Towards a More Transparent Security Model
We’ve taken a few steps in order to improve the Cryptocat project’s transparency concerning its decisions on security:
Improvements regarding security transparency:
- We have released version 1.2c of the Cryptocat protocol, which replaces our custom safe Diffie-Hellman prime with a prime taken from RFC 3526. Seeing as the primes in the RFC are all derived from π, we hope this will mitigate any theoretical concerns regarding possible hidden properties in our choice of prime constants. Google Chrome App users should update their copies of Cryptocat immediately in order to reflect these changes.
- We have updated the HTTPS headers for crypto.cat to include HTTP Strict Transport Security data. We have also submitted crypto.cat for inclusion in Google Chrome’s embedded HSTS list. Strict Transport Security adds an extra layer of forced HTTPS to connections directed to crypto.cat, in addition to the server being configured to refuse all HTTP connections and redirect them to HTTPS instead.
- We have updated both the Cryptocat README and configuration file to include stricter warning against deploying Cryptocat without HTTPS, with mentions on using Cryptocat as a Tor Hidden Service.
Towards an open threat model:
Upcoming revisions of the Cryptocat specification will include a detailed threat model that we hope will clarify what Cryptocat is designed to protect against and what it cannot. While we find that the current specification’s Introduction section does briefly cover this issue, we have determined that a more thorough threat model is required and will be included in an upcoming revision of the specification.
Donate via Bitcoin!
We now accept donations via Bitcoin, the awesome decentralized crypto-currency. Throw some coins at us and help us make Cryptocat better! Our Bitcoin wallet address is:
Our Bitcoin wallet is also listed on the donate page.
Message Authentication Bug Fixed
We’ve fixed a bug which would cause many users to receive false message authentication failure errors (“Error: message authentication failure”) due to a bug in how message order authentication was being handled. We’ve updated both the code and the specification document in order to reflect this change. The specification is now at version 1.2b as a result.
This bug did not present a security weakness, but simply failed to authenticate some legitimate messages that should have passed authentication. We’re sorry for the inconvenience this bug has caused some users and hope that we’ve had it fixed in this update. Cryptocat Chrome app users should update immediately to benefit from the bug fix.
Protocol Version 1.2a Released
We’ve updated the Cryptocat protocol to version 1.2a. Both the web and Chrome app versions have had their codebases updated to reflect the changes, so Chrome app users will need to update their Cryptocat app in order to be able to use the latest version of the protocol along with those accessing Cryptocat via the web version.
Version 1.2a of the Cryptocat protocol introduces the following enhancements:
- Shared secrets are now hashed with SHA512 instead of SHA256. The resulting 512 bit hexadecimal value is split into a 256 bit value for AES-256 operations and a 256 bit value for HMAC-SHA256 operations. This means that the complexity of both keys for encryption and authentication has been increased from 16^32 to 256^32.
- Fingerprints are now derived using SHA512 instead of SHA256.
You may download the design specification for protocol 1.2a here.
Edit: We’ve fixed some typos, clarified some sentences and tweaked the hash characters used for fingerprinting.
Protocol Version 1.2 Released
We’ve updated the Cryptocat protocol to version 1.2. Both the web and Chrome app versions have had their codebases updated to reflect the changes, so Chrome app users will need to update their Cryptocat app in order to be able to use the latest version of the protocol along with those accessing Cryptocat via the web version.
Version 1.2 of the Cryptocat protocol introduces the following enhancements:
- We’ve added a Definitions section and further clarified some details of the protocol.
- We’ve added a requirement for clients to verify the size of all received public keys (2^4080 < pubkey < p) in order to mitigate against adversarially small public keys.
You may download the design specification for protocol 1.2 here.
Edit: We’ve corrected the minimum value of public keys (from 2^4092 to 2^4080.)
New Feature: Random Chat Names
We’ve added a new feature that generates a random chat name for you, for those times where you can’t seem to decide on an appropriate chat name and just want to hop into a conversation.
Check out the cool new “?” button:
Clicking it generates a random chat name for you.
Once inside the chat, it’s just a matter of sending the link to friends:
We hope this makes it easier for your to agree on a chat name!
Protocol Version 1.1 Released
We’ve updated the Cryptocat protocol to version 1.1. Both the web and Chrome app versions have had their codebases updated to reflect the changes, so we strongly recommend that Chrome app users update their copies of Cryptocat immediately in order to be able to use the latest version of the protocol along with those accessing Cryptocat via the web version.
Version 1.1 of the Cryptocat protocol introduces the following enhancements:
- Message ciphertext and HMACs no longer use the same key, but use two separate keys derived from the Diffie-Hellman shared secret.
- Cryptocat now detects if messages have been dropped, delayed, or sent to the recipient in a different order than the sender intended.
- The protocol design specification sheet is now more detailed concerning the handling of nicknames, and includes other clarifications and typo fixes.
- Addendum: We’ve added an addendum to version 1.1 (on February 26, 2012) that improves the way fingerprints are generated.
You may download the design specification for protocol 1.1 here.
Protocol Design Specification Published
The first revision of the Cryptocat Protocol Design Specification has been published and is available for download and review. We invite everyone to submit your comments on the specification. The specification describes the Cryptocat chat protocol in full detail, and is intended to allow third parties to study and implement the protocol.
Special thanks to Jacob Appelbaum, Meredith L. Patterson and Marsh Ray for their helpful comments and insight.