description - mihapirnat/gentiandroid GitHub Wiki

Gentian - Encrypted chat

THIS APPLICATION IS BETA, PENDING REVIEW. PLEASE DO NOT RELY ON IT FOR STRONG PRIVACY !!! IMPLEMENTATION MIGHT CHANGE, SO YOUR CONFIG AND LOGS MIGHT NOT BE PERMANENT.

This version only supports SMS encryption.

Uses 3072-bit RSA (encryption), 256-bit EC (signing), and a cascade cipher (Serpent, AES, Twofish) with 256-bit keys.

Parties exchange RSA public keys outside this application, using QR codes (zxing integration) or a custom URL. Each party must add the other party's identity before chatting.

The first message from each party is encrypted with the other party's RSA key and contains session keys and an ECDSA signature, so it is at least 4 SMS long. Subsequent messages are encrypted with the symmetric cascade cipher, so approximately half of the first SMS is used by the protocol (HMAC). The application uses random padding (Wikipedia: Superencryption), so encrypted text is twice the size of plaintext.

Each party should first send one non-confidential message to complete the key exchange. The application displays a warning when ECDH is not completed and forward secrecy is not available.

This application does not provide deniable encryption. If that is what you need, you should consider Off-the-Record Messaging.

Configuration and logs are encrypted using password encryption and an AES, Serpent and Twofish cascade cipher.

====== DETAILS =======

Encoding libraries

Message encoding: Base91 by Joachim Henke (Original version), Benedikt Waldvogel (Modifications), modified to use GSM 7-bit alphabet

Local encoding: Base64 by Mikael Grev, MiG InfoCom AB. (base64 @ miginfocom . com)

Encryption libraries

Spongy Castle - a repackage of Bouncy Castle for Android

Encryption algorithm

symmetric: cascade cipher with 256-bit keys (AES, Serpent and Twofish), CBC mode, with PKCS5Padding; 16 byte IV, HmacSHA256

Two encryption keys are sent by RSA encryption, two are derived from 256-bit ephemeral EC keys using ECDH (two independent EC pairs for each party).

asymmetric: encryption and signing by 3072-bit RSA with OAEPWithSHA256AndMGF1Padding; the signature is a signed SHA-512 message hash and contains symmetric keys and ephemeral EC public keys for ECDH.

Messages contain timestamps. Older messages are rejected to prevent replay attacks.

Password encryption (configuration and logs):

1024 rounds of SHA-512 with a 128-byte salt. The resulting hash is used as two AES-256 keys to decrypt the first keypack.
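
The derivation described above, as an added example (not Gentian's own code): it runs the 1024 salted SHA-512 rounds, splits the 64-byte digest into two AES-256 keys, and times one derivation, since that cost is what bounds each offline password guess against a copied configuration. Assumptions: the chaining order (salt || password, then salt || previous digest), the UTF-8 password encoding, and the PBKDF2 comparison with its iteration count are illustrative and not taken from the page.

```python
import hashlib
import os
import time

ROUNDS = 1024      # from the page
SALT_LEN = 128     # bytes, from the page
KEY_LEN = 32       # one AES-256 key; SHA-512 yields 64 bytes = two keys

def derive_keys(password: str, salt: bytes, rounds: int = ROUNDS):
    """Iterated salted SHA-512, split into two AES-256 keys.

    Assumed chaining: round 1 hashes salt || password, each later round
    hashes salt || previous digest. The page does not state the order.
    """
    if len(salt) != SALT_LEN:
        raise ValueError("expected a 128-byte salt")
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(salt + digest).digest()
    return digest[:KEY_LEN], digest[KEY_LEN:]

def derive_keys_pbkdf2(password: str, salt: bytes, iterations: int = 210_000):
    """Same two-key output from a standard KDF (comparison only, not Gentian's)."""
    out = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=2 * KEY_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]

def seconds_per_derivation(fn, password: str, salt: bytes, repeats: int = 3):
    """Best-of-N wall-clock cost of one derivation, i.e. one password guess."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        fn(password, salt)
        best = min(best, time.perf_counter() - start)
    return best

if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)              # constructed sample salt
    pw = "correct horse battery staple"      # constructed sample password
    k1, k2 = derive_keys(pw, salt)
    print(len(k1), len(k2), k1 != k2)
    print("iterated SHA-512:", seconds_per_derivation(derive_keys, pw, salt))
    print("PBKDF2-HMAC-SHA512:", seconds_per_derivation(derive_keys_pbkdf2, pw, salt))
```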

(gentianlib)

A Gentian keypack is a ZIP file of 2^(i*256 keys), in this case i=1, 256 keys. The first keypack is encrypted by password-generated AES keys. Subsequent keypacks, config and logs are encrypted by a cascade of 4 random keys from the keypack (256-bit AES, Serpent and Twofish, cipher picked cyclically), CBC mode, with PKCS5Padding. The second keypack is used to verify the password used, by decrypting a control code and comparing it to the salt.