11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 1/17

Chat, p2p Email, e*IRC.

8 public/priv. RSA-Keys.

Secure End-to-End-Encryption (AES).

SSL-Connections.

Authentication (optional).

Distant-Chat.

Encrypted FileSharing.

GoldBug V 0.9.07

Secure MessagingCommunicate with strong multi encryption.

Learn more about GoldBug »

What is GoldBug?

GoldBug is a secure Instant Messenger. You

can be sure with using GoldBug (GB), that no

third party can look into your chat

communication. Private user-to-user

communication remains private. GoldBug

therefore uses strong multi-encryption with

different layers of modern encryption

technologies of well known and revised crypto

libraries (like libgcrypt (GnuPG) and OpenSSL).

The app offers as well decentral and encrypted

Email and decentral public E*IRC-Chat.

Tweet Read GoldBug-Whitepaper-PDF.»

Why encryption matters:

Today mostly every WIFI is protected with a

password. In a few years as well every plaintext

message or email to friends over the internet will

be encrypted too. It is not a question to

have something to hide or not, it is a question to

control by yourself the security of your

communications - or having it controled by

others. Strong-Multi-Encryption ensures the

declaration of human rights in broad

constitutional consensi and is a digital self-

defense, everyone needs to learn and utilize.

GoldBug is the easy to use tool for that.

Encypted 1:1 ChatGoldBug encrypts your private chat

to a friend with RSA-Keys, SSL

and end-to-end encryption.

Encrypted GroupchatWith all your friends you can

create a group chat to all your

friends just by selecting all.

StarBeam FileShareShare files over the echo: Transfer

a file using a one time magnet link

to a crypto channel.

IP-less Key:In regard to other web of trusts the

key has no relation to an IP-

Address. WOT 2.0.

Public/Priv. RSA KeysGoldBug uses public/private RSA

keys. The public key must be

exchanged between friends.

Repleo:Either you send your key in

plaintext or you use the Repleo,

which encrypts your key itself.

GeminiThe Gemini is an AES-end-to-end

encryption for chat and an

additional layer of encryption.

GoldBug-PassphraseSecure your GB-Emails with a

passphrase per each email. This is

called a GoldBug-Phrase.

p2p EmailNext to Chat: GoldBug offers you

serverless p2p Email without data

retention. Integrated BitMail.

e*IRCPublic Chat is provided with e*IRC,

which is echo-ed IRC: Groupchat

on AES Channels.

MELODICAThe MELODICA Button provides

instant forward secrecy. Renew

your Gemini in a second!

Instant Fwd SecrecySession AES-keys are inde-

pendent from longterm RSA-keys.

Use MELODICA often!

Opt. AuthenticationGB provides optional use of

signatures, for authenticated Chat

& Emails. Trust, when needed.

Chat over Tor-ProxyYes, GoldBug can be used over

the Tor-Proxy. It is a new TorChat

Application.

Echo Protocol Half Echo Modus

GoldBug Features GoldBug.sf.net

Secure Instant Messenger

Testserver - DNS:

tulip.cloud.tilaa.com

Home Download Project Source SVN

English German Chinese Spanish French Russian

Like Share

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 2/17

Next to encryption & f2f Email:

Echo is a new algorithm, that

makes GB resistant to tracking.

Half Echo sends messages only

directly to one friends IP.Exclude

others to ever get your message.

Simulacra-ScramblerThe simulacra sends out random

fake messages from time to time.

And No, it´s not the Mona Lisa.

WoT-DeniabilityThe Half Echo Modus creates a

deniability for a web-of-trust (f2f) in

a p2p-environment.

Is GoldBug really secure?

How to install ?

Why the Name?

What is StarBeam FileSharing?

FAQ

GoldBug uses modern technology based on open source libgcrypt libraries to encrypt the data. Not

only the communication over the internet is encrypted several times with different methods, as well the

application stores your data in an encrypted database. Even if Online-Banking (HTTPS) would be

regarded not as secure anymore, GoldBug still will be: therefore it uses a mixture of a kind of

public/private-PGP-Key/RSA-encryption - optionally with e.g. AES encryption. So it is additionally

assured with (hash-salted) session keys and AES end-to-end encryption. Instead of AES you can of

course choose some other given ciphers. It is your choice. Last not least, all that multi-encryption is

sent over a secured SSL connection. The SSL connection is not founded on any central certificates of

a server, which could be backdoored, instead SSL is used the p2p way, so that there is no central

instance, which could sell your trusted certificate to third party. The SSL-certs are self-signed.

Furthermore you can sign every message and email. This is an option, as well unsigned messages

can be sent. OpenSSL is used for key derivation and encryption for each socket. The personal keys

that you own (chat, email, url) are made by libgcrypt and are independent of OpenSSL. There are a

total of six pairs of keys that this app generates at the beginning of the initial setup.

(1) Download the zip-Installer and unzip.

(2) Settings Tab: Create a password.

(3) Settings-Tab: Check, if pathes to kernel and GeoIP.dat are green. If not, set the pathes.

(4) Settings-Tab: Activate the kernel.

(5a) Add-Key-Tab: Copy out your key with the big copy-key-button and exchange key with a friend

(e.g. email).

(5b) Add-Key-Tab: Paste the key of your friend and press the add-button.

(6) Connect-Tab: Add IP+Port of your friend or of a chat-server.

(7) Create-Listener-Tab: Choose the IP of your device (or localhost) and press the button "Set" and

then "Go Live"

(8) Status-Bar: See, if all 3 LEDs are green. If the Neihbours LED (middle) will not be green, try to add

another IP or delete the file "neighbors.db" in the subpath ".spoton" and restart adding an IP into a

fresh neighbors-database.

(9) Chat-Tab or E*IRC-Tab: See, if chat friends are online.

" 'The GoldBug' is a short story by Edgar Allan Poe about cryptograms in 1843. The plot follows

William LeGrand, who recently discovered a gold-colored bug. His companion, Jupiter, fears LeGrand

is becomming now obsessed with searching for treasure, knowledge and wisdom after being in

contact with the GoldBug - and goes to LeGrand's friend, an unnamed narrator, who agrees to visit his

old friend. After LeGrand has deciphered a secret message the three start an adventure as a team.

'The Gold-Bug' - as one of the few pieces of literature - incorporates ciphers as part of the story. Poe

took advantage of the popularity of cryptography as he was writing 'The Gold-Bug' in 1843, and the

success of the story centers e.g. on one such cryptogram and the search for the Philosopher's Stone.

'The Gold-Bug' was an instant reviewed story and was the most popular and most widely evaluation of

Poe's works during his lifetime. His ideas also helped to popularize secured writing and cryptograms."

- Wikipedia.

StarBeam is the new FileSharing protocol provided by libspoton and GoldBug Messenger. While other

filesharing applications like Emule (since 2002) with Edonkey-links, ShareAza (since 2004) and Vuze

(since 2003) with Bit-Torrents and Magnets (in the old standard) are well known for their Weblinks to

download files - Ten years later the StarBeam filesharing protocol renews the FileTransfer and the

Magnet-URI Standard. Magnets from StarBeam can be linked on any website, because they are not

6 Milestones of Security(1) Open Source

The GoldBug Messenger is open

source: with BSD-license. Use Open

Source Linux instead of Windows.

(2) Decentral SSLIt uses the echo protocol with de-

central SSL deployed by Qt &

OpenSSL. Read about (half/full)

echo below.

(3) End-to-End EncryptionGoldBug integrated the Gemini,

Email-Passphrase- and MELODICA-

features based on AES-end-to-end-

encryption. Read below.

(4) Multi-Encryption

GoldBug uses (1) the public/private-

Key-Method (asymmetric encryption

with RSA-Key) (2) with e.g. AES-

Cipher (symmetric-end-to-end encryption) over (3)

decentral, self-signed SSL.

(5) Strong Encryption

GoldBug uses 2048-RSA-Keysize

and up with AES-256.

(6) Clientside EncryptionYou cannot log into a central

website, instead you install the

GoldBug client on the local device in

your hand. Define yourself options like: key-sizes,

ciphers, salt-length etc.

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 3/17

Who can set up a server?

Multi-Encryption: What technology do you use?

How to compile myself for windows?

How to compile for Linux, OS X Mac, Raspberry Pi, OS/2, Android?

related to any specific file. Instead, they are links to a crypto channel in the echo p2p-network. Only a

so called "One-Time-Magnet" (OTM) is related and used only one time for the transfer of a specific file.

That means it is fully ok to publish a StarBeam (SB) directory with magnets on your website. SB-

Magnets are deniable: in no case it is guaranteed, that only a specific file or even two files are

transmitted over this channel. No one can proof, is a OTM has ever been used or is used twice.

