Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/simcap/instantroom

Ephemeral private and secured group chat room
https://github.com/simcap/instantroom

Last synced: 28 days ago
JSON representation

Ephemeral private and secured group chat room

Awesome Lists containing this project

README 

          
# InstantRoom



InstantRoom is a simple, private and secure group chat application.



Although they are many existing group chat application, InstantRoom is different in that

it avoids complexity by putting back the responsibility of the security back

into the user's hands.



Indeed it is the responsibility of group members to initially transmit the group secret key to other members.



InstantRoom makes that easy with:

- _a secret key with mini format for easy sharing_

- _or a secret key as QR code for direct phone to phone sharing_



InstantRoom does not persist any messages on the server nor can it decrypts any messages since the secret key is only

generated and managed from the user's client application side.



InstantRoom abides by the Kerckhoffs's principle:



> _A cryptosystem should be secure even if everything about the system, except the key, is public knowledge_



## Features



- Secret keys have a mini format for easy sharing

- Secret keys can be displayed as a QR code for phone to phone sharing

- Rooms auto expire. One can choose a 1 hour room, 1 day room, 1 week room, etc...

- Messages are only local on the client side. You can chooses to delete some or all of them at anytime

- The application's code is in the open and inspectable by anyone

- The server does not store any messages

- The server cannot decrypt any messages. It only relays them

- Avoid mpOTR (Multi-party Off-the-Record Messaging) complexity



## Upcoming features



- Local access to secret keys on the client side will be password protected

- Your own InstantRoom! Executables will be available to install your own InstantRoom server. The client applications will allow to point to any server's url



## Attack scenarios



InstantRoom is based on the secrecy of your private key generated through the _Public Key Infrastructure_. So leaving aside advanced implementation attacks scenario, here is the only way your group chat can be compromised:



- the attacker gets hold of your secret key!



How?



- if you leave your phone unattended (although in the future the access of the secret key on your phone will be password protected)

- if you have transmitted the secret key to other members through a potentially insecure channel



## Sharing the secret key



Here would be common way to give the secret key to other members and the associated risk:



Method | Attack | Risk

--- | --- | ---

Orally | being heard by third party | unlikely (as can be easily circumvented)

Direct contact reading through QR code |  side channel | unlikely (as very elaborate and spottable)

Remote webcam reading through QR code | insecure channel | possible



## Kerckhoffs's six design principles



We believe InstantRoom stands by those principles



Principles| Status

---|---

The system must be practically, if not mathematically, indecipherable|✓

It should not require secrecy, and it should not be a problem if it falls into enemy hands|✓

It must be possible to communicate and remember the key without using written notes, and correspondents must be able to change or modify it at will|✓

It must be applicable to telegraph communications|✓

It must be portable, and should not require several persons to handle or operate|✓

The system must be easy to use and should not be stressful to use or require its users to know and comply with a long list of rules|✓



##  Technicalities



- Private and public keys are generated through ECDSA P-256

- The mini private key format is done through the Bitcoin's 30 characters format

- The encryption is done through AES using the private key as the cypher key. The key size is therefore 256 bits.