testing if lack of dependencies causes the first crypto library (XSalsa20) to causer import error.
-
Added option to Rx.py to print Noise packets/commands. This helps in debugging if the user is unsure why incoming packets are not displayed.
-
Removed deskew.c and integrated VN-whitening to genKey.py
-
Added prompt to overwrite keys that already exist.
- Added missing Keccak self-test function to startup self-test routine.
-
Removed unnecessary padding of one-time MAC
-
Added error handling and message when Rx.py runs out of keyfile.
-
Fixed issue where Tx.py not in local_testing mode aborted rx-side keyfile change if keyfile was not also in TxM side folder.
- Added toBytes C program (by G. Vazzana) that speeds up keyfile conversion.
-
Replaced KeccakError class and error handling with graceful exits.
-
Fixed metadata leak in constant transmission mode: When sending long packets, between each packet only one command packet would be sent with the probability of 1/2. This made detection of long packets possible with statistical analysis. Tx.py now sends a random amount of command packets between each packet of a long message.
-
Clarified docstrings.
-
Changed software to only import what is needed from modules.
-
Edited white space, exterminated typos, renamed variables, rewrote functions etc.
-
Changed
rx.local.efilename globally tome.local.e. This allowed significantly cleaner code in genKey.py. -
Changed references in documentation and variables from
xmpptoaccount.
-
Keyfile rotation, overwriting, message encryption and keyID increase is now handled using a thread. KeyboardInterrupts etc. no longer cause errors when writing key IDs and keys.
-
Fixed issue where generated keys were not moved to instructive folders.
-
Fixed issue where the existence of keys to be overwritten is not checked from instructive folders.
-
Fixed display of
me.header in nick change command. -
Fixed issue where temporary files were not removed after keyfile generation.
-
Removed installation of Secure-Delete as isn't needed to run shred.
-
Added serial exception handling to Tx.py and Rx.py
-
Fixed issue where
,caused problems with CSV files. -
Fixed issue where illegal nick during contact creation was accepted.
-
Fixed issue where Tx.py did not remove temporary file if it was empty.
-
Added animated banner for TFC name and boolean setting
print_bannerto disable it. -
Simplified self-test and key generation UI with acknowledgments that are printed to the same line after the task is complete.
-
Added a boolean option to genKey.py to disable prompt to create triplet from the key.
-
Added command
/store {on,off}for Tx.py that allows the user to enable file reception on RxM. The command is encrypted. Rx.py lets the user know if file reception was (already) enabled/disabled. -
Tx.py now shows useful printed commands when
clear_input_screenis setTrue. The user just needs to press<enter>to continue.
- Fixed metadata leak where 138 or 139 char long messages were padded to 280 chars. Added check and graceful exit for padding function to ensure leaks will no longer happen.
- Fixed crashes with long messages, files and multiple commands with bad parameters, rewrote contact selection functions. Fixed sliced logfile names. Fixed notification for locally received messages being discarded not showing when it should and vice versa.
-
New pictures of chapter providing background.
-
Added more detailed analysis on leaks.
-
Added circuit for data diode with the flip-flop circuit.
-
Added picture of data diode with the circuit.
-
Added TFC CEV properties to abstract
-
Added CEV to the chapter on ciphers and self-audit.
- Upgraded according to updates on software.
-
Updated Keccak library from 2.0 to 3.0 which has new padding scheme.
-
Every function now uses isistance() input type validation.
-
Every safety-critical error now causes a descriptive graceful exit.
-
Added docstrings for most functions with descriptions about the functionality and parameters.
-
Improved structure and readability of source code in general, removed typos etc.
-
Added threads that send a constant stream of noise commands and messages randomly (1:1 ratio) to hide metadata about when communication or command sending is actually taking place. The feature will exhaust OTP keys rapidly so the use of CEV version is recommended. Some XMPP servers might ban users for 'spamming', so using low repeat rate is recommended.
-
RandomSleepvariable also affects the constant transmission setting. -
For now, paste mode, contact changing and multicasting of messages are disabled during constant transmission to protect users against timing attacks against the system.