StarBeam-Magnets can be private or public, in case they are public, you should use an account to a

trusted neighbour. In case you don't have an account to a neighbour, even this is not needed, just

transmit an encrypted zip/rar-file and share the password in a different channel or at a later point of

time than you share the magnet. StarBeam Peers are able to record the stream and decrypt it later,

when the Zip-Password is public. A recorded stream is called "mosaic", as you collect the chunks

and puzzle the encrypted pieces thgether like in a mosaic. Once you have a part of a mosaic, you

can play it again back to others. Sattelites of the Source make a StarBeam-Stream sustainable. Even

XORed Files (offsystem) can be sent over the echo. Many potentials for the new filetransfer with

StarBeam. Nothing to be curious about, every Instant Messenger allows to transfer a file, here it is

just done over the echo protocol. Think the echo! A StarBeam-Magnet contains the ciphertype (CT),

an encryption key (ek), a MAC Key (MK) (which secures the encryption key a second time) and the

hash type (ht) and looks e.g. like this: magnet:?

ct=aes256&ek=3BRXu+KofMPEjTLkPLEam1Bv9ndoX4nj&ht=sha512&mk=SLGzOi6HoSgYpdraIR39PAvw2pOhiPaWszfEdW03TYLaciawK1OOLoqApE94RAA6vIB75827mrtD6fb9aNW2E8YYhMs556aPlkf5vDPvzyAnO0+RxPTEFB/B4+aCGAMDCq+x3WDwntm0guweqLyI9aXgLD3/lc3rLPmpziWl61NNURR3dxRogR9XH/WUqV0o89PanNy/HZ94AQcWAPTE/1q9BMhgCSn9kVAzEKec18k+IMk4OU1p9kKU6pZnIZy75If0Br0GWU77iel6BOhDOBjdDWFKpq93yBIH/Zula2it77GWxYMF+YrR8N7rtg1GZ831X1F+wo8bqlAR2EKJyizTu5h10uCsRHoJvWfnrbrKrOo9441NMd+u6FPqVIkUvPfUZ233YZkLWqt8tCNvjFkRwaXtkt36v2r8xdhRU42w29n7GvXa/V3pq4dLU/IziU2SVU9XKphWDgTnMjdZdlmKK41jTR80NAXxlU8U5b1divIAcPmcLks6ICANtZJn

Everyone. Everyone can and should setup a chat server for GoldBug. It is quite easy to create a

Listener (listening port) for your friends, if you can manage to make it acessible on your web (which

means often to forward the chosen port in your router/nat or to set it up not at home, but directly on a

webserver. The installation does not provide currently any server IP, so set up one for your friends to

test. Or find server IPs on boards and forums. Some forums, boards or internet service communities

have an own Echo-Server. Just ask at your board. A E*MPP-Server - a server for the "Echoed

Messaging and Presence Protocol" - short: Echo Protocol - connects to only one or many clients.

And servers of course as well. That all means: there is no central server and everything is decentral

like any Jabber chat server. The difference is that this chat server does not allow any plaintext

communication and: chat servers connected to chat servers announce within a p2p network their

existence. Once you are connected, you should be able to connect to one or several chat

servers/listeners of the decentral p2p-net.

Hence, EMPP chat servers define a new state of the art. For that it is highly recommended to think

about jabber server software (and even jabber clients) being hybrid with the echo-protocol of libspot-on,

which GB deploys too.

The technology is most modern, next to libgcrypt and a the pgp-like-method over SSL with optional

AES end to end encryption the whole client is using a new protocol, the Echo. Echo is currently

deployed by the library libspot-on. Spot-On requires Qt 4.8.5 or Qt 5.1.x, libGeoIP 1.5.1,

libcrypto 0.9.8 or later, libgcrypt 1.5.x, and libssl 0.9.8 or later. Qt 4.6.3 is also supported.

Download the source either from SVN or the download section. It is as well included in the win-

installer zip. It might be good, to get compile experience with the spot-on library fist. For GoldBug

read the compiling wiki.

Easily: 1. Install Qt, 2. Install the needed libraries: GB requires Qt 4.8.5 or Qt 5.1.x, libGeoIP 1.5.1,

libcrypto 0.9.8 or later, libgcrypt 1.5.x, and libssl 0.9.8 or later. Further libsqlite3-dev, libgcrypt11-dev,

libssl-dev, libgeoip-dev. The libGeoIP library is optional and may be circumvented by configuring the

appropriate project file.

3. Choose the referring .pro file and compile with Qt Creator (gui and kernel).

You can report your compiling experiences and scripts in the wiki. Help to create a documentation..

Qt 4.8.5 or higher is highly recommended.

If header (h) or interface (ui) files have changed, please perform a distclean before building Spot-On.

Absolute cleaning:

make distclean or mingw32-make distclean

FreeBSD:

qmake -o Makefile spot-on.freebsd.pro

make

Linux:

qmake -o Makefile spot-on.pro

V0.9

Adaptive Echo Example: Hansel & Gretel.

When node A2, E5 and E2 share the same AE-

token, then E6 will not get any message, which A2

(Hansel) and E2 (Gretel) will exchange. Node E5

learns via the token, not to send to E6 (Wicked

Witch).

Ask the server, you connect to, and your friends to

add your tokens. Server admins can share tokens

with other server admins as well.

An "Adaptive Echo" Network does not reveal any

destination informaton (comp. Ants Routing).

Remember: "Half Echo" sends only one hop to the

connected neighbor and "Full Echo" sends the

message to all connected nodes over infinite hops.

Releases & Info

GoldBug V 0.9.07 has been

released on 2014-07-13 (Adaptive

Echo Release):

Changelog 0.9.07: (1) Adaptive Echo (AE)

Released. A new era begins: Hansel and Gretel

can communicate without letting the Wicked

Witch know. Because your network will learn

from connections: Next to "Full Echo"

(messages are sent to every connected

neighbor and hop on and on to further

neighbors, "P2P") and "Half Echo" (message is

sent only to one connected neighbor for one

dedicated hop/transfer, "F2F") and "Echo-

Accounts" (only defined neighbors are allowed

to connect, "Web-of-Trust") now with "Adaptive

Echo" a learning, smart network will be

established based on AE-Tokens. Adaptive

Echo provides exclusiveness between nodes,

knowing the token. That means, a node/kernel

will send the message not to all connected

neighbors, but only to those, who knwo the

token. As the Wicked Witch does not know the

token, Hansel and Gretel are free. See further

explanation inside the Messenger. Please note

that version 0.9.07 (Adaptive Echo release)

removes compatibility with all previous versions.

Hence, please update yourself and your friends

with a new installation and key-exchange. (2)

The App will now join the default common

developer e*IRC/Buzz channel automatically

after startup. (3) Improved StarBeam

FileSharing. (4) Improved the SCTP

implementation with respect to large data

transfers. Added an SCTP listener to spot-on-

neighbors.txt startup-connection-file. (5) Gui

Improvements and Tooltip-Updates. (6) Compile

Flag for GoldBug is now found in: GUI/spot-on-

defines.h. (just replace in the spot-on.sf.net

source the /ui and .pro files for GB) (7)

Upgraded Libraries: Qt to version 5.3.1 on

Windows and OpenSSL to version 1.0.1h on

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 4/17

What is Key, Repleo? Gemini and GB?

How is p2p Email to Offline Friends working?

What can the echo do to secure an encrypted Web of Trust (WOT)?

make

OS X:

qmake -spec macx-g++ -o Makefile spot-on.osx.pro

make

Windows:

qmake -o Makefile spot-on.win.pro

make or mingw32-make

When you want to connect to a friend, you need to send him or her your key , you find it in the

key-tab. Once your friend has added your key, you need to select your friend in the chat tab

(participants list) and copy the so called "Repleo" (of this dedicated friend, so select him first). The

Repleo needs to be sent back to your friend and once it is added there too, you both will get

connected. Furthermore you should of course connect to an IP of your chat server or a third friend,

which has set up a listener in servermode. As long as chat servers are not connected to other chat

servers, it makes sense, that both friends use the same chat-server-IP. Furthermore: The Gemini

is a feature to add another security layer to the chatroom with an AES Key for end-to-end

encryption. The Gemini is additionally secured by a cryptographic hash key (SHA 512), a so called

MAC (Message authentication code). Third: The GoldBug-feature is used in the integrated email client

to add here as well an end-to-end AES-Encryption layer - the GoldBug , or: just a password,

both users use to encrypt their emails once more. So with the Gemini or GoldBug, you need a kind of

password (e.g. AES-string) to open the email of a friend or to be able to chat with him.

You have a chat partner who is offline? No problem, send him an email with the GoldBug Messenger.

