Ashish Gulhati
and 1 contributors

NAME

unsnoopable.pl - Completely unsnoopable messaging

VERSION

 $Revision: 1.009 $
 $Date: Tue Oct 16 20:45:55 PDT 2018 $

SYNOPSIS

  unsnoopable.pl [--noodlepi]

DESCRIPTION

unsnoopable.pl (Unsnoopable) is a simple application for end-to-end completely unsnoopable messaging. It is intended to be run on air-gapped devices that are never connected to any networks and have no wireless networking hardware. Unsnoopable uses one-time pads (OTPs) for completely unbreakable encryption.

Unsnoopability goes further than unbreakability of encryption, as a compromised device can leak plaintext even when the encryption used to transmit the message is unbreakable. This is the reason Unsnoopable is designed for use on an air-gapped devices, with a screen, text input capability, and a camera, such as the Noodle Air http://www.noodlepi.com/.

A new one-time pad can be generated by clicking the 'Generate' button, and providing a name for the pad. The OTP can then be exported by clicking the 'Export' button, which will cause it to be displayed on the device's screen as a QR code. It can then be imported into the corresponding device of the person one wishes to communicate unsnoopably with, by clicking 'Import' on that device and then scanning it with its camera.

Unsnoopable currently implements QR code scanning only on the Noodle Air, using the 'zbar' program. When running unsnoopable on a Noodle Air, use the '--noodlepi' command line switch.

To send a message to Bob, Alice selects a pre-shared OTP from the list at the top of the application window, clicks 'Send', and types in a message. The message will be encrypted using the selected OTP, and the ciphertext displayed as a QR code. Alice then scans QR code from the screen of the air-gapped Noodle Air using a regular connected smartphone and any mobile QR code scanning app, and sends the scanned string to Bob using any communications medium.

Bob displays the received ciphertext as a QR code on his own smartphone screen, and clicks 'Receive' to scan it into his own Noodle Air (which already has the pre-shared OTP on it). The ciphertext is then automatically decrypted and the plaintext message displayed.

This provides not only theoretically unbreakable encryption for the message using OTP encryption, but also air-gapped security for the devices where the plaintext and OTPs are stored. In effect this provides complete unsnoopability for the message over the network both while in transit and from any network-based attacks against the devices where plaintext is processed.

As with all security systems, though, there are still some caveats:

Obviously Unsnoopable can't and doesn't protect against physical attacks where the attacker has access to any of the devices on which the OTPs are stored, or visual access that would enable them to view the messages or pads on the device screens, or proximity access that would enable attacks based on leakage via electromagnetic radiation, or audio access via bugs / smartphone microphones (if the message is spoken out aloud), etc.

Physical access to the OTPs can be protected by storing them on MicroSD cards, which are small and relatively easy to keep physically secure. Noodle Air features a MicroSD card reader and boots off the MicroSD card itself, which is also important as it enables keeping the boot disk physically secure. An attacker with access to the air-gapped machine's boot disk could put in trojans to surreptitiously save OTPs or plaintexts for later retrieval.

The current implementation uses the Bytes::Random::Secure module to source random numbers for the one-time pads. This module uses a CSPRNG to generate random numbers, and isn't a truly random source. For really unbreakable encryption, a source of true random numbers should be used. A few devices that generate true random numbers are available commercially. It's also easy to generate random numbers in a secure and low-tech way by rolling dice.

The pad length is currently set to a fixed size that is communicable in a single QR code. This limitation will be removed in future versions of the app.

SEE ALSO

http://www.unsnoopable.org

http://www.noodlepi.com

Crypt::Unsnoopable

AUTHOR

Ashish Gulhati, <crypt-unsnoopable at hash.neo.tc>

BUGS

Please report any bugs or feature requests to bug-crypt-unsnoopable at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Crypt-Unsnoopable. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this command with the perldoc command.

    perldoc unsnoopable.pl

You can also look for information at:

LICENSE AND COPYRIGHT

Copyright (c) Ashish Gulhati.

This software package is Open Software; you can use, redistribute, and/or modify it under the terms of the Open Artistic License 2.0.

Please see http://www.opensoftwr.org/oal20.txt for the full license terms, and ensure that the license grant applies to you before using or modifying this software. By using or modifying this software, you indicate your agreement with the license terms.