Yo, don't you die on me! Lately I started testing Tox, it's actually usable, voice and video, and file transfers work, it looks neat. Question is (to quote Tolkien, whom I'm sure we all love and cherish): "Is it secret? Is it safe?" So we have this: Dnia sobota, 5 lipca 2014 22:36:50 stef pisze:
afaics there's a traffic analysis weakness in all messages, it discloses both public keys of the peers in public: https://github.com/irungentoo/toxcore/blob/master/docs/updates/Crypto.md#cry pto-request-packets
We also have a brave soul (not me) that attemted writing proper protocol documentation for Tox, and started diving into the code. The docs seem lacking, the only things we've been able to find are: https://github.com/irungentoo/toxcore/tree/master/docs https://jenkins.libtoxcore.so/job/Technical_Report/lastSuccessfulBuild/artif... Not *that* helpful, but look at the Crypto section in the PDF: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tox uses crypto_box() from the NaCl crypto library for all the cryptography in Tox. Unless otherwise noted, all keys refer to keys generated with crypto_box_keypair(), all encryption is done with crypto_box() and all decryption with crypto_box_open(). For performance purposes the functions to precompute the shared secret and encrypt and decrypt messages with it are used extensively in Tox; however, this is not relevant to this document. The function crypto_box() provides fast public-key authenticated encryption. For exactly how it works read the NaCl docs. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Hmmm... So, the brave RFC-writing soul got some questions. Maybe somebody here has access to some answers? Questions being: - does the transport layer have encryption? (does the middle layer do that all or...?) - where is the documentation of the cryptography? - is there any hmac done at all? - what is the tox id for a seed with all 0? - how does the tox implementation handle different byte alignment? - how does the tox implementation handle different byte endiness? - how well stressed is the tox implementation? benchmarks? - where is the rest of the documentation? - where can I find a full view of how tox works from bottom to top? Anybody? -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147