-
Added self-test functions for Keccak hash function, Keccak CTR, XSalsa20, Twofish CTR and AES-GCM
-
Fixed binascii.hex() NameError in cases where import of Crypto.Random.random fails: AES-GCM nonce (512 bits) is now generated using Kernel CSPRNG (/dev/urandom).
-
Removed code included in the libraries of Twofish and Salsa20 algorithms.
-
Added double assertion for Twofish CTR that checks each IV used was unique.
-
Changed Twofish IV generation from XORing nonce with the hash of a counter to XORing nonce with a zero-padded counter which is closer to standard.
-
Added self-test functions for Keccak hash function, one-time pad, and one-time MAC function.
-
Fixed an infinitesimally unlikely vulnerability where after reducing int('one-time key') % M521, either of the MAC keys would be zero and thus vulnerable. In the event this would occur (probability = 2/2^521), Tx.py will now exit.
-
When changing keys, checks that keys have been shredded and new keyfile is in place before reporting on successful key change.
- Defined proper values for packet max and min size to prevent errors.
-
Fixed the confusing xmpp variable to always mean the XMPP-address, without tx. prefixes.
-
Improved code structure significantly: the main loop is now much shorter and functions are more autonomic.
-
/group rmwithout specified XMPP-addresses now overwrites and deletes group file. -
/group <group name>now shows specified group members. -
/msg <group name>is used to select group. -
/group add <group name> <xmpp>now asks to create new group if not one already exists. -
/store listcommand now asks RxM to display the list of temp files it has. -
/aboutprovides clickable URLs (for local testing as TCB has no network connectivity.)
-
User can now select a contact by typing the recipient XMPP to contact selection menu, tab-complete supported.
-
Automatically removes placement instruction for all tx.xmpp.e files.
-
Pressing
<Enter>instead of giving nick now parses the name side from XMPP-address and capitalizes it.
-
Added self-test functions for Keccak hash function, Keccak-CTR XSalsa20, Twofish CTR and AES-GCM cascading crypto
-
Fixed failure to create a proper log of replayed packets.
-
Changed Twofish IV generation from XORing nonce with a hash of counter to XORing nonce with zero padded counter which is closer to standard. (Edit 03/2018: Which in hindsight was a great idea as that's the way TLS1.3 creates IV)
-
Removed code included in the library of Twofish and Salsa20 encryption functions.
-
Added double assertion for Twofish CTR that checks each IV used was unique.
-
Added an option to require manual acceptance of packets they key ID of which suddenly increased enough to DoS Rx.py or even crash it. When rejected, Rx.py makes an automatic event log to
syslog.tfc. The user can also set the value of how large difference is required to trigger this. For constant transmission mode, this should be disabled.
- Added self-test functions for Keccak hash function, one-time pad, one-time MAC and constant time MAC comparison function.
-
Fixed crash where missing keyfile
rx.xmpp.ecauses an error in key ID loading. -
Added clean exit when sending KeyboardInterrupt during contact nick input.
-
Changed UnboudLocalError to graceful exit when there is no me.xmpp.e file the moment Tx.py sends a message.
-
Fixed issue where malformed base64 padding caused TypeError and crash. Tampering event is now created.
-
Fixed issue where missing keyfile
rx.xmpp.ecaused get_key_id() to unnecessarily gracefully exit Rx.py. -
Rx.py now prints a warning when it can't find keyfile or key ID in
rxc.tfc. -
Removed double warning from MAC failure.
-
Fixed whitespace after time stamp in
syslog.tfc.
- Fixed issue where MAC fail crashes on Twofish input parameter type error.
- Moved handling of encrypted commands to a function reducing the length of the main loop.
-
Warn about missing keyfile pair. Automatically removes placement instruction for all
me.xmpp.eandrx.xmpp.efiles. -
Pressing
<Enter>instead of giving nick now parses the name side from XMPP-address and capitalizes it. -
Swapped Nick storing and loading from
rx.xmpp.etome.xmpp.eso the user can store the contact's nickname before receiving therx.xmpp.ePSK: The latter keyfile will be added automatically torxc.tfc. -
Rx.py now reports on encoded files not yet stored when the file is rejected or improper temp file name is provided. (User can query Rx.py for a list of pending temp files with the command
/store list.) -
Automatically removes placement instruction for all
me.xmpp.eandrx.xmpp.ekeyfiles.
