GoldBug (software)

GoldBug
	File:Goldbug-neuland.png
	"Add Friend-Key" dialog showing plain text of PGP key and "Add" button Key exchange in GoldBug as a mean of adding contacts
Developer(s)	GoldBug-Project
Initial release	June 27, 2013; 11 years ago
Written in	C++
Engine
Operating system	Windows, OS X, Unix-like
Available in	English
Type	Instant Messenger
License	BSD License
Website	goldbug.sf.net

Search GoldBug (software) on Amazon.

GoldBug secure instant messenger is an open-source multi-platform instant messaging client, based on a protocol called echo and a kernel named spoton. GoldBug therefore uses strong multi-encryption (see: Hybrid cryptosystem) with different layers of modern encryption technologies of well known and revised crypto libraries (like libgcrypt (know from GnuPG) and OpenSSL).^[1] The app offers as well decentral and encrypted Email and decentral public e*IRC-Chat, which is based on the echo protocol - a kind of echoed IRC.^[2]

The application allows to set your own encryption components with RSA, EL Gamal and DSA, customizing key size, cipher, hash, salt and iteration.^[3]

The Name "GoldBug Messenger" refers to the novel Gold Bug of Edgar Alan Poe: The plot follows William LeGrand, who recently discovered a gold-colored bug. His companion, Jupiter, fears LeGrand is becoming now obsessed with searching for treasure, knowledge and wisdom after being in contact with the GoldBug - and goes to LeGrand's friend. After they have deciphered a secret message all three start an adventure as a team. Edgar Alan Poes short story and ideas on cryptography also helped to popularize secured writing and cryptograms since 1843. The software application name refers in a symbolic way to this old story.

GoldBug (software) is a front-end gui for the spot-on echo kernel and application [2] and is written in c++ using the Qt framework. The compiling files are available for Windows, MacOSX, Linux, especially FreeBSD, Debian and OpenSUSE.

Connection Modi[edit]

The Echo protocol offers three modi to operate: Full Echo, Half Echo, Adaptive Echo.

Full Echo[edit]

The Full Echo modus or just Echo sends each encrypted message to every neighbour, Every neighbour does the same. In smaller entworks the message reaches every peer in time. Nodes can be servent, client or server with a set up listener.

Half Echo[edit]

The Half Echo sends the message only for one hop. That means two neighbours can chat with each other and the message is not delivered to any further nodes. Thouh always encrypted, the chatters can exclude others from knowing about the chat^[4]

Adaptive Echo[edit]

The Adaptive Echo sends the message - in case of given ecnrytion tokens - eclusively to only those connected nodes, which also know the encrypted token. The graphic at the side shows the communication example of Hansel and Gretel. Referring to the old fairy tail both highlight the trees with either "whithe pebbles" or "bread crumbs" to find out of the forrest. They want to leave the destination without the wicked witch knowing. How can Hansel and Gretel communicate without letting the wicked witch knowing? the nodes use in this exampel the encrypted key string "white pebbles". The Message is sent then not to the node of the wicked witch (Node E6).^[5]

Echo Accounts[edit]

Accounts just define the exclusiveness for connecting to a neighbour. Node A and B might connect only, if they agreed upon certain accoutn details. This allows to establish a web of trust without exposing the public encryption key and without attachig the encryption key to a certain IP address.

Standards and Libraries for Encryption[edit]

Next to RSA, ElGamal and DSA the Application uses the libraries libgcrypt and Openssl. The message of a user is encrypted in this format: SSL (AES (RSA (Message))). That means the encrypted message is sent though a p2p self signed SSL channel to the peer. Using several layers of encryption makes it hard to decrypt the messages. At the same time the SSL channel can be used to send symmetric, e.g. AES keys to the chat partner, to avoid recordings of plaintext keys (Multi-Encryption).^[6]^[7] The p2p selfsigned ssl connection is secured by several means to aviodi intermediate attackes like adding optional the IP-Address to the SSL Certiicate of the neighbors or having a permanent ssl certificate, so that a replaced node would not be able to connect.^[5]

As the application uses OpenSSL, which had issues for some older versions with a need for the Heartbleed code corrections and thus "potentially several projects like Tor" ^[8] and RetroShare (comp. RetroShare-Release V 0.5.5c / April 11, 2014 (with Heartbleed fix)) could have been harvested, the GoldBug project could point out, that the at that time a current and patched OpenSSL version has been deployed in GoldBug and thus no Heartbleed issue had to be announced (compare release notification for GoldBug V 0.9.04 on 2014-04-22) - as the release stated this already in April 2014, the ZD-Net Author Steven J. Vaughan-Nichols categorized the OpenSSL-issue in relation to an potential issue for the Messenger in his article in March on wrong facts.

