forked from falsovsky/FiSH-irssi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
FiSH-irssi.txt
198 lines (136 loc) · 6.3 KB
/
FiSH-irssi.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
FISH v0.98 for irssi
********************
This is an encryption addon for irssi, it is based on blowfish and is
fully compatible to original 'blowcrypt' script. It supports private
chat and channel encryption. A secure key-exchange system is included
aswell. Please read the whole document, especially the 'Installation'
section, before installing it!
FiSH v0.98 has been tested with irssi v0.8.9!
==============
FiSH commands:
==============
- /notice+ <nick/#channel> <notice message>
/notfish <nick/#channel> <notice message>
Send a notice message encrypted to someone. You have
to specify the target.
- /topic+ <your topic>
Set encrypted topic for current channel. Keep in mind:
topic size SHRINKS drastically to about 60%!
- /key [<nick/#channel>]
Show key for target. If no target specified, the key
for current window will be shown.
- /setkey [<nick/#channel>] <sekure_key>
Set key for target to sekure_key. If no target
specified, the key for current window will be set
to sekure_key.
- /delkey <nick/#channel>
Delete key for target. You have to specify the target.
- /keyx [<nick>]
Perform DH1080 KeyXchange with target. If no target
specified, the KeyXchange takes place with the current
query window.
- /setinipw <sekure_blow.ini_password>
Set a custom password to encrypt your key-container
(blow.ini) - you will be forced to enter it each time
you load the module.
If you do not set a custom blow.ini password, a default
password will be used. *insecure*
*NOTE* Take care of all your keys when using this
feature, they should get re-encrypted when changing
the blow.ini password, but nothing is guaranteed :)
- /unsetinipw
Change back to default blow.ini password
=============
Installation:
=============
- copy libfish.so to irssi's module directory and use
"/load fish" or "/load /path/to/libfish.so"
This is a plug-in, not a script - do NOT use /script to load it
- locate your blow.ini in ~/.irssi/ (or wherever your irssi
config file is stored)
- Blow.ini options explained:
---------------------------
[FiSH]
process_incoming=1 --> decrypt incoming messages?
process_outgoing=1 --> encrypt outgoing messages?
mark_encrypted=" ·" --> see below
mark_position=0 --> 0=append mark at the end, 1=prefix
plain_prefix="+p " --> messages starting with +p will be
sent plain-text
-------------------
- If you want to mark INCOMING encrypted messages, add mark_encrypted
to blow.ini, in [FiSH] section.
Suffix Examples:
mark_position=0
mark_encrypted=" *" --> ...end of message *
mark_encrypted=" ·" --> ...end of message ·
mark_encrypted=" 12·" --> ...end of message ·[blue+bold]
mark_encrypted= --> disabled
Prefix Examples:
mark_position=1
mark_encrypted="12> " --> [blue+bold]> start of message...
mark_encrypted="12· " --> [blue+bold]· start of message...
mark_encrypted="· " --> · start of message...
- Set mark_broken_block=0 (in blow.ini) if you want to disable the
"mark broken block" feature, which indicates whether a broken block
was cut, meaning the message arrived incomplete (enabled by default)
- Set mark_encrypted=0 for #yourchan (in blow.ini) if you don't want
the crypt-mark to be shown there
- Set auto_keyxchange=0 (in blow.ini) if you want to disable the
auto-KeyXchange for new queries
- 'NickTracker' allows seamless conversations in the case your chat
partner suddenly changes his nick. This feature will simply copy the
old key to use with his new nick. It affects nick changes for running
queries only! (enabled by default, to disable set nicktracker=0 in
blow.ini)
==============
Security Info:
==============
What happened to DH1024 key-exchange you may ask. To make it short: An
implementation flaw in the code has been found and a new key-exchange
using Diffie-Hellman 1080 bit has been introduced. The implementation
flaw is NOT about a remote vulnerability, it is rather about maths :)
The analysis of a friend has come to the conclusion: The old DH1024
key-exchange was probably still as secure as 991 bit. We cannot say
for sure. The characteristic of the implementation flaw makes it hard
to analyze, as not many material about this subject is available.
I was very angry when this problem was discovered, but I can't change
what happened now. Such a stupid mistake, unnoticed almost a year.
Well, everyone learns from mistakes ...
Make sure you NEVER exchange keys plain-text over IRC/ftp/email! If
you ever do that, or someone else who owns that key, you can also just
keep talking plain-text.
Use the new Diffie-Hellman (1080 bit) keyXchange function!
You might think this is crazy, but keep in mind: You are using IRC
encryption because you think someone might be able to read your
conversations. Such a person may not only have enough skills for
that, but also for defeating your weak encryption mechanism, including
passwords sent in plain-text and maybe even using DH-128.
While rewriting the Diffie-Hellman key-exchange, it was discovered
that the used 128bit numbers in DH.dll (written by sinner?) are far
not enough for secure key-exchange!
It would take just approx. 3 hours to calculate someones private key
by having only the transmitted public key, on a 1.7 GHz machine with
256 MB RAM!
Now half of the time is used for pre-computation, which needs to be
done only once. And from that point you can calculate any private key
generated with the DH.dll in only 1.5 hours!
This applies to *all* DH key-exchange plug-ins using 128bit keys! It
is suggested to use at least 512bit for Diffie-Hellman.
Therefore keyXchange with Diffie-Hellman in this addon was upgraded
to 1080bit. It is not compatible to the old DH keyXchange with 128bit!
The DH routines have been completly rewritten using MIRACL. (Thanx to
mac for discovering the weakness of DH128 and helping me!)
================
Technical notes:
================
For Diffie-Hellman key-exchange a 1080bit germain prime is used, the
generator g=2 renders a field Fp from 1 to p-1. Therefore breaking it
means to solve a discrete logarithm problem with no less than 1080bit.
Base64 format is used to send the public keys over IRC.
The calculated secret key is hashed with SHA-256, the result is converted
to base64 for final use with blowfish.
Comments and suggestions are welcome!
Enjoy
16. December 2004
FiSH URL: http://fish.sekure.us/