BitChat

BitChat is inspired by the problem of man-in-the-middle attacks that compromise secure communication. Incase you are not familiar with man in the middle attacks they essentially allow someone such as your ISP to take your data and morph it into something else. Even though you may think you're secure, you can never actually know.

With the recent allegations of the NSA creating spyware to monitor to your computer it is equally as important to have good security and encryption. Our attempt was to portray proof-of-concepts for both.

The way we attempted to tackle the man-in-the-middle problem was via Bitcoin. Bitcoin users have already shown that keeping track and sending their bitcoin address was easily manageable and secure, so why not expand off of that? Bitcoin (for those unfamiliar) is built off of 2 keys a public and private. Typically in bitcoin you make a signature with your private and people can verify it with the public key you give out. Well that wasn't very helpful to us. So we decided to reverse engineer ECDSA, Elliptic Curve Digital Signature Algorithm, which is the public/private key bitcoin uses. Well its predecessor DSA is based off of an encryption called Elgamal. Great! We're in business. So all we need to do is modify elgamal a bit and apply it to the Elliptic Curve and bam you have the encryption of BitChat!

With the encryption covered we sought out ways to improve the basic security of a chat program. A few things we did to help improve overall security were: consistently emulate keys to the keyboard, but only recognizing the legitimate ones while confusing keyloggers and other nasty tools out to get your data. Alongside that we hooked the print screen algorythm and disallow printscreen while our chat program while our program is active. Certain Remote Access Tools consistently remain in the foreground in order to capture data, to prevent this anytime the chat window is not in the foreground all data is hidden.

We hoped to be able to write our own dynamical character(alphabet) to screen(text) algorithm that would avoid nasty tools that look into your RAM and search for ASCII or Unicode values -- but did not have the time to implement this - would be a great idea for the future!

If you want more specific details as to how the encryption of Bitcoin works I'll briefly describe the process. Private key is inputted and from there we are able to get the public key before hashing and compressing. You are then identified by your bitcoin address(public hashed key) that you are familiar with. In the handshake of confirmation you send the publickey in hex signed via ECDSA to confirm that the publickey in hex actually belongs to the bitcoin address you are wanting to speak to (there are mathematical ways to achieve this, but once again time limited us). Once the keys are exchange a Diffie Hellman Key-Exchange begins encrypted via the modified EC-Elgamal encryption. Once a symmetric key has been derived by both parties they continue their encryption on AES, for significant performance increases and allowing for perfect forward security. Even if your bitcoin address and private key are leaked or stole(yikes! hope there weren't many bitcoins there) there is no way for anyone to decrypt your conversations even if stored, ever!

During this process we utilized C# (main GUI), python (scripting language for the modified elgamal encryption) and java for a back-end server.

We would've like to used a web of trust rather than a root of trust, but this is a unique situation where the trust comes from the username is actually how you verify that they are who they appear to be!

I could go on for the massive amounts of scalability this project has, one of the most prominent would be creating a mailserver with the bitcoin address being your email @ a domain name. For example 1E4SKFTSmDSE8H9qx3WShBXy2NZps7fy7j@bitmail.com (I also accept btc =P) where bitmail would be your hosting provider and though the email is sent to them it would be encrypted by the address before it even leaves the senders email! Only you can read your email, no more snooping companies trying to buy and sell your personal data!

TL:DR - We did the encryption that avoids a problem you probably never heard of, but its like water, you're not complaining until you need it.

p.s. - sorry for potato quality phone image. our application doesn't allow you to take printscreens and apparently we programmed it too good for ourselves to figure out how to disable in 10 minutes.