Let´s go to the email-tab. The email system based on the echo-protocol has no central servers and

each email to an offline friend is stored in a cache of your other trusted friends. It is not stored on

the network or any foreign nodes, only your direct chat partner take care for your personally encrypted

envelopes and deliver it to the offline friend, when he is coming online. Currently no p2p Email system

allows to send out email using this kind of security architecture. POP3 and IMAP are outdated in

regard of security, as any post box could be created just by everyone with setting up an EMPP chat

server. Test this email-feature with at least 3-5 friends to get the full impression of emailing with

GoldBug in a secure way. Because of the multi-encryption it is more secure than Gnupg and it needs

no central pop or imap server due to the decentral architecture. Data retention is brought back to

private responsibility with the echo-mail.

"First: Hide in the network ."

Bruce Schneier

There are three reasons why Web of Trust (WoT) architectures and even Friend-to-Friend (F2F) so

called "Turtle-Hopping" Networks might be considered insecure.

As trackers are regarded to map everything and analyse a hopping at least of three hops to friends, it

is quite easy to know, who is trusting whom. This can be analysed from outside of a WoT, but also

inside the WoT, as a Web of Trust shows, who is trusting whom by nature. So, if data retention (VDS)

is tracking every social network connection, then a WoT does not provide anonymity on the one hand.

With the echo-protocol everyone has every message - not only your WoT members - and it is highly

complex to map that network. Though - at the same time - you can use a so called "half echo"

modus, which creates a F2F network within the P2P network. Every Node decides, if one or in general

all connections should be full or half echoed. In case a half echo is utilized, your message will be sent

only to the direct connection and stops there. You have created a WoT within the general network.

Deniability: With 'half echo' you cannot determine a private communication within the general echo

network. So second, within a p2p network you have created a plausible deniability of a Web of Trust.

While other networks discuss the pro and cons of p2p and f2f networks, GoldBug deploys both and

creates an individual option to set as slider between two ends: choose either detachement towards

network-mappers or build non-determineable direct trust-connections. YOU define, how to

communicate over the echo with your friends in the GoldBug Messenger.

Third, GoldBug introduces a kind of Distant Chat. With GoldBug you can message as well to friends,

which are outside of your WoT, which are not directly connected to you - but still with the same trust

and signature, as you have exchanged keys (Repleo). Ever tried to disconnect a trusted friend while

keeping the secure communication and trust?

OS X and Windows.

GoldBug V 0.9.05 has been released on 2014-

05-31 (Added Example Project Chat Server

Release):

Changelog 0.9.05: (1) Implemented Project

Chat Server. GlodBug now connects

automatically to a chat server. For that, the file

"spot-on-neighbors.txt" has been added with

server-information of the project test server. The

application will process the contents of the file

after a new installation. Neighbor connections

will be set to connected directly after the login.

Please restart your application after initial key

creation. Please note that the file "spot-on-

neighbors.txt" is expected to reside within the

directory that houses the GB executable. (2)

Added a default E*IRC/Buzz developer's

channel, so you can join and find other users

and developers on the default project chat

server. (3) For E*IRC/Buzz-Channels now salt

values are - next to hash keys - mandatory, in

case you create an own IRC room. In case you

send a magnet to friends for your IRC-room/-

channel, then the hash and salt will be

automatically included. (4) Optimized GUI-

Layout for Windows 8.1. Tablets (e.g. 7"-8").

GoldBug V 0.9.04 has been released on 2014-

04-22 (SCTP & Institution Release):

Changelog 0.9.04: (0) Updated OpenSSL library

to latest. GB had no heartbleed, as the lib was

already the latest and not affected. (1)

Improved, more simplified Gui, which is default

at startup. (2) Added e-mail C/O institutions:

Institutions will now be able to house 3rd-party

e-mail without needing to distribute their public

keys. (Please remove your old email.db.) With

enabling C/O service you create a post office for

your friends. Two methods exist: Define a

common neighbor (e.g Alice and Bob connect

to a common webserver as node, and all three

have email keys shared), then the webserver

stores the emails, even if Alice or Bob are

offline. Second: Create an Institution and add

the email key of a friend to your node. In case

your friend adds the magnet link for the

institution as well to his node, the institution will

save all emails for him (as well from senders,

which are not registered at the virtual

institution). A Magnet Link allows to share the

Institution easily. (3) SCTP implementation and

support for Windows. (4) Public keys of other

participants will now be encrypted. Please

remove friends_public_keys.db. (5) Corrected a

Bug in Rosetta CryptoPad Decryption.

GoldBug V 0.9.02 has been released on 2014-

03-13 (StarBeam Analyzer Release):

Changelog 0.9.02: (1) Added the StarBeam

Analyzer to the tools menu for discovering

missing chunks in the FileSharing function. (2)

Ability to change friends names permanently in

Chat and E-Mail tabs.

(3) Corrected an error with Rosetta text:

Newline characters are now not lost just

because of toPlainText usage. (4) Upgraded Qt

products to version 5.2.1 on Windows..

GoldBug V 0.9.00 has been released on 2014-

02-07 (Tablet Gui Release) :

Changelog 0.9.00: (1) Launch of the public

project server for test purposes: DNS:

tulip.cloud.tilaa.com (2) Massive Kernel and

further improvements. (3) Use a separate key

for computing local keyed hashes: Generating

now more than 8 Keys. (4) Ability to copy e-

mail key pairs of friends. (5) Import and export

of Keys (tools menu). (6) Added menu buttons

for to be build tablet modi. (7) Pop-up Chat

Windows malfunctioning has been corrected:

Sound available. (8) Introduced authentication

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 5/17

How strong are the Encryption-Keys?

Can I run GoldBug over Tor or a Proxy?

GoldBug is Open Source BSD License?

Will GoldBug be released on mobile devices?

Does GoldBug save every message on a server?

You see, a WoT is easily mappable, it is not anoynmous as you cannot disconnect a trusted friend

while keeping the signed trust and communication and third you cannot create a plausible deniability

of having utilized a WoT, if you use a WoT. Adding echo to a WoT brings real added value to the IT

architecture. The future will bring a lot of research to the comparison of web of trust models for chat

based on security, detachment, signatures and encryption.

Fourth: GoldBug has the option for authentication and non-authentication, in case you choose not to

sign your messages, you also have no need for deniability. The wish for "plausible deniability"

(compare analogy of: a-theism) has turn into a "conscious state for no need of deniability" (compare

analogy of: a-gnosticism). In case you combine e.g. authentication within e.g. direct connections

("signatures" as an option with "half echo" as an option and "super echo" as an option) - then you

have a web of trust hidden in the network. This "conscious state for no need of deniability" could be

called "agnostic deniability".

Some serverbased messengers, which are originally not made for a secured connection and

communication, need Addons to encrypt the communication. In a surveilled environment the

connection pathes are still very easy to map: Alice sends to the server and Bob receives it from the

server. It is possible to encrypt the communication with some provided addons, but the graph will not

be hidden. Network analysts know at every time it is: A(lice, plaintext) -> S(server, plaintext) -> B(ob,

plaintext), even if encrypting tools are deployed: A(lice, ciphertext) -> S(server, ciphertext) -> B(ob,

ciphertext).

GoldBug and its underlaying libraries use strong encryption. Public/Private-RSA-Key less than 2048

are regared as insecure and weak. Passphrases should have 16 digits and End-to-End Encryption

keys need at least 32 digits with real random generated charakters like the AES-256 standard.

Of course, that is possible. You can use any proxy of the web or Tor to connect from your GoldBug to

any neighbor or chat server. Due to the fact that the chat protocol uses HTTP, you should be even

able to create a chat server and listener for GoldBug using a so called TOR hidden service. But this

has not yet been tested and would be a task for the Tor-community to run the chat and echo over Tor.

As well firewalled environments are not a problem, as long as you are able to do online banking and

have an accessible chat server within your IT-environment/country.

Yes, GoldBug is open source with the BSD license (for the deployed Libraries see here). That means

you can revise the code and use it to create your own application. In a time in which you cannot be

sure if operating systems, communication applications or drivers of hardware like network switches

and keyboards, who knows, or even anti-virus-software updates might send you backdoors onto your

machine or send out private data or email passwords, open source code has become a milestone in

security. Dont trust closed source operating systems, applications, drivers or updates. It is highly

appreciated that GB source code is revised and used for the development of your own client. Y0u find

the source as an own Zip in the download section, as a subpath in the installer-Zip of the Application

or in the SVN repository libspoton. LibSpotOn uses libgcrypt and OpenSSL as is without modification.

The deployed crypto-libs might not use a BSD license, e.g. libgcrypt is LGPL, but as these are not

modified and there is no "derived code", it is possible to deploy these libs in the BSD licensed App

(with BSD license for for Gui and Kernel).

Currently GoldBug is provided as a release version for the Windows 7 operating system. The source

code provides as well Mac OS X and several Linux compiling settings. A mobile compile is intended,

hence the drafted(!) sketches for a mobile design at this site, but not yet released. Android should be

possible, as well as linux operating systems like sailfish or ubuntu mobile. Developers with dedicated

devices and compiling skills are requested to provide binaries for GoldBug and join the project or set

up a mod-project on their own. however, the encrpytion will alwayse be done on your device -

clientsided. There is no browserbased webservice which offers that for you, as this is regarded as

compromisable. You have to install a client, the app.

