Our project is to build upon an existing browser extension (for chrome), grdme, that provides encrypted communication across any web platform over text channels. Grd Me (/ɡärd mē/) is an open source browser plugin that provides encrypted communication across any web platform. Whether you're writing an email, chatting on Facebook, or anything else really, Grd Me keeps your communication secure and completely private.
Specifically, our primary goal is to re-implement the encryption protocol that is being used currently, and replace it with a system that implements perfect forward secrecy (PFS).
Perfect forward secrecy (PFS) is important in part of modern security. Asymmetric crypto was the last major step and it allowed people that did not know one another to talk securely without sharing any prior secrets. PFS takes this one step further by tackling a major flaw in standard crypto: key leakage. If a key is ever leaked or bruteforced, all past messages and, if the user is unaware, future messages too can be vulnerable. One solution to this is to use larger and stronger keys to prevent attacks, but accidents will always happen. PFS adds an extra key exchange onto every message to increase the difficulty of an adversary compromising messages. This way because every message has a unique session key, you must brute force all of them. Going one step further, since these keys are meaningless after use, one time then done, PFS implementations delete the session keys to prevent leakage. This model of messaging has one more benefit, it mimics physical human conversations much better. Because like when you are talking to someone, it is not persistent like a facebook chat or email, PFS can actually give a more intuitive interface to a new user than these other technologies.
We will also need to address the following questions when implementing PFS: In the case that someone joins a group chat with PFS, will they be able to view messages sent before they joined? Will key exchanges be done in a centralized or decentralized way?
If we achieve PFS before the semester is over, our reach goal is to hide public encryption keys in pictures, focusing on .png files, using stenography. Hiding keys in pictures would allow users to display their public keys in profile pictures on various websites (i.e. twitter and github), which would offer other users a decentralized way of verifying key ownership.
Steganography is a technique of storing data in pictures. It uses the least significant bit of information in the colour channels, so as to be imperceptible to the human eye. With this technique, we can leverage existing trust networks to tie together a coherent user profile. The current key-server model for technologies like pgp has little notion of trust instead relying upon a web of trust generated by the cross-signing of various user keys. This technique is outside of the scope of this document, however it is important to note that this method is not without its flaws. Steganography will allow us to instead place trust in services like Facebook, Twitter and Github and allow a much more robust and decentralized network that can survive losing services in a way that the current Grd Me key-server cannot.