Tabs and Basic Functions[edit]

Next to the "login"-tab, to log into the user interface with an at least 16 characters long passphrase, and the "add friend"-tab, to add the encryption-key of the friend, the GoldBug application has several tabs for different functions, among them: Chat, Email, Groupchat (e*IRC/Buzz) and File Transfer (so called: StarBeam). ^[9]

Chat[edit]

The Chat of Goldbug is always encrypted. Next to the RSA or ElGamal encryption a symmetric key (e.g. AES) can be provided. The symmetric key can be manually entered (like e.g. the name of the city in which we married) or automatically generated in the AES Standard. The Symmetric key is additionally assurded by a MAC hash. One user using the ElGmal key and one user using the RSA key are able to chat with each other.^[5]

Email[edit]

GoldBug contains a small Email Client.^[10] This allows to send emails in a p2p method without the need for a central pop3 or imap server. ^[5]

e*IRC / Buzz as Groupchat[edit]

The Group Chat is always encrypted too. It is called e*IRC ( echoed IRC) or Buzz, which is the original name of the Spot-on Client, Kernel and source code. This kind of group chat does not requirte private and public keys nor the swap of them. The e*IRC is based on the magnet URI standard and everyone knowing the Magnet, can decipher and join the chat. (See below for the explanation of the Magnet URI Standard for encryption.).^[5]

StarBeam File Transfer[edit]

StarBeam is the function and tab to send a file as encrypted packets over the internet. Here as well the Magnet URI Standard is used, Everyone knowing the Magnet, will be able to decrypt the file. For prevent giving away magents to the public a so-called "Nova"-Password can be additionally set on the file, so the Nova-Password can be given away later or after the transfer has been done. It is a second encryption layer besides the introduced Magent URI Standard for Encryption.^[5]

Rosetta CryptoPad[edit]

The Rosetta CryptoPad is another tabbed function as pop-up-tool to encrypt plaintext to chipertext. Based as well on a pair of public and private keys users can exchange the ciphertext over oldfashioned plaintext-protocols like in @-email or over any other non-encrypting instant messenger, even on boards or pastebins the crypto-text can be posted and grabbed from the friend for de-cryption. It establishes a kind of slow-chat, as you manually need to crypt and decrypt the message.^[5] The name is based on the Stone of Rosetta, which was a kind of translation-"book" for the hieroglyphs. This small encryption-pad was first introduced in V0.8 as a christmas-release in 2013.

Selected Features, Standards and Methods[edit]

Goldbugs has a variety of features like using multiple ciphers, also known as multiencryption. The program further main features are encrypted groupchat, sending of encryption keys encrypting them, end to end encryption, public IRC channels with encryption, integrated BitMail (p2p email), chat over Tor, instant forward secrecy, sending of random fake messages to confuse eavesdroppers, authenticated chat and many others.^[3] App-Wikia rates the feature richness by 8.2 of 10 Points: "Overall it is a great application for users who really would like to have a secure communication over chats with friends."^[11]

Repleo[edit]

GoldBug has the capability, to send the own public keys as well encrypted back to the friend, in case the friend shared already his public key. this is called a Repleo. Furthermore the integrated p2p Email client allows also to send the chat encryptionkey in an encrypted way.^[12]

Email Institutions[edit]

The Email function of GoldBug is based on a pure p2p Email. Messaging to offline email partners is possible within the peer network over two methods: Either both friends have a common third friend, and all have shared their encryption keys - e.g. Alice and Bob use a common Webserver and share the encryption keys, then the webserver will cache the email for the friend, who is currently offline; Or, second method: an so called Email Institution is created. This instance has a special encryption Magnet URI. If this Magnet is known by users, and the institution has added the encryption user-key of the users, then the emails are stored in this kind of virtual institution. The user-key of the instititonal node needs not to be given away, just the Magnet URI of the created Email Institution.^[5]

Magnet URI Encryption Standard[edit]

The Magnet URI standard has been elablorated into an format to carry encryption values. An Magnet URI used in GoldBug, respective for the Spot-On developer channel lookes like this format:

magnet:?rn=Spot-On_Developer_Channel_Key&xf=10000&xs=Spot-On_Developer_Channel_Salt&ct=aes256&hk=Spot-On_Developer_Channel_Hash_Key&ht=sha512&xt=urn:buzz

and the categories are shortend like follows:

rn=Spot-On_Developer_Channel_Key& = Room Name
xf=10000& == Exact Frequency
xs=Spot-On_Developer_Channel_Salt& = Exact Salt
ct=aes256& = Cipher Type
hk=Spot-On_Developer_Channel_Hash_Key& = Hash Key
ht=sha512& = Hash Type (e.g. SHA or Whirlpool)
xt=urn:buzz = Extension is Buzz, a new word for e*IRC or Group Chat room based on the echo protocol

This standard is used to share symmetric keys for groupchat or email institutions and file transfer processes.^[5]

Comparison to similar Chat tools[edit]

Comparison to OTR[edit]

OTR offers as well over the XMPP chat protocol end-to-end symmetric encryption. In comparison here the encryption key is chosen once per session while for the echo applications the symmetric key can be renewed or randomized very second. The perfect forward secrecy has been developed to an instant perfect forward secrecy (IPFS). While OTR is a plugin, the echo protocol provides native encrypted messaging wihtout the need of plugin development.