GoldBug has no central sever, so nothing is saved on a corporate server. Everything is userbased and

decentral. In case you email to an offline friend, the message is stored in your trusted chat friend,

which are currently online. So have a few friends in your GoldBug: The decentral approach requires of

course that you maintain at least a small network of users, you are connected with. If you do not want

to use these decentral approach, you can set up your own dedicated server or use the 'half echo' -

modus, so that your message is sent only to one participant over one dedicated connection.

V0.8

V0.7

V0.6

...

V0.1

timers (15 seconds) to secure D/H exchanges.

(9) Upgraded to Qt 5.2.0 and OpenSSL 1.0.1f

on Windows.

GoldBug V 0.8. (Rosetta CryptoPad

Release) has been released:

Changelog 0.8: (1) Release of the

Rosetta CryptoPad Tool.

GoldBug V 0.7 (StarBeam

Filesharing Release) has been

released on 2013-12-19:

Changelog 0.7: (1) Added FileSharing:

Introduced the StarBeam Transfer Protocol.

Magnet Links are related to Crypto-Channels in

the network, and are not related to files. One-

Time-Magnets ("OTM' s") are a Crypto-Channel

to one dedicated file-transfer. Magnets of

StarBeam are linkable on any homepage, as

they are not associated to a file. The "Rewind"

function starts the seed again. Seeders within

these kind of "Crypto-Torrent"-like Magnets as

trackers keep anonymous. Chunks are

Encrypted. Keep Magnets private or use

Accounts for Neighbours you trust or provide

the file-rar/zip-encryption key after the Transmit.

(2) e*IRC: Added hash keys and types to Buzz

channels. (3) Transport: Added UDP transport

as Option next to regular TCP transport. (4)

GoldBug now deploys 6 RSA keys for

Scrambler with faked Impersonator chat

Messages (install fresh; in case you upgrade:

please delete ./spoton path and generate a new

profile). (5) Added support for TLS 1.1 and TLS

1.2, where available. (6) Introduced sequence

numbers and UTC times to chat protocol (in

regard of UDP commmunications). (7) Gui

Improvements.

GoldBug V 0.6 (El-Gamal Release)

has been released on 2013-10-24:

Changelog 0.6: (1) Introduction of

ElGamal encryption key pairs (as alternative to

RSA-Keys). (2) Signature key pairs are

extended to a choice of: DSA and RSA. (3)

Added Accounts for chat-servers/neighbors-

connections: Create a dedicated connection on

your EMPP-Chat-Server for friends only with a

password. (4) Added pop-up windows per 1:1-

friend-chat (doubleclick on a friend to open it).

(5) Allow neighbors to be defined such that

(non-ssl)-plaintext connections are prohibited

(HTTPS-Only-Connections, Default: enabled -

For that reason, please remove neighbors.db. in

case you overtake your ".spoton"-datapath). (6)

Introduced threaded peers: Go parallel with your

processes! (7) Added Magnet-Uri Scheme for

e*IRC/Buzz-Chat Channels as kind of

Booksmarks for your echoed IRC-like-

Chatrooms!

V0.5: Signature-Keys Release on

2013-09-16 / V0.4: Kernel-

Improvement Release on 2013-09-03

/ V.03: Geo-IP-Release on 2013-08-26 / V0.2:

SSL-Release on 2013-08-22.

GoldBug V 0.1 has been released

on 2013-07-27 based on same day

release of Spot-on.sf.net, ascending

from the research project Ne.R.D.D. (

https://sf.net/projects/nerdd/ , registered on

06/27/2010)

The echo protocol library and compiling source

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 6/17

Does the network scale?

What about authentication and forward secrecy?

What is the Echo Protocol of LibSpot-On?

GB has a new encrypted IRC Chat implemented?

End-to-End-Encryption: What is the MELODICA Function?

Yes. There is no need to think theoretically. Set up a chat-server for your university or community and

you see, you will be able to handle any chat like any other chat server. In case you want to join

several neighbors, while you are not knowing to which neighbor your friend is connected to, there have

been good tests so far with other p2p applications. Every email uses several servers, so can you do

the messaging as well with the echo protocol. In case we speak of several hundred-thousands of

users there are of course some fast machines needed and your friends should use some

countrybased or institutional-based chat severs. The small world phenomen has the paradigm, that

you are connected to everyone over seven hops. So just test it out in practice.

GB guarantees with the implemented signature for authentication that the sender is who you think it

is. If you receive a message from a contact whose fingerprint you verified, you are sure it can not have

been sent by someone else. Furthermore GB offers a way to additionally encrypt all messages using

a instant-shared symmetric-key (the “Gemini”). The MELODICA feature guarantees a proper

management of these keys (changing them often) with instant forward secrecy. Obtaining someone’s

private RSA-key is not enough to decrypt their past conversations.

The echo protocol means in simple words, you send only encrypted messages, but you send the one

message to all of your connected friends. They do the same. You maintain your own network,

everyone has every message and you try to decrypt every message. In case you can read and unwrap

it, it is a message for you. Otherwise you share the message with all your friends and the message

remains encrypted. If you use the modus "half echo", then your message is not shared with other

participants. Echo is very simple and the principle is over 30 years old - nothing new. As echo uses

HTTP as a protocol, there is no forwarding or routing of messages, as you send your message e.g.

from your home laptop to your webserver. That is similar as if you send an encrypted zip from your

home to your own webserver. The process starts at each destination new - as you define it. With

echo, you start not only a new protocol, but also a new dimension of networking and thinking. Echo is

not p2p nor is it f2f, it adds a third category into the net world, which of course can bridge p2p to f2f

and create not-determined WoTs connections with the half echo. The super-echo is an option to

forward a message even in that case, that you could have read it. This will make analysis (in a simple

environment, so called "triangulation of the destination") senseless, in which two nodes as an anylizer

are connecting to one other node and a forth node is sending a message: With the GB- option "Super-

Echo" every analyzing node is getting the message in every case (readable messages are as well

processed to neighbors).

Next to the implemented private chat and implemented offline email, GoldBug Messenger integrates

as well an IRC chat for public channels and IRC rooms. The IRC protocol has been defined new with

the echo, as the chat is not based on the irc protocol, the poper name would be E*IRC = Echo*IRC.

GoldBug has currently implemented only one channel - how could it be, it is: goldbug (in small

letters). All people, connected to one IP, just need to enter the room name, e.g. "goldbug" and they

are connected within the room. The advantage is, that this channel is created based on an AES-key.

Every connection to this room is encrypted and cannot be read by any ISP - as long as the channel

name is not known. Example: Two friends at a party or at the online chat can agree to find a common

word as a channel name, they only both know. Ask your girlfriend: "What is the pet we both like

most?" - She thinks: "Dalmatian". And you connect now within this room. Qt-IRC clients (like Quassel

or KVIRC) are kindly requested to implement the echoed IRC. One client, which already declared to

add E*IRC functionality will be http://netsplit.sf.net - Qt-Developers are appreciated to join. Netsplit is

in oldstyle IRC a well known phenomen: if several IRC servers are disconnected, the room members

are splitted. Which means on the opposite: When different server IPs have the same room name

hosted, and both servers connect - all the members of the same room behind the milky way will join

the same named channel. With GolbBug E*IRC servers, which connect as well to E*IRC servers, the

netsplit is transcended: two rooms are bridged into one. For the 'goldbug' channel-room you get more

users, when you add several chat servers to your messenger.

With the MELODICA button or (right mouse click) context menu you call your friend and send

him a new Gemini (AES-256-Key). The Key is sent over your asymmetric encryption of the RSA key.

This is a secure way like the sneakernet to transfer end-to-end keys, as all other plaintext transferals

like email, spoken over phone or in other messengers have to be regarded as unsafe and recorded.

MELODICA stands for: Multi Encrypted LOng DIstance CAlling. You call your friend even over a long

distance of the echo protocol and exchange over secure asymmetric encryption a Gemini (AES-256

key) to establish an end-to-end encryted channel. As the Gemini is a shared secret, how will your

transfer it over the insecure internet? How to transfer a symmetric key safe and secure? Just use

MELODICA, which provides a key transport based on public key encryption. You can press the button

Echois downloadable here:

Qt-COMPILING:

1. Use source of http://spot-on.sf.net

:

https://sf.net/p/spot-on/code/HEAD/tree/

2. replace:

- path /UI with /UI files of GB,

- use .pro-files of GB

https://sf.net/p/goldbug/code/HEAD/tree/

3. GUI/spot-on-defines.h: set GB = 1 and Name

= GoldBug

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 7/17

What are de-magnetized e*IRC-Chat rooms?

Can I join the development or contribute ?