- Hides noise messages/commands sent by Tx.py programs automatically.
- Fixed issue in Rx.py OTP where a maliciously crafted packet with high keyID causes an OverflowError and crash.
- NH.py now lets the user know which account TFC uses to send messages. The user can change the account by dragging it to the topmost account in 'Manage Accounts' section in Pidgin.
- Automatically analyses whitened entropy with Ent and does graceful exit if obtained key data does not have high enough entropy (7.85 bits/byte by default)
- Increased sampling time from 30000 to 50000.
-
genKey.py now takes parameters [FLAG] [CONTACT_XMPP] [USER_XMPP]
-
if the user specifies both XMPP-addresses, genKey.py generates a triplet of the key for both TxM and RxM of user and RxM of contact.
-
If the user does not specify one or either, genKey.py asks the user to input them manually (interactive) mode.
-
When key generation generates one key or triplet:
tx.xmpp.eis given instruction and moved to foldermove_to_TxMunless Tx.py exists in the same directory as genKey.py. -
me.xmpp.eis given instruction and moved to foldermove_to_RxMunless Rx.py exists in same directory as genKey.py. -
rx.xmpp.eis given instruction, and it is moved to foldercontact_keys? -
Tx.py and Rx.py automatically remove instructions from file names, the user no longer has to do that.
-
Giving the output file name
lor{,tx.,rx.}local{,.e}now asks if user wants to generatetx.local.eandrx.local.efiles as a pair.-
tx.local.eis given instruction and moved to foldermove_to_TxMunless Tx.py exists in same directory as genKey.py.-
rx.local.eis given instruction and moved to foldermove_to_RxMunless Rx.py exists in the same directory as genKey.py. -
Initializing software with command
python genkey [FLAG] 'l'or{,tx.,rx.}local{,.e}also switches to local. -
Setting boolean
instructionstoFalsein genKey.py disables generation of all instructions.
-
Installer is now provided with pre-installed SHA512 hashes of the latest version that are used to verify the integrity of files.
-
Created an RSA public key to sign the installer files, the public key is available at
https://cs.helsinki.fi/u/oottela/TFC-pub.key https://pgp.mit.edu/pks/lookup?op=get&search=0x4064F05A4D17DE97
-
Since exfiltration of private signing key is a serious issue, this requires some transparency:
-
The private key is handled only in unidirectionally separated TCB, protected with cascading crypto and undisclosed tricks.
-
Installers to be signed are moved via data diode to an RxM-like environment, from which the signature is read as a QR-code before it's decoded and uploaded to GitHub.
This will slow down the rate at which updates are published excluding cases where a vulnerability has been found.
Unfortunately, there is NO high assurance way for the user to verify TLS-MITM didn't take place and that a nation-state actor didn't change the public signing key on-the-fly to one the private pair of which was used to sign tampered files.
-
- Created functions for each installation subroutine.
- Improved instructions that are provided.
-
Added separate exit_with_message() function
-
Expanded group management help codes
- Split into TFC-CEV and TFC-OTP
-
file-transfer
-
OTP: One-time MACs
-
Multicasting of messages
-
Local testing
-
Help menu scales to the terminal size
-
Attempt to relocate printable strings for easier translation
-
Remove need to run TFC as superuser
-
Evaluate OTP keyfiles with DieHarder batter of tests
-
Combine TN.py and NR.py to NH.py
-
UTF-8 encoding, OTP with XOR over binary data over modulo-arithmetics and printable ASCII
-
Long messages with multiple packets
-
Improved keygen
-
Create installer
-
user manual
-
Swap OTP-keyfile with
/newkf
- Forward secrecy by overwriting of OTP keys after use.
- OTP encrypted Keccak MACs
- Counter for remaining messages
- ASCII OTP + OTP-encrypted CRC32 signature*
*In retrospect this home-brew implementation was horrible but then again, I had only started with crypto and didn't know what a MAC was.