Comparison to RetroShare[edit]

RetroShare uses only one key for all the functions of the application, has no messaging to offline friends and correlates the IP address to the key - within a DHT and with a given key the IP easily can be found and attacked. GoldBug has 8 encryption keys for several functions and allows as well to send messages to offline users. The encryption keys are not attached to the IP-Address as the connection-regulations for friends is done over echo-accounts, which also enable to build a web of trust. IP addresses may be even further separated from keys by using Tor.

References[edit]

↑ GoldBug uses crypto libraries (like libgcrypt (GnuPG) and OpenSSL
↑ The program GoldBug includes an encrypted mail component, as well as an IRC chat.
↑ ^3.0 ^3.1 Security Blog: Secure chat communications suite GoldBug, 25 March, 2014
↑ Redakteur Jan Weller: Testbericht zu GoldBug für Freeware, Freeware-Blog
↑ ^5.0 ^5.1 ^5.2 ^5.3 ^5.4 ^5.5 ^5.6 ^5.7 ^5.8 [1] The GoldBug Instant Messenger User Manual, http://goldbug.sf.net
↑ http://www.hacker10.com/tag/goldbug-messenger-review/ Security Blog: GoldBug messenger review, 25 March 2014
↑ http://www.qoop.it/similar/goldbug-instant-messenger-0-9-00__a24af5704129cd68c881f17d7ce6e14c http://www.qoop.it/ Instant Messenger gratuito e sicuro,
↑ http://www.zdnet.com/how-to-recover-from-heartbleed-7000028253 ZDNet http://www.zdnet.com: Steven J. Vaughan-Nichols - How to recover from Heartbleed, April 9, 2014
↑ http://osarena.net/logismiko/applications/goldbug-mia-souita-gia-chating-me-pollapli-kriptografisi.html http://osarena.net: GoldBug - Μια σουίτα για Chating με Πολλαπλή Κρυπτογράφηση - Δημοσιεύτηκε από Constantinos, Latest Articles, Λογισμικό — 25 March 2014.
↑ http://www.ad-hoc-news.de/instant-messenger-und-chatprogramm-das-laut-hersteller-auf--/de/News/33554617 http://www.ad-hoc-news.de/
↑ http://www.appwikia.com/windows-apps/goldbug-instant-messenger-now-no-third-party-can-look-into-your-chat-communication/ http://www.appwikia.com/ - Appwikia: Overall it is a great application for users who really would like to have a secure communication over chats with friends, Appwikia.com provides information about software for Windows operating system. Select and handpick the best apps for our viewers, critically review them and offer practical ratings.
↑ http://www.heise.de GoldBug kann Schlüssel selbst encodiert versenden, Heise Zeitschriften Verlag 2013

External links[edit]

Official website
http://sourceforge.net/projects/spot-on/files/ - Original code and application project page
http://firefloo.sf.net - Another XMPP hybrid client with the echo protocol

This article "GoldBug (software)" is from Wikipedia. The list of its authors can be seen in its historical. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.

[1] GoldBug uses crypto libraries (like libgcrypt (GnuPG) and OpenSSL

[2] The program GoldBug includes an encrypted mail component, as well as an IRC chat.

[hacker2-3] 3.0 ^3.1 Security Blog: Secure chat communications suite GoldBug, 25 March, 2014

[4] Redakteur Jan Weller: Testbericht zu GoldBug für Freeware, Freeware-Blog

[sourceforge1-5] 5.0 ^5.1 ^5.2 ^5.3 ^5.4 ^5.5 ^5.6 ^5.7 ^5.8 [1] The GoldBug Instant Messenger User Manual, http://goldbug.sf.net

[6] ttp://www.hacker10.com/tag/goldbug-messenger-review/ Security Blog: GoldBug messenger review, 25 March 2014

[7] ttp://www.qoop.it/similar/goldbug-instant-messenger-0-9-00__a24af5704129cd68c881f17d7ce6e14c http://www.qoop.it/ Instant Messenger gratuito e sicuro,

[8] ttp://www.zdnet.com/how-to-recover-from-heartbleed-7000028253 ZDNet http://www.zdnet.com: Steven J. Vaughan-Nichols - How to recover from Heartbleed, April 9, 2014

[9] ttp://osarena.net/logismiko/applications/goldbug-mia-souita-gia-chating-me-pollapli-kriptografisi.html http://osarena.net: GoldBug - Μια σουίτα για Chating με Πολλαπλή Κρυπτογράφηση - Δημοσιεύτηκε από Constantinos, Latest Articles, Λογισμικό — 25 March 2014.

[10] ttp://www.ad-hoc-news.de/instant-messenger-und-chatprogramm-das-laut-hersteller-auf--/de/News/33554617 http://www.ad-hoc-news.de/

[11] ttp://www.appwikia.com/windows-apps/goldbug-instant-messenger-now-no-third-party-can-look-into-your-chat-communication/ http://www.appwikia.com/ - Appwikia: Overall it is a great application for users who really would like to have a secure communication over chats with friends, Appwikia.com provides information about software for Windows operating system. Select and handpick the best apps for our viewers, critically review them and offer practical ratings.

[12] ttp://www.heise.de GoldBug kann Schlüssel selbst encodiert versenden, Heise Zeitschriften Verlag 2013

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]