Has the code been revised?

How can John see, what is transferring?

at any time when your friend is online and quickly generate a new Gemini unique at both sides.

MELODICA has been introduced with GoldBug libspoton version V02 (which is not backwards

compatible with kernel and gui of V01 - please update).

A public e*IRC-Chat room can be linked on a website with a Magnet-Link. These rooms are encrypted

with an AES key, only those participants can join and decode the chat, who know the key. This

keeps your ISP out of public chat. The rooms are defined by the roomname, by a salted hash and a

frequency value. These values are summarized in the Magnet-Uri. These Magnet-Links in GoldBug

follow the Magnet-URI standard. That means, you can add a GoldBug IRC Room on your website with

the Magnet Link. Users can copy the Magnet, add it in GB and de-magnetize the Link and join the

room. Some similar function like "irc//:". The magnet has the following structure:

magnet:?dn=goldbug&xf=10000&xs=&ct=aes256

DN = roomname / xf = exact frequency / xs = exact salt / ct = ciphertype. Changing one value

creates a new (private) room you can share with one person or the public.

Of course you can: spread the word, add a notice to your blog, test the software, download the source

code, invite friends, add translations, evaluate the code, contribute code to the given echo projets or

create your own client based on the echo or implement it hybrid or as a plugin into given applications

referring to communication, which should be secured. Most important: create a listener, which is

reachable from the web on your webserver or at home, by proper forwarding your chosen port in your

router/nat. Or write a RFC. Since the libspot-on release echo is open for research and GB-Messenger

added a cool userinterface (ui) to it: Either research echo as is or its way of thinking as added value

for other applications and protocols. As well in the given echo-apps like GoldBug some features might

be of interest: Email currently has no attachement and you might ask about echo beeing a webproxy

between two nodes (á la psiphon) or you think of echo-torrents?! Learn to understand what echo is

and rethink given protocols based on the echo. GoldBug is just a simple design study of the user

interface for the spot-on library, which deploys the echo. Jabber, Torrent, Pop3/IMAP, IRC and are not

up to date anymore in case you consider the echo. Please update.

The code and implementation is under a very high level quality control by the professional development

and it is an open source contribution of several communities for the used and revised libs included. Be

part of this contribution. External evaluations have proven it clean: e.g. "FreewareFiles tested GoldBug

Instant Messenger 0.4 on 2013-09-03 using leading antivirus scanners and found it 100% Clean. It

does not contain any form of malware, spyware, viruses, trojans, etc. We will re-test each updated

version." Or: "This product was last tested in the Softpedia Labs on

19th of September 2013 by Andreea Matei. Softpedia guarantees that GoldBug Instant Messenger

0.5.1903 is 100% Free, which means it does not contain any form of malware. This software product

was tested thoroughly and was found absolutely clean. GoldBug Instant Messenger V 0.5 -

SOFTPEDIA "100% CLEAN" AWARD: We are impressed with the quality of your product and

encourage you to keep these high standards in the future. To let your users know about this

certification, you may display this award on your website!"

Either use Whireshark or you just set up a non-ssl Listener on 127.0.0.1 and connect your browser to

http://127.0.0.1:4710/ and you will see all transferred http code like this:

POST HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Length: 5098

content=WDV5a2Q2RTFvS0lhcE5LKzJrMXpjWmxMMTdycVFZbzE5eVhxdXBLdE5LdFNlNFZ6RFd

BSzVoYjNqQWFRcEJ4SHNqeEVEb3hKcHg4OG1aUG5BZnBHcEx0WGFDT3BOM2VDL0RMTXI1

c5VitoWm9EOUt1NkEwY082byt6QjkrZzdrYWVrVkdjUVR4RVNLWnhFSTQwdjAzUEN2YktNaGNZ

UJkMGhvQ2RPZ056cy9x@Soxcheckxoutxmyxmessagextoxyou@UVBQnBzZDZISE1LbzBIenV

NUJZdmkvQit2ODg0S1AxRWxVcq@Asxaxmatterxofxfact@kwRjNadE1Ib28zbVd3WXd5Y1VYNW

1MU4wQTBrU3RVQXZra1@Don'txletxnothingxholdxyouxback@2RVpVSVBqZEJHanNuZm8qwgEWc

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 8/17

Is there a graphic-scheme for the encryption model ?

I want to subscribe to the mailinglist-forum

AES

Authentication

Algorithm

ZyRUN0QTR5QVZReHNOQTNiMV@Ifxthexscatmanxcanxdoxit@Z2djFReGUxblhObGtYZi9kNUt0

UZEeXpUako0eGxub0U4OGNLbkpReXVjN@Soxcanxyou@0gweTRVbHE3RXJYbVVjK3pwRnZr

YTNscEhKNWlyQWRqcnlpellCOU9tdkJ5TFQwU3c3VWt4UGNLL3Z3N2tqU2FXSHpLZ2hQMDJ6W

sK010RtKMGZPzNL@https://www.youtube.com/watch?v=Geiq0FP13uQ@tMWMkRZQlq4gfDS

43QlcrOVFGcGVlOEtVblY2MFNtMks3ZjZuTCtmdUFvQy8yYzduY0tqbmo4Wjlrdm9nZGlXM3hwR

DJSaCsvVmU1bEpJU1dFRjFNRnlTZFk3TEFrTGJBdVZoZUpFY1Ntb1lrRHc1bFVFRWZNN21SUn

ckhTKzFnWnVGVVJZSVRKM3hod0R4RFdZbVZlU0pjQWVvN045enVaR0w5ckNMaXg2OFhuMj...

Subscribe https://lists.sourceforge.net/lists/listinfo/goldbug-forum for new updates.

66 Terms about the Tool

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. It is

based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent

Rijmen. AES has been adopted by the U.S. government and is now used worldwide. It superseded the

Data Encryption Standard (DES) in 2001. Bruteforcing 256-bit keys is simply beyond the capability of

classical computing, and potentially still impossible even after the advent of efficient quantum

computers. To get how long it takes, you divide half the number of total keys by the number of keys

you try per-year, which gives you about 10 2̂2 years, which is pretty much forever since the universe

is only about 10 1̂0 years old. In GoldBug the AES key is deployed by the MELODICA function or set

manually with the Gemini and Email Passphrase-Option.

http://embeddedsw.net/Cipher_Reference_Home.html#AES

Authentication (from Greek: αὐθεντικός; real or genuine, from αὐθέντης authentes; author) is the act of

confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a

person or software program. Various systems have been invented to allow authors to provide a means

for readers to reliably authenticate that a given message originated from or was relayed by them.

These involve authentication factors like:

- A difficult-to-reproduce physical artifact, such as a seal, signature, watermark, special stationery, or

fingerprint.

- A shared secret, such as a passphrase, in the content of the message.

- An electronic signature; public-key infrastructure is often used to cryptographically guarantee that a

message has been signed by the holder of a particular private key.

In mathematics and computer science, an algorithm is a step-by-step procedure for calculations.

In computer systems, an algorithm is basically an instance of logic to produce output from given input

(perhaps null).

Modern cryptography is heavily based on mathematical theory and computer science practice;

cryptographic algorithms are designed around computational hardness assumptions, making such

algorithms hard to break in practice by any adversary. It is theoretically possible to break such a

More Screenshots

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 9/17

Base-64

BitMail

Buzz

c/o

Call

Congestion Control

Decentral

Deniability

system but it is infeasible to do so by any known practical means. These schemes are therefore

termed computationally secure; theoretical advances, e.g., improvements in integer factorization

algorithms, and faster computing technology require these solutions to be continually adapted. There

exist information-theoretically secure schemes that provably cannot be broken even with unlimited

computing power—an example is the one-time pad.

Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII

string format by translating it into a radix-64 representation. The term Base64 originates from a

specific MIME content transfer encoding.

Base64 encoding schemes are commonly used when there is a need to encode binary data that

needs to be stored and transferred over media that are designed to deal with textual data. This is to

ensure that the data remains intact without modification during transport. Base64 is commonly used

in a number of applications including email via MIME, and storing complex data in XML.

BitMail is the name used in GoldBug for the Email client.

Buzz is the name of the libspoton to provide echoed IRC (e*IRC). So Buzz is another word for IRC,

respective e*IRC, used by the library.

"Care of", used to address a letter when the letter must pass through an intermediary (also written

c/o). Neighbors are often asked to care of your postal letters, in case you live with them in one house

or have a relationship to them. As well parcel stations, letter boxes or just persons e.g. at you home

or in the neighborhood provide a local delay of your envelopes and parcels, in case you are at work

and want to receive the parcel or letter in the evening. The included Email Function of GoldBug

provides such a feature.

A call is new defined by the library libspoton. A "Call" with the MELODICA feature of GoldBug means,

to transfer over a public/private key encrypted environment a symmetric key (e.g. AES) - a password

for the session talk, only the two participants know. With one click on the MELODICA button you can

instantly renew the end-to-end encryption password for your talk.

