Encrirc - IRC encryption proxybecause IRC SSL does not save your from the voyeur sysadmin
IRC is insecure, it's a plaintext protocol. Everyone can sniff your connections. In order to fix this problem, many clients and servers have now support for SSL, so your client will connect and the IRC server via a secure SSL connection, and no one between you and your server can read what is passing.
This have problems too, see this picture:
[Alice] <--- ssl ---> [SERVER] <--- ssl ---> [Bob]Even if the connection is encrypted between Alice and SERVER, like it is between Bob and SERVER, inside the server, i.e. inside the IRCd deamon, the data is passing in plaintext. This means that the sysadmin can read everything you write, regardless of the use of SSL.
If it's a small IRC network, you have to fear about voyeur sysadmins, if it's a big network, you have to fear about government asking about logs to big ISPs and so on... you already know this story.
So what's the solution? To have an IRC client that will send encrypted messages over the IRC protocol, using a well known and belived secure block cipher, and a key that only Bob and Alice know. This is often accomplished thanks to client-specific plugins for xchat, IRSSI, mirc, and other clients, but there are tons of different clients for IRC, and it's not always possible to find a compatible encryption plugin between different clients. Fortunately there is a solution, that's to write an IRC "repeater" or "proxy" that is sit in the middle between the IRC client and the SERVER, of both Alice and Bob:
[Alice] <--> Encrirc <--> [SERVER] <--> Encrirc <--> [Bob]It does not matter if the connection between Encrirc and the Server is secure or not, everything will be encrypted before to pass from the internet. Also the Server administrator will not be able to read nothing, only Alice and Bob have the right key to encrypt/decrypt messages.
Of course, Alice and Bob, need a secure channel to share an Encrirc key, but to do so they just have to use PGP or GPG and the email.
To run encrirc you need a working Tcl installation (8.4 or newer), usually it's installed by default in most Linux distributions. All the istructions are inside the README file of the tar.gz.
The current version is 0.1, download encrirc-0.1.tgz.
The source code is under the GPL license
Every decent program that is about encryption should explain very well how the encryption works, so experts can check if it's just "snake oil", or real security. This is my attempt to explain it.
We use blowfish as block cipher, in CBC mode
the hash function used is MD5
Every message is encrypted using the key relative to the destination nick or channel, with blowfish in CBC mode, using as initialization vector a 64 bit pseudo-random Initialization Vector.
The message is send over the network as:
>encrirc< || KEYID || IV || BLOWFISH(k, P || HMAC(k, P)) k - A 128 bit key >encrirc< - A fixed prefix for every encrypted messages. KEYID - Is the key identifier. The first 64 bits of MD5(k) IV - A pseudorandom 64 bit string P - The plaintext with spaces to be 80 chars longNotes
The padding of 'P' is used so that the ciphertext is always of fixed length, the eavesdropper can't tell the length of the message.
The pseudorandom IV makes sure that the same message will encrypt in a different ciphertext.
The KEYID is used to avoid to brute-force all the keys in the keyring.
The HMAC is checked at every message received to make sure there is no corruption. Corrupted messages are not sent to the user, but instead a warning is sent.
Encrirc was developed by antirez (also known as Salvatore Sanfilippo). More free software from the same author:
hping visitors phpinteractive Tcl IRCd (more free software in my home page).
Sponsored sites: Archivio discussioni business economia e azioni (italian).