TorChat
A couple of questions!
Hello Bernd, Hello world (and anybody who would be able to help),
first of all, thank you very much for your brilliant work on TorChat - I really like the idea behind this messenger!
I've been using TorChat for a couple of months now for private and sensitive communication. I am just an ordinary internet user and not very firm with cryptographic issues. Nevertheless, I've read a lot in the last few days, trying to go through the documentation and the published issues here and on other pages. I'm stuck with a bunch of important questions and I hope you can spare the time to help me out (also in German, if you like).
- Is it fine to use TorChat at the same time as the Tor Browser Bundle? AFAIK, there should then be two instances of tor running and they shouldn't have any influence on each other, so traffic would be completely separated. Is this correct?
- Why have you stopped publishing checksums/hash values for the uploaded zip files? I found this very useful to verify the download.
- If I download and start a fresh copy of TorChat, it always takes a really long time (> 15 min) for my own icon to become green (to get connected). Sometimes it doesn't work at all. But if I shut down TorChat and start it again, it always works and is connected in only a couple of minutes. I assume that this is due to the first initialisation of the hidden service and not a security issue. Correct?
- In my first days with TorChat, I sometimes had the situation that my own buddy icon remained grey while I got the handshake and after that the green icon for some of my buddies. Is this a bug or a malfunction? Do I have to be concerned that my conversation or identity could be revealed, or can I be sure that everything is routed through Tor/encryption in every possible situation? (I have neither changed any settings nor modified files in the tor directory.)
And now for some possible attack scenarios:
- As far as I understand, TorChat uses entry nodes/guards like any other Tor service. Assuming that I am connected to a bad entry node under the control of a potential adversary, the attacker would still not be able to see the content of what I am sending/retrieving because everything is end-to-end encrypted. Correct?
- Concerning the encryption itself: AFAIK Tor hidden services, and therefore TorChat, use AES-128 to encrypt the message content and RSA-1024 for the exchange of the symmetric keys. Is this correct? Let's assume a potential adversary that is sniffing and recording my traffic at ISP level and is interested in cracking/decrypting the content. What would be the most plausible attack scenario? Cracking RSA-1024 to obtain the symmetric keys? I read a lot about RSA-1024 and it seems to be not very future-proof (RSA-2048 is recommended at least for sensitive data).
In other words: how easy would it be for a potential adversary at state level to decrypt the content of my TorChat messages with reasonable time/financial effort? Let's assume I want to be safe until at least 2020.
Thank you very much in advance, Anon
Anon-xyz [email protected] wrote on 21 August 2013 at 12:17:
Hello Bernd, Hello world (and anybody who would be able to help),
first of all, thank you very much for your brilliant work on TorChat - I really like the idea behind this messenger!
I've been using TorChat for a couple of months now for private and sensitive communication. I am just an ordinary internet user and not very firm with cryptographic issues. Nevertheless, I've read a lot in the last few days, trying to go through the documentation and the published issues here and on other pages. I'm stuck with a bunch of important questions and I hope you can spare the time to help me out (also in German, if you like).
1. Is it fine to use TorChat at the same time as the Tor Browser Bundle? AFAIK, there should then be two instances of tor running and they shouldn't have any influence on each other, so traffic would be completely separated. Is this correct?
Correct!
2. Why have you stopped publishing checksums/hash values for the uploaded zip files? I found this very useful to verify the download.
Bernd?
3. If I download and start a fresh copy of TorChat, it always takes a really long time (> 15 min) for my own icon to become green (to get connected). Sometimes it doesn't work at all. But if I shut down TorChat and start it again, it always works and is connected in only a couple of minutes. I assume that this is due to the first initialisation of the hidden service and not a security issue. Correct?
Don't know. But you only need your own icon to become green if you want to chat with yourself ;) In other words, the buddy you would like to chat with has to become coloured first. Then you can be sure that your icon on his side of the tunnel is coloured as well.
4. In my first days with TorChat, I sometimes had the situation that my own buddy icon remained grey while I got the handshake and after that the green icon for some of my buddies. Is this a bug or a malfunction? Do I have to be concerned that my conversation or identity could be revealed, or can I be sure that everything is routed through Tor/encryption in every possible situation? (I have neither changed any settings nor modified files in the tor directory.)
See above.
And now for some possible attack scenarios:
5. As far as I understand, TorChat uses entry nodes/guards like any other Tor service. Assuming that I am connected to a bad entry node under the control of a potential adversary, the attacker would still not be able to see the content of what I am sending/retrieving because everything is end-to-end encrypted. Correct?
Correct!
6. Concerning the encryption itself: AFAIK Tor hidden services, and therefore TorChat, use AES-128 to encrypt the message content and RSA-1024 for the exchange of the symmetric keys. Is this correct? Let's assume a potential adversary that is sniffing and recording my traffic at ISP level and is interested in cracking/decrypting the content. What would be the most plausible attack scenario? Cracking RSA-1024 to obtain the symmetric keys? I read a lot about RSA-1024 and it seems to be not very future-proof (RSA-2048 is recommended at least for sensitive data).
In other words: how easy would it be for a potential adversary at state level to decrypt the content of my TorChat messages with reasonable time/financial effort? Let's assume I want to be safe until at least 2020.
Thank you very much in advance, Anon
You're welcome.
—Reply to this email directly or view it on GitHub https://github.com/prof7bit/TorChat/issues/41 .