Congestion Control provides a cache, so that messages, you already are aware of, are not processed

to neighbors anymore. This helps especially for mobile devices and webservers running GoldBug to

reduce redundancy and process messages faster.

Decentralized computing is the allocation of resources, both hardware and software, to each individual

workstation, or office location. Decentral means, there is no central server nor a webinterface, you can

lof into a service. A client needs to be installed and adjusted locally on your device. Another term is:

Distributed computing. Distributed computing is a field of computer science that studies distributed

systems. A distributed system is a software system in which components located on networked

computers communicate and coordinate their actions by passing messages. Based on a “grid model”

a peer-to-peer system, or P2P system, is a collection of applications run on several local computers,

which connect remotely to each other to complete a function or a task. There is no main operating

system to which satellite systems are subordinate. This approach to software development (and

distribution) affords developers great savings, as they don’t have to create a central control point. An

example application is LAN messaging which allows users to communicate without a central server.

In computer networks, deniability often refers to a situation where a person can deny transmitting a

file, even when it is proven to come from his computer. Normally, this is done by setting the computer

to relay certain types of broadcasts automatically, in such a way that the original transmitter of a file

is indistinguishable from those who are merely relaying it. In this way, the person who first transmitted

the file can claim that his computer had merely relayed it from elsewhere, and this claim cannot be

dis-proven without a complete decrypted log of all network connections to and from that person's

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 10/17

DNS

e*IRC

Echo

Echo, Full

Echo, Half

Encryption, asymmetric

computer.

In cryptography, deniable encryption may be used to describe steganographic techniques, where the

very existence of an encrypted file or message is deniable in the sense that an adversary cannot prove

that an encrypted message exists. In this case the system is said to be Fully Undetectable, FUD.

Some systems take this further, such as MaruTukku, FreeOTFE and (to a much lesser extent)

TrueCrypt, which nest encrypted data. The owner of the encrypted data may reveal one or more keys

to decrypt certain information from it, and then deny that more keys exist, a statement which cannot

be disproven without knowledge of all encryption keys involved. The existence of "hidden" data within

the overtly encrypted data is then deniable in the sense that it cannot be proven to exist.

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services,

or any resource connected to the Internet or a private network. It associates various information with

domain names assigned to each of the participating entities. Most prominently, it translates easily

memorized domain names to the numerical IP addresses needed for the purpose of locating computer

services and devices worldwide.

Dyn (aka DynDNS) is an infrastructure as a service company (like many others) that provides Internet

DNS and email delivery services for commercial and private users.

It originally provided a free dynamic DNS service, which allowed users to have a subdomain that points

to a computer with regularly changing IP addresses, such as those served by many consumer-level

Internet service providers.

The IRC protocol has been defined new with the echo protocol, as the chat is not based on the irc

protocol, the poper name would be E*IRC = Echo*IRC. GoldBug has currently implemented only one

channel - how could it be, it is: goldbug (in small letters). All people, connected to one IP, just need to

enter the room name, e.g. "goldbug" and they are connected within this group chat room. The

advantage is, that this channel is created based on an AES-key. Every connection to this room is

encrypted and cannot be read by any ISP - as long as the channel name is not known.

The echo protocol means from an operational view: you send only encrypted messages, but you send

your to-be-send-message to all of your connected friends. They do the same. You maintain your own

network, everyone has every message and you try to decrypt every message. In case you can read

and unwrap it, it is a message for you. Otherwise you share the message with all your friends and the

message remains encrypted. Echo is very simple and the principle is over 30 years old - nothing new.

As echo uses HTTP as a protocol, there is no forwarding or routing of messages: no IPs are

forwarded, e.g. like it is if you send your message e.g. from your home laptop to your webserver. The

process starts at each destination new - as you define it. The echo protocol provided by libspoton has

nothing to do with RFC 862. The new echo protocol RFC has to be written new. With or without that

number.

With the modus "full echo" your message is forwarded from friend to friend and so on, until the

recipient could decrypt the envelope and read the message. It requires a few connections to neighbors

in a p2p network.

If you use the modus "half echo", then your message is not shared with other, third participants

(Model: A -> B -> C) . Only direct connections are used (Model A -> B). It requires only one direct

connection to one friend.

Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is

secret and one of which is public. Although different, the two parts of the key pair are mathematically

linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the ciphertext.

Neither key can perform both functions by itself. The public key may be published without

compromising security, while the private key must not be revealed to anyone not authorized to read

the messages.

Public-key cryptography uses asymmetric key algorithms. A public key algorithm does not require a

secure initial exchange of one (or more) secret keys between the sender and receiver. Public-key

cryptography is widely used. It is an approach used by many cryptographic algorithms and

cryptosystems. This method underpins such Internet standards as Transport Layer Security (TLS),

PGP, G(nu)PG and libspoton, which is used for GoldBug. Diffie–Hellman key exchange is the most

widely used public key distribution system.

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 11/17

Encryption, clientside

Encryption, Multi-

Encryption, strong

Encryption, symmetric

End-to-End

Client-side encryption is the cryptographic technique of encrypting data before it is transmitted to a

server in a computer network. Usually, encryption is performed with a key that is not known to the

server. Consequently, the service provider is unable to decrypt the hosted data. In order to access the

data, it must always be decrypted by the client. Client-side encryption allows for the creation of zero-

knowledge applications whose providers cannot access the data its users have stored, thus offering a

high level of privacy.

Multiple encryption is the process of encrypting an already encrypted message one or more times,

either using the same or a different algorithm. Multiple encryption (Cascade Ciphers) reduces the

consequences in the case that our favorite cipher is already broken and is continuously exposing our

data without our knowledge. When a cipher is broken (something we will not know), the use of other

ciphers may represent the only security in the system. Since we cannot scientifically prove that any

particular cipher is strong, the question is not whether subsequent ciphers are strong, but instead,

what would make us believe that any particular cipher is so strong as to need no added

protection. Folk Theorem: A cascade of ciphers is at least as diffcult to break as any of its component

ciphers. When a cipher is broken (something we will not know), the use of other ciphers may

represent the only security in the system. Since we cannot scientifically prove that any particular

cipher is strong, the question is not whether subsequent ciphers are strong, but instead, what would

make us believe that any particular cipher is so strong as to need no added protection.

Strong cryptography or cryptographically strong are general terms applied cryptographic systems or

components that are considered highly resistant to cryptanalysis. An encryption algorithm is intended

to be unbreakable (in which case it is as strong as it can ever be), but might be breakable (in which

case it is as weak as it can ever be) so there is not, in principle, a continuum of strength as the idiom

would seem to imply: Algorithm A is stronger than Algorithm B which is stronger than Algorithm C,

and so on. Examples: PGP is generally considered an example of strong cryptography, with versions

running under most popular operating systems and on various hardware platforms. The open source

standard for PGP operations is OpenPGP, and GnuPG is an implementation of that standard from the

FSF.

The AES algorithm is considered strong after being selected in a lengthy selection process that was

open and involved numerous tests. The SSL protocol, used to secure Internet transactions, is

generally considered strong. Standards of today.

There are two basic types of encryption schemes: Symmetric-key and public-key (asymmetric)

encryption. Symmetric-key encryption is often as well called end-to-end-encryption. In symmetric-key

schemes, the encryption and decryption keys are the same. Thus communicating parties must agree

on a secret key before they wish to communicate. Symmetric-key encryption can use either stream

ciphers or block ciphers. Stream ciphers encrypt the digits (typically bytes) of a message one at a

time. Block ciphers take a number of bits and encrypt them as a single unit, padding the plaintext so

that it is a multiple of the block size. Blocks of 64 bits have been commonly used. The Advanced

Encryption Standard (AES) algorithm approved in December 2001 uses 128-bit blocks. A symmetric

structure used in the construction of block ciphers is in cryptography a Feistel cipher, named after the

German-born physicist and cryptographer Horst Feistel who did pioneering research; it is also

commonly known as a Feistel network.

The end-to-end principle is a classic design principle of computer networking,[nb 1] first explicitly

articulated in a 1981 conference paper by Saltzer, Reed, and Clark.

The end-to-end principle states that application-specific functions ought to reside in the end hosts of a

network rather than in intermediary nodes – provided they can be implemented "completely and

correctly" in the end hosts. In debates about network neutrality, a common interpretation of the end-

to-end principle is that it implies a neutral or "dumb" network. End-to-end encryption (E2EE) is an

uninterrupted protection of the confidentiality and integrity of transmitted data by encoding it at its

starting point and decoding it at its destination. It involves encrypting clear (red) data at source with

knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through

vulnerable channels (e.g. public networks) to its recipient where it can be decrypted (assuming the

destination shares the necessary key-variables and algorithms). An end-to-end encryption is often

reached by providing an encryption with the AES Passphrase.

