Adding Cwtch.im

Pseudo Nym requested to merge github/fork/sharp-tailed/cwtch-addition into master

cwtch

Add complete documentation for Cwtch

Cwtch is a cryptographically secure messenger capable of group messages (experimental), file transfer and compartmentalization.

Like Briar, it uses E2EE and is completely decentralized. It uses Tor for signup and is metadata resistant.

It allows a user to create different profiles. Profiles are stored locally on disk and encrypted using a key derived from a user-known password (via pbkdf2). Profiles can be easily exported and, as I have found through my own independent research, it is not possible to derive different profiles of a user:

"The only way to recover a profile is by rederiving the password - as such it isn't possible to provide a full list of profiles a user might have access to until they enter a password."

It uses authenticated encryption to create these profiles, using libsodium secret-box. Information used to derive the encryption key used to save all sensitive data to the file system crosses the boundary between the UI front-end and the App backend. Intercepting this information requires a privileged position on the local machine.

  • Messages cannot be truncated, removed, reordered, duplicated or modified without this being detected by the decryption functions.
  • The same sequence encrypted twice will produce different ciphertexts.
  • An authentication tag is added to each encrypted message: stream corruption will be detected early, without having to read the stream until the end.
  • Each message can include additional data (ex: timestamp, protocol version) in the computation of the authentication tag.
  • Messages can have different sizes.
  • There are no practical limits to the total length of the stream, or to the total number of individual messages.
  • Ratcheting: at any point in the stream, it is possible to "forget" the key used to encrypt the previous messages, and switch to a new key.

References:

  • FOSS project: https://git.openprivacy.ca/cwtch.im/cwtch
  • High level overview: https://cwtch.im/#how-it-works
  • Ecosystem breakdown: https://docs.openprivacy.ca/cwtch-security-handbook/components.html
  • Encrypted streams & file encryption: https://doc.libsodium.org/secret-key_cryptography/secretstream
  • Connectivity through Tor: https://docs.openprivacy.ca/cwtch-security-handbook/connectivity.html
  • Zero-trust model: https://docs.openprivacy.ca/cwtch-security-handbook/server.html
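An added illustration (not Cwtch's own code) of the profile scheme described in this merge request: the key is derived with PBKDF2 from the user-known password, the profile is sealed with authenticated encryption, and a candidate password reveals only the profiles it actually opens. libsodium secretbox is replaced by an HMAC-based encrypt-then-MAC stand-in so the example runs on the Python standard library; the iteration count and the salt/nonce sizes are assumptions.

```python
import hashlib
import hmac
import os

# Added illustration, not Cwtch's code; PBKDF2 iterations and salt/nonce sizes are assumptions.
ITERATIONS, SALT_LEN, NONCE_LEN, TAG_LEN = 200_000, 16, 24, 32

def derive_key(password: str, salt: bytes) -> bytes:
    """Profile key from the user-known password via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)

def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the profile key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream (stdlib stand-in for XSalsa20)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(d ^ k for d, k in zip(data, stream))

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, standing in for libsodium secretbox: ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_box(key: bytes, nonce: bytes, boxed: bytes):
    """Check the tag before decrypting; returns None on a wrong key or tampered data."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = boxed[:-TAG_LEN], boxed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(enc_key, nonce, ct)

def save_profile(password: str, profile: bytes) -> bytes:
    """On-disk record: salt || nonce || sealed profile. Nothing in it names its owner."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    return salt + nonce + seal(derive_key(password, salt), nonce, profile)

def unlock_profiles(password: str, records: list) -> list:
    """Return the profiles this password opens: the only way to learn which ones exist."""
    opened = []
    for rec in records:
        salt, nonce = rec[:SALT_LEN], rec[SALT_LEN:SALT_LEN + NONCE_LEN]
        plain = open_box(derive_key(password, salt), nonce, rec[SALT_LEN + NONCE_LEN:])
        if plain is not None:
            opened.append(plain)
    return opened
```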