- SEE ALSO
- LICENSE AND COPYRIGHT
unsnoopable.pl - Completely unsnoopable messaging
$Revision: 1.008 $ $Date: Sun Dec 10 01:36:27 PST 2017 $
unsnoopable.pl (Unsnoopable) is a simple application for end-to-end completely unsnoopable messaging. It is intended to be run on air-gapped devices that are never connected to any networks and have no wireless networking hardware. Unsnoopable uses one-time pads (OTPs) for completely unbreakable encryption.
Unsnoopability goes further than unbreakability of encryption, as a compromised device can leak plaintext even when the encryption used to transmit the message is unbreakable. This is the reason Unsnoopable is designed for use on an air-gapped devices, with a screen, text input capability, and a camera, such as the Noodle Unsnoopable http://www.noodlepi.com/.
A new one-time pad can be generated by clicking the 'Generate' button, and providing a name for the pad. The OTP can then be exported by clicking the 'Export' button, which will cause it to be displayed on the device's screen as a QR code. It can then be imported into the corresponding device of the person one wishes to communicate unsnoopably with, by clicking 'Import' on that device and then scanning it with its camera.
Unsnoopable currently implements QR code scanning only on the Noodle Unsnoopable, using the 'zbar' program. When running unsnoopable on a Noodle Unsnoopable, use the '--noodlepi' command line switch.
To send a message to Bob, Alice selects a pre-shared OTP from the list at the top of the application window, clicks 'Send', and types in a message. The message will be encrypted using the selected OTP, and the ciphertext displayed as a QR code. Alice then scans QR code from the screen of the air-gapped Noodle Unsnoopable using a regular connected smartphone and any mobile QR code scanning app, and sends the scanned string to Bob using any communications medium.
Bob displays the received ciphertext as a QR code on his own smartphone screen, and clicks 'Receive' to scan it into his own Noodle Unsnoopable (which already has the pre-shared OTP on it). The ciphertext is then automatically decrypted and the plaintext message displayed.
This provides not only theoretically unbreakable encryption for the message using OTP encryption, but also air-gapped security for the devices where the plaintext and OTPs are stored. In effect this provides complete unsnoopability for the message over the network both while in transit and from any network-based attacks against the devices where plaintext is processed.
As with all security systems, though, there are still some caveats:
Obviously Unsnoopable can't and doesn't protect against physical attacks where the attacker has access to any of the devices on which the OTPs are stored, or visual access that would enable them to view the messages or pads on the device screens, or proximity access that would enable attacks based on leakage via electromagnetic radiation, or audio access via bugs / smartphone microphones (if the message is spoken out aloud), etc.
Physical access to the OTPs can be protected by storing them on MicroSD cards, which are small and relatively easy to keep physically secure. Noodle Unsnoopable features a MicroSD card reader and boots off the MicroSD card itself, which is also important as it enables keeping the boot disk physically secure. An attacker with access to the air-gapped machine's boot disk could put in trojans to surreptitiously save OTPs or plaintexts for later retrieval.
The current implementation uses the Bytes::Random::Secure module to source random numbers for the one-time pads. This module uses a CSPRNG to generate random numbers, and isn't a truly random source. For really unbreakable encryption, a source of true random numbers should be used. A few devices that generate true random numbers are available commercially. It's also easy to generate random numbers in a secure and low-tech way by rolling dice.
The pad length is currently set to a fixed size that is communicable in a single QR code. This limitation will be removed in future versions of the app.
<crypt-unsnoopable at hash.neo.tc>
Please report any bugs or feature requests to
bug-crypt-unsnoopable at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Crypt-Unsnoopable. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
You can find documentation for this command with the perldoc command.
You can also look for information at:
RT: CPAN's request tracker
AnnoCPAN: Annotated CPAN documentation
Copyright (c) 2017 Ashish Gulhati.
This program is free software; you can redistribute it and/or modify it under the terms of the Artistic License 2.0.
See http://www.perlfoundation.org/artistic_license_2_0 for the full license terms.