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 12/17

Forward Secrecy

Friend

Gemini

Get

GoldBug

GUI

Hash

Https

In public key cryptography, perfect forward secrecy (PFS) is a property of the key-agreement protocol

that ensures that a session key derived from a set of long-term public and private keys will not be

compromised if one of the (long-term) private keys is compromised in the future. The key used to

protect transmission of data must not be used to derive any additional keys, and if the key used to

protect transmission of data was derived from some other keying material, that material must not be

used to derive any more keys. Thus, compromise of a single key will permit access to only data

protected by a single key. Forward secrecy has been used as a synonym for perfect forward secrecy,

[1] since the term perfect has been controversial in this context. FS has also been used to describe

the analogous property of password-authenticated key agreement protocols where the long-term

secret is a (shared) password.

A friend-to-friend (or F2F) computer network is a type of peer-to-peer network in which users only

make direct connections with people they know. Passwords or digital signatures can be used for

authentication.

Unlike other kinds of private P2P, users in a friend-to-friend network cannot find out who else is

participating beyond their own circle of friends.

The Gemini is a feature in GoldBug Secure Instant Messenger to add another security layer to the

chatroom with an AES Key for end-to-end encryption.

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative,

hypermedia information systems. HTTP is the foundation of data communication for the World Wide

Web. The first version of the protocol had only one method, namely GET, which would request a page

from a server. The response from the server was always an HTML page. GET requests a

representation of the specified resource. Requests using GET should only retrieve data and should

have no other effect.

The GoldBug-feature is used in the integrated email client to add here as well an end-to-end AES-

Encryption layer - the GoldBug, or: just a password, both users use to encrypt their emails once

more. So with the GoldBug, you need a kind of password (e.g. AES-string) to open the email of a

friend or to be able to chat with him.

In computing, graphical user interface (GUI, sometimes pronounced 'gooey') is a type of user interface

that allows users to interact with electronic devices through graphical icons and visual indicators such

as secondary notation, as opposed to text-based interfaces, typed command labels or text navigation.

Qt (/kjuːt/ "cute", or unofficially as Q-T cue-tee) is a cross-platform application framework that is

widely used for developing application software with a graphical user interface (GUI) (in which cases

Qt is classified as a widget toolkit). Qt uses standard C++.

A hash function is any algorithm that maps data of variable length to data of a fixed length. The values

returned by a hash function are called hash values, hash codes, hash sums, checksums or simply

hashes. A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary

block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any

(accidental or intentional) change to the data will (with very high probability) change the hash value.

The data to be encoded are often called the "message," and the hash value is sometimes called the

message digest or simply digest. Cryptographic hash functions have many information security

applications, notably in digital signatures, message authentication codes (MACs), and other forms of

authentication. They can also be used as ordinary hash functions, to index data in hash tables, for

fingerprinting, to detect duplicate data or uniquely identify files.

Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication

over a computer network, with especially wide deployment on the Internet. Technically, it is not a

protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 13/17

Iteration Count

Kernel

Key, Public

Key, Pivate

Key-Exchange

Key-Size

(HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard

HTTP communications.

In mathematics, an iterated function is a function which is composed with itself, possibly ad infinitum,

in a process called iteration. In this process, starting from some initial number, the result of applying a

given function is fed again in the function as input, and this process is repeated.

In computing, the kernel is a computer program that manages input/output requests from software and

translates them into data processing instructions for the central processing unit and other electronic

components of a computer like the graphical user interface (GUI). Kernels are a fundamental part of a

modern computer systems.

Public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm

which requires two separate keys one of which is secret (or private) and one of which is public.

Although different, the two parts of this key pair are mathematically linked. The public key is used to

encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext

or to create a digital signature. The term "asymmetric" stems from the use of different keys to perform

these opposite functions, each the inverse of the other – as contrasted with conventional

("symmetric") cryptography which relies on the same key to perform both. Public-key algorithms are

based on mathematical problems which currently admit no efficient solution that are inherent in certain

integer factorization, discrete logarithm, and elliptic curve relationships. It is computationally easy for

a user to generate their public and private key-pair and to use them for encryption and decryption. The

strength lies in the fact that it is "impossible" (computationally infeasible) for a properly generated

private key to be determined from its corresponding public key. Thus the public key may be published

without compromising security, whereas the private key must not be revealed to anyone not

authorized to read messages or perform digital signatures. Public key algorithms, unlike symmetric

key algorithms, do not require a secure initial exchange of one (or more) secret keys between the

parties.

In cryptography, a key is a piece of information (a parameter) that determines the functional output of

a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In

encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa

during decryption. Keys are also used in other cryptographic algorithms, such as digital signature

schemes and message authentication codes. Encryption algorithms which use the same key for both

encryption and decryption are known as symmetric key algorithms. A newer class of "public key"

cryptographic algorithms was invented in the 1970s which uses a pair of keys, one to encrypt and one

to decrypt. These asymmetric key algorithms allow one key to be made public while retaining the

private key in only one location. They are designed so that finding out the private key is extremely

difficult, even if the corresponding public key is known. A user of public key technology can publish

their public key, while keeping their private key secret, allowing anyone to send them an encrypted

message.

Key exchange (also known as "key establishment") is any method in cryptography by which

cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm. If sender

and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to

be sent and decrypt messages received. The nature of the equipping they require depends on the

encryption technique they might use. If they use a code, both will require a copy of the same

codebook. If they use a cipher, they will need appropriate keys. If the cipher is a symmetric key

cipher, both will need a copy of the same key. If an asymmetric key cipher with the public/private key

property, both will need the other's public key. The key exchange problem is how to exchange

whatever keys or other information are needed so that no one else can obtain a copy. Historically, this

required trusted couriers, diplomatic bags, or some other secure channel. With the advent of public

key / private key cipher algorithms, the encrypting key (aka public key) could be made public, since

(at least for high quality algorithms) no one without the decrypting key (aka, the private key) could

decrypt the message. Diffie–Hellman key exchange: In 1976, Whitfield Diffie and Martin Hellman

published a cryptographic protocol, (Diffie–Hellman key exchange), which allows users to establish

'secure channels' on which to exchange keys, even if an Opponent is monitoring that communication

channel. However, D–H key exchange did not address the problem of being sure of the actual identity

of the person (or 'entity').

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 14/17

libgcrypt

libSpot-On

Listener

MAC: Message authentication code

MELODICA

Status, online

Neighbor

OpenSource

In cryptography, key size or key length is the size measured in bits[1] of the key used in a

cryptographic algorithm (such as a cipher). An algorithm's key length is distinct from its cryptographic

security, which is a logarithmic measure of the fastest known computational attack on the algorithm,

also measured in bits. The security of an algorithm cannot exceed its key length (since any algorithm

can be cracked by brute force), but it can be smaller. An RSA key length of 3072 bits should be used

if security is required . NIST key management further suggest that 15360-bit RSA keys are equivalent

in strength to 256-bit symmetric keys.

libgcrypt is a cryptographic library developed as a separated module of GnuPG. It can also be used

independently. It provides functions for all cryptographic building blocks: symmetric ciphers (IDEA,

AES, DES, 3DES, Blowfish, CAST5, Twofish, Arcfour, Serpent, Camellia, SEED a.k.a. RFC4269,

RFC2268), hash algorithms (MD4, MD5, RIPEMD-160, SHA-1, SHA-224, SHA-256, SHA-384, SHA-

512, HAVAL, Tiger-192 as used by GnuPG <= 1.3.2, Tiger, and TIGER2), MACs (HMAC for all hash

algorithms), and public key algorithms (RSA, ElGamal, DSA, Elliptic Curve DSA).

Spot-On is an anonymous and encrypted distributed, confidential messaging library in the forms of e-

mail and near-instant communications.

In computer networking, a port is an application-specific or process-specific software construct serving

as a communications endpoint in a computer's host operating system. A port is associated with an IP

address of the host, as well as the type of protocol used for communication. The purpose of ports is to

uniquely identify different applications. Applications implementing common services often use

specifically reserved, well-known port numbers for receiving service requests from client hosts. This

process is known as listening and involves the receipt of a request on the well-known port and

establishing a one-to-one server-client connection, using the same local port number; other clients

may continue to connect to the listening port. This works because a TCP connection is identified by

the tuple {local address, local port, remote address, remote port}.

In cryptography, a message authentication code (often MAC) is a short piece of information used to

authenticate a message and to provide integrity and authenticity assurances on the message.

Integrity assurances detect accidental and intentional message changes, while authenticity

assurances affirm the message's origin. A MAC algorithm, sometimes called a keyed (cryptographic)

hash function (however, cryptographic hash function is only one of the possible ways to generate

MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and

outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity

as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any

changes to the message content.

