Open RealJosephKnapp opened 10 months ago
Hi @RealJosephKnapp Thanks for the detailed ticket. We've considered end to end encryption in the past. The main reason we haven't built it yet is because a core part of our value proposition is the SEO friendliness. Moving the end to end encryption didn't seem to make sense since it felt like targeting a different audience
We'd be happy to prioritize this if there are enough users interested in this use case. Can you help us understand how you would like to use Linen and how it would be different than tools like Signal?
Also I'd love to learn about what you enjoy about Linen over other chat applications. It would help us when conveying our core value proposition.
I think that this is pretty much the perfect chat app, all it needs is end to end encryption.
What should the e2ee protocol do?
Let us start with the identity key. We will start with crystals-kyber-1024 as a key encapsulation algorithm. To get to 4096 bits, four seperate Crystals-Kyber-1024 keys will be used one after another. As a check each key will be verified with Crystals-Dilithium-5, FalconSign-1024 and SPINCS+-Shake256 to verify its legitimacy. Each key server the key complete public key and signature is uploaded to will verify each of the signatures and then attach its own signature so that the propagation of the identity through the global keyserver network can be verified. Now let us cover the assymetric keys protected by the Key Encapsulation Mechanism. We will use 4 separate keys, four in a row. NTRU-32768(RSA-32768(Quadruple-NIST-P521(Quadruple NIST-B571(plaintext))))) Each certificate shall list no less than 16 but all implementations must be able to parse up to 42 public keys generated using this method. Each Public key will be triple signed using NTRUsign-32768, RSAsign-32768, ECDSA-32768 and then hashed with SHA3-512, Keyed Blake3-512, Keyed Skein-512 with an internal state size of 1024 and Keyed MD6-512 for message integrity. What about symmetric keys? When symmetric keys need to be exchanged, they are sent over the same protocol that messages are sent over. The required symmetric Ciphers are AES-256, Anubis-320, Kalyna-512, Threefish-1024 and verified with SHA3-512, Keyed Blake3-512, Keyed MD6-512 and Keyed Skein-512 an internal state size of 1024. No symmetric key may be used more than once and must be depreciated once the session, whether audio, video call, file transfer or secure drop is over. How do we look up keys? For this purpose we use a keyserver. Each keyserver is part of the fediverse and must support Activitypub, Ostatus, Zot and Diaspora, of which the specifications are listed at https://www.w3.org/TR/activitypub/, https://github.com/OStatus, https://zotlabs.org/help/en/developer/zot_protocol and https://github.com/diaspora/diaspora_federation. Support for Matrix, Zsync, CURL, GNU Wget, Authenticated Transfer Protocol, GNUNET and Freenet/Locutus smart contract are recommended but not required. I recommend that all of these be considered, but due to the emerging nature of GNUNET, Authenticated Transfer Protocol and Freenet/Locutus we ought to wait until these networks are stable and audited. Various implementations should implement Matrix, Zsync, CURL and GNU Wget as needed. How do we revoke keys? In order to revoke a key, either the identity's expiration date passes and the keyservers mark it as expired, use with extreme caution or the private key is derived. If the private key is compromised for either the Quadruple Crystals-Kyber-1024 identity, the Digital Signatures, The 16 secondary keys or any other part of the identity is compromised. Once the identity is compromised, anyone with a valid identity can challenge the key. If the private key they submitted to challenge the public key, then the entire identity is revoked and the owner is notified effective immediately. The private key is propagated across the network and every keyserver that receives it must display it as proof that the key is compromised and the key must be treated as compromised and unusable whenever it is requested. How do I prove I own the key? Simple, the keyserver will send you a message encrypted using your key encapsulation key, each of your secondary keys and a direct message using each of the required symmetric encryption algorithms. You will decript the message, verify it, and then send the message back using the identity key of the keyserver for each email address, phone number, RCS, MMS, SMS, Signal, iMessage, Matrix, Activitypub, Ostatus, Zot, Diaspora, Telegram, Nextcloud, Google Drive, Onedrive, ProtonDrive, Mega Cloud Storage, iCloud, S3 Bucket, FTP server, Contact form or any protocol not listed in the other section of your keypair by completing the round robin. What does this identity key look like? """ Begin Universal Dark Internet Identity Information File: RealName:[First_Middle1_Middle2_Middle3_Middle4_Last] Handle:[Handle1, Handle2, Handle3, Handle4, Handle5] Nickname:[Nickname1, Nickname2, Nickname3, Nickname4, Nickname5] House Phone:[+X-XXX-XXX-XXXX--callerID] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Work Phone:Phone:[+X-XXX-XXX-XXXX--callerID] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Smartphone:[+X-XXX-XXX-XXXX--callerID] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] VOIP Phone:[+X-XXX-XXX-XXXX--callerID] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Feature Phone:[+X-XXX-XXX-XXXX--callerID] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Proxy Phone:[+X-XXX-XXX-XXXX--callerID] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Home Email:[emailaddress@emailserver.tld--sendername] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Work Email:[emailaddress@emailserver.tld--sendername] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Personal Email:[emailaddress@emailserver.tld--sendername] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Formal Personal Email:[emailaddress@emailserver.tld--sendername] Protocol[True/False--username--homeserver] Account[True/False--username--homeserver] Activitypub[True/False--handle--homeserver] Ostatus:[True/False--handle--homeserver] Zot:[True/False--handle--homeserver] Diaspora:[True/False--handle--homeserver] Matrix:[True/False--handle--homeserver] Authenticated Transfer Protocol:[True/False--handle--homeserver]Email:[True/False--emailaddress--emailserver] iMessage:[True/False--username--imessageserver] RCS:[True/False--username--rcsserver] MMS[True/False--username--mmsserver] SMS:[True/False--username--homeserver] Signal:[True/False--username--signalserver] Telegram:[True/False--username-telegramserver] Begin Dark Internet Identity Key Encapsulation Mechanism Four Rounds of Crystals-Kyber-1024