WIC
Weechat Irc Crypto, a simple yet reasonably safe & secure weechat IRC encryption system.
Description
It combines a weechat python script (wic.py) driving an external cryptographic "helper" written in go (wic).
In the age of gazillions of messengers, I still heavily rely on and spend a large amount of time on IRC.
Unfortunately, with IRC, besides the transport encryption offloaded to the IRC network (TLS), there was/is no integrated mechanism to protect conversations from curious eyes.
IRC is an old protocol, and even with v3 around the corner it comes with limitations and no end-to-end encryption.
This weechat script tries to solve that.
Design
The design aims at simplicity and usability, from which security derives.
The irc client (weechat) runs a script (wic.py) that communicates (over stdio) with wic to ask for crypto operations.
Several types of keys coexist for different purposes:
- identity keys: long term/usage keys for signing key exchanges & public key broadcasts.
- ephemeral keys: ephemeral & used for the asymmetric key exchange of symmetric keys.
- symmetric keys: 256 bit AEAD keys used for encrypting channels/queries.
Identity keys are generated locally using the wic crypto helper.
More details on WIC internals are slowly being documented on the wiki.
Requirements
- golang 1.14+
- python 3.7+
- weechat 2.8+
- weechat python plugin.
Dev
Installation
!REMEMBER! make sure $GOPATH/bin, $HOME/go/bin or $GOBIN is in your PATH.
From Source:
- install the wic cryptographic helper (*):
  $ go get git.sr.ht/~eau/wic/cmd/wic
- generate your long term keys:
  $ wic -keygen nick
  Identity key Password:
  Retype Identity key Password:
- start weechat and set up the basic auth variables:
  /set plugins.var.python.wic.identity mynickname
  /set plugins.var.python.wic.identity_passphrase mySup3rDup3rPassPhrase
- install the wic.py script for your weechat:
  $ cp wic.py ~/.weechat/python/
  $ ln -s ~/.weechat/python/wic.py ~/.weechat/python/autoload/
- start, configure weechat && connect
WIC Directory/Files
- $HOME/.wic/
- $HOME/.wic/id_ed25519
- $HOME/.wic/id_ed25519.pub
- $HOME/.wic/authorized_nicks
WIC Authorized Nicks
Borrowing the OpenSSH concept, authorized_nicks defines the public keys of the friends & users you have decided to trust.
By default WIC will accept what we call "anonymous" key exchanges.
The authorized_nicks file has the following format (one entry per line):
Example:
#<nick> <public key>
eau 27wH6NCKlNI6/zBpON+MJL8f+c2qCsmshTf2rihlDjI=
oz UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=
Weechat Script Config
These may be renamed later on.
- plugins.var.python.wic.binary (string): path to the wic binary (if not in PATH)
- plugins.var.python.wic.identity (string): your identity, your nickname, your name, whatever. (might get removed..)
- plugins.var.python.wic.identity_passphrase (string): your identity key passphrase (see weechat secure to use the weechat provided encrypted storage)
- plugins.var.python.wic.signed_kex (yes/no): only accept ed25519 signed & verified public keys & kex transactions
- plugins.var.python.wic.debug (yes/no): enable wic binary debug output
Script Key Bindings
These are the default key bindings for WIC in weechat:
- Alt + k: broadcast a new public key on the current buffer.
- Alt + t: accept ONLY TRUSTED key broadcasts/exchanges.
- Alt + T: accept ALL key broadcasts/exchanges.
Script Commands
These are the commands available once the script is loaded and running; not all are implemented yet (work in progress).
- /wic: toggle wic encryption on the current buffer (on/off). [DONE]
- /wic status: show current wic state + identity information. [IN PROGRESS]
- /wic restart: restart wic (crashed?)
- /wic rehash: re-read authorized_nicks. [DONE]
- /wic save: save currently created symmetric keys. [IN PROGRESS]
- /wic load: load saved symmetric keys. [IN PROGRESS]
- /wic id: show identity key information (id / public key).
- /wic newkey: generate a new symmetric key for the current channel/query buffer. [DONE]
- /kex: broadcast a fresh & identity signed ephemeral public key on the current buffer. [DONE]
- /kex <nickname>: broadcast a fresh & identity signed ephemeral public key, then (creating one if none exists) send the current buffer's channel key to nickname (nickname must have done /kex before). [DONE]
If no shared key is present, it will AUTOMATICALLY generate a random symmetric key (as if you had typed /wic newkey) to exchange with nickname.
The other members of an IRC channel see only the public ephemