~eau/wic

Weechat Irc Crypto
ok let's fix those bugs, need to implement SAS.. but i'll still that from olvid implementation when it's done.
implemented the beginning of load/save for the keys.
updated some docs.

clone

read-only
https://git.sr.ht/~eau/wic
read/write
git@git.sr.ht:~eau/wic

You can also use your local clone with git send-email.

License builds.sr.ht status

#WIC

Weechat Irc Crypto, a simple yet reasonnably safe & secure weechat IRC encryption system.

#Description

It combines a weechat python script (wic.py) driving an external cryptographic "helper" written in go (wic).

In the time of gazillions messengers, I still heavy rely & spend a large amount of time on IRC.
Unfortunately with IRC beside the transport encryption offloaded to the IRC network (TLS), there was/is no integrated mechanism to protect conversations from curious eyes.

IRC is an old protocol and even with v3 around the corner, with limitations and no end to end encryption.

This weechat script try to answer/solves that.

#Design

The design aims at simplicity and usability which derives security.

The irc client (weechat) runs a script (wic.py) that communicates (over stdio) with wic to ask for crypto operations.

Severals type of keys are coexisting for different purposes:

  • identity keys : long term/usage keys for signing key exchanges & public key broadcast.
  • ephemeral keys: ephemeral & used for asymetric key exchange of symmetric keys.
  • symmetric keys: 256 bits AEAD keys used for encrypting channels/queries.

Identity keys are generated locally using the wic crypto helper.

More details on WIC internal are slowly being documented on the wiki

#Requirements

  • golang 1.14+
  • python 3.7+
  • weechat 2.8+
  • weechat python plugin.

#Dev

  • protobuf (syntax2)

#Installation

!REMEMBER! make sure $GOPATH/bin or $HOME/go/bin or $GOBIN is your PATH.

#From Source:

  1. install the wic cryptographic helper (*):

    $ go get git.sr.ht/~eau/wic/cmd/wic
    $ # or depending on your go version.
    $ GO111MODULE=on go get git.sr.ht/~eau/wic/cmd/wic@latest
    
  2. generate your long term keys:

    $ wic -keygen nick
    Identity key Password:
    Retype Identity key Password:
    
  3. start weechat and setup basic auth variables

    /set plugins.var.python.wic.identity mynickname
    /set plugins.var.python.wic.identity_passphrase mySup3rDup3rPassPhrase
    
  4. install the wic.py script for your weechat

    $ cp wic.py ~/.weechat/python`
    $ ln -s ~/.weechat/python/wic.py ~/.weechat/python/autoload/
    
  5. start, configure weechat && connect

#WIC Directory/Files

  • $HOME/.wic/
  • $HOME/.wic/id_ed25519
  • $HOME/.wic/id_ed25519.pub
  • $HOME/.wic/authorized_nicks

#WIC Authorized Nicks

Borrowing the OpenSSH concept, authorized_nicks define the public keys of friends & users you decided to trust.
By default WIC will accept what we call "anonymous" key exchanges.

The authorized_nicks has the following format (one per line):

Example:

	#<nick> <public key>
	eau     27wH6NCKlNI6/zBpON+MJL8f+c2qCsmshTf2rihlDjI=
	oz      UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=

#Weechat Script Config

they may be renamed later... on

  • plugins.var.python.wic.binary

    (string) path to the wic binary (if not in PATH)

  • plugins.var.python.wic.identity

    (string) your identity, your nickname, your name, whatever. (might get removed..)

  • plugins.var.python.wic.identity_passphrase

    (string) your identity key passphrase (see weechat secure to use the weechat provided encrypted storage)

  • plugins.var.python.wic.signed_kex

    (yes/no) ed25519 signed & verified public keys & kex transaction only

  • plugins.var.python.wic.debug

    (yes/no) enable wic binary debug

#Script Key Bindings

These are the default KeyBindings for WIC on weechat

  • Alt + k

    broadcast a new public key on the current buffer.

  • Alt + t

    accept ONLY TRUSTED key broadcast/exchanges.

  • Alt + T

    accept ALL key broadcast/exchanges

#Script Commands

these are the commands once the script is loaded and runs, not all are implemented... work in progress

  • /wic

    toggle wic encryption on the current buffer (on/off) [DONE]

  • /wic status

    show current wic state + identity information. [IN PROGRESS]

  • /wic restart

    restart wic (crashed?)

  • /wic rehash

    re-read authorized_nicks [DONE]

  • /wic save

    save currently created symmetric keys. [IN PROGRESS]

  • /wic load

    load saved symetric keys. [IN PROGRESS]

  • /wic id

    show identity key information (id / public key).

  • /wic newkey

    generate a new symmetric key for the current channel/query buffer. [DONE]

  • /kex

    broadcast a fresh & identity signed ephemeral public key on the current buffer. [DONE]

  • /kex <nickname>

    broadcast a fresh & identity signed ephemeral public key then (create if none &) send the current buffer channel key to nickname (nickname must have /kex before). [DONE]

    if no shared key is present, it will AUTOMATICALLY generate a random symmetric key (like if you had typed /wic newkey) to exchange with nickname.

the other members of an IRC channel, see the public ephemeral broadcast only, the key exchange is sent directly to the peer receiving it. the server can SEE who is sending which key to whom, but cannot interfere as long as plugins.var.python.wic.signed_kex is yes.

#CLIENT SUPPORT

Mainly this was designed with weechat abilities in mind, I have not studied what or how to do similar things with other client, considering wic i/o is a trivial text based protocol, adapting to other clients should be fairly reachable & easy, I just don't have the time and need/energy.

patches are welcome

Could be interesting to use with?

  • irssi
  • swirc
  • hexchat
  • any other..?

#TODO

  • Key Commitment.
  • SAS based secure identity exchange (for online identity key exchange) or TOFU need study..
  • Rekey warning and bar items display.
  • [WIP] Weechat shortcuts for kex and rehash
  • [WIP] ProVerif cryptographic verifier for WIC crypto protocol.
  • Documentation.
  • Load & Save keys (requires a secure blob facility, work in progress with HPKE)
  • In-memory key material wipe/masking.
  • Various cleanups.
  • Verify chmod of identity keys & authorized_nicks.
  • [WIP] Proper IRCv3 support & server detection.
  • [WIP] DCC OAE streaming (using Rogaway STREAM construction).
  • Writing proper documentation.

#Contact

Send patches and questions to ~eau/wic@lists.sr.ht.

Subscribe to announcements, conversations on ~eau/wic, submit bugs/requests here.