With the MELODICA feature in GoldBug Secure Messenger you call your friend and send him a new

Gemini (AES-256-Key). The Key is sent over your asymmetric encryption of the RSA key. This is a

secure way, as all other plaintext transferals like email, spoken over phone or in other messengers

have to be regarded as unsafe and recorded. MELODICA stands for: Multi Encrypted LOng DIstance

CAlling. You call your friend even over a long distance of the echo protocol and exchange over secure

asymmetric encryption a Gemini (AES-256 key) to establish an end-to-end encryted channel.

Description will follow.

Description will follow.

In production and development, open source as a development model promotes a universal access via

free license to a product's design or blueprint, and b) universal redistribution of that design or blueprint,

including subsequent improvements to it by anyone. Generally, open source refers to a computer

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 15/17

OpenSSL

Padding

Participant/User

Passphrase

PGP-Method

Port

program in which the source code is available to the general public for use and/or modification from its

original design.

OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in

the C programming language, implements the basic cryptographic functions and provides various

utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages

are available. OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson.

In cryptography, padding refers to a number of distinct practices. Official messages often start and

end in predictable ways: My dear ambassador, Weather report, Sincerely yours, etc. The primary use

of padding with classical ciphers is to prevent the cryptanalyst from using that predictability to find

cribs[1] that aid in breaking the encryption. Random length padding also prevents an attacker from

knowing the exact length of the plaintext message. Many classical ciphers arrange the plaintext into

particular patterns (e.g., squares, rectangles, etc.) and if the plaintext doesn't exactly fit, it is often

necessary to supply additional letters to fill out the pattern. Using nonsense letters for this purpose

has a side benefit of making some kinds of cryptanalysis more difficult. Most modern cryptographic

hash functions process messages in fixed-length blocks; all but the earliest hash functions include

some sort of padding scheme. It is critical for cryptographic hash functions to employ termination

schemes that prevent a hash from being vulnerable to length extension attacks. Many padding

schemes are based on appending predictable data to the final block. For example, the pad could be

derived from the total length of the message. This kind of padding scheme is commonly applied to

hash algorithms that use the Merkle-Damgård construction. In public key cryptography, padding is the

process of preparing a message for encryption or signing using a specification or scheme such as

PKCS#1 v1.5, OAEP, PSS, PSSR, IEEE P1363 EMSA2 and EMSA5. A modern form of padding for

asymmetric primitives is OAEP applied to the RSA algorithm, when it is used to encrypt a limited

number of bytes.

Description will follow.

A passphrase is a sequence of words or other text used to control access to a computer system,

program or data. A passphrase is similar to a password in usage, but is generally longer for added

security. Passphrases are often used to control both access to, and operation of, cryptographic

programs and systems. Passphrases are particularly applicable to systems that use the passphrase

as an encryption key. The origin of the term is by analogy with password. The passphrase in GoldBug

must be at least 16 characters long, this is used to create a cryptographic hash, which is longer and

stronger.

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides

cryptographic privacy and authentication for data communication. PGP is often used for signing,

encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the

security of e-mail communications. PGP encryption uses a serial combination of hashing, data

compression, symmetric-key cryptography and finally public-key cryptography; each step uses one of

several supported algorithms.

The Free Software Foundation has developed its own OpenPGP-compliant program called GNU

Privacy Guard (abbreviated GnuPG or GPG). GnuPG is freely available together with all source code

under the GNU General Public License (GPL).

In computer networking, a port is an application-specific or process-specific software construct serving

as a communications endpoint in a computer's host operating system. A port is associated with an IP

address of the host, as well as the type of protocol used for communication. The purpose of ports is to

uniquely identify different applications

Applications implementing common services often use specifically reserved, well-known port numbers

for receiving service requests from client hosts. This process is known as listening and involves the

receipt of a request on the well-known port and establishing a one-to-one server-client connection,

using the same local port number; other clients may continue to connect to the listening port. This

works because a TCP connection is identified by the tuple {local address, local port, remote address,

remote port}.

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 16/17

Post

Proxy

Qt

Repleo

RSA

Scrambler

Salt

Signature

The Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the World Wide

Web. The first version of the protocol had only one method, namely GET, which would request a page

from a server. POST requests are defined like this: Requests that the server accept the entity

enclosed in the request as a new subordinate of the web resource identified by the URI. The data

POSTed might be, as examples, an annotation for existing resources; a message for a bulletin board,

newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form

to a data-handling process; or an item to add to a database.

In computer networks, a proxy server is a server (a computer system or an application) that acts as

an intermediary for requests from clients seeking resources from other servers. A client connects to

the proxy server, requesting some service, such as a file, connection, web page, or other resource

available from a different server and the proxy server evaluates the request as a way to simplify and

control its complexity. Today, most proxies are web proxies, facilitating access to content on the

World Wide Web.

Qt (/ˈkjuːt/ "cute", or unofficially as Q-T cue-tee[6][7]) is a cross-platform application framework that is

widely used for developing application software with a graphical user interface (GUI) (in which cases

Qt is classified as a widget toolkit), and also used for developing non-GUI programs such as

command-line tools and consoles for servers. Qt uses standard C++ but makes extensive use of a

special code generator (called the Meta Object Compiler, or moc) together with several macros to

enrich the language. Qt can also be used in several other programming languages via language

bindings. It runs on the major desktop platforms and some of the mobile platforms. It has extensive

internationalization support. Non-GUI features include SQL database access, XML parsing, thread

management, network support, and a unified cross-platform application programming interface (API)

for file handling.

Description will follow.

RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring

large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman,

who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had

developed an equivalent system in 1973, but it wasn't declassified until 1997.[1] A user of RSA

creates and then publishes the product of two large prime numbers, along with an auxiliary value, as

their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a

message, but with currently published methods, if the public key is large enough, only someone with

knowledge of the prime factors can feasibly decode the message.[2] The RSA algorithm involves three

steps: key generation, encryption and decryption. RSA involves a public key and a private key. The

public key can be known by everyone and is used for encrypting messages. Messages encrypted with

the public key can only be decrypted in a reasonable amount of time using the private key.

Description will follow.

In cryptography, a salt is random data that are used as an additional input to a one-way function that

hashes a password or passphrase.[1] The primary function of salts is to defend against dictionary

attacks and pre-computed rainbow table attacks. A new salt is randomly generated for each

password. In a typical setting, the salt and the password are concatenated and processed with a

cryptographic hash function, and the resulting output (but not the original password) is stored with the

salt in a database. Hashing allows for later authentication while defending against compromise of the

plaintext password in the event that the database is somehow compromised. Cryptographic salts are

broadly used in many modern computer systems.

The use of these (public key) algorithms also allows the authenticity of a message to be checked by

creating a digital signature of the message using the private key, which can then be verified by using

11.8.2014 GoldBug: Secure Instant Messenger

http://goldbug.sourceforge.net/ 17/17

Source

SSL

Super Echo

Tor

Web-Of-Trust

the public key. In practice, only a hash of the message is typically encrypted for signature verification

purposes. The Digital Signature Algorithm is the most widely used digital signature system.

Description will follow.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic

protocols that provide communication security over the Internet. They use asymmetric cryptography

for authentication of key exchange, symmetric encryption for confidentiality and message

authentication codes for message integrity. Several versions of the protocols are in widespread use in

applications such as web browsing, electronic mail, Internet faxing and instant messaging.

Description will follow.

Description will follow.

In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible

systems to establish the authenticity of the binding between a public key and its owner. Its

decentralized trust model is an alternative to the centralized trust model of a public key infrastructure

(PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer

networks, there are many independent webs of trust, and any user (through their identity certificate)

can be a part of, and a link between, multiple webs. The web of trust concept was first put forth by

PGP creator Phil Zimmermann in 1992 in the manual for PGP version 2.0: As time goes on, you will

accumulate keys from other people that you may want to designate as trusted introducers. Everyone

else will each choose their own trusted introducers. And everyone will gradually accumulate and

distribute with their key a collection of certifying signatures from other people, with the expectation

that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence

of a decentralized fault-tolerant web of confidence for all public keys. In simpler terms, you have 2

keys: a public key that you let the people you trust know; and a private key that only you know. Your

private key will decrypt any information encrypted with your public key. In the web of trust you have a

key ring with a group of people's public keys. You encrypt your information with the recipients public

key, and only their private key will decrypt it. You then digitally sign the information with your private

key, so when they verify it with your public key, they can confirm that it is you. Doing this will ensure

that the information came from you and has not been tampered with, and only the person you are

sending it to can read the information (because only they know their private key).

GoldBug source code is open source

and uses LibSpot-On. This w ebsite

w ith content and layout is licensed

under a Creative Commons

Attribution 3.0 License, unless

otherw ise noted.

About GoldBug

Goldbug Project

Dow nload

Contact Us

User Manual

Download &

Get Involved

Donate

Source

GB-Links

Manuals

Installation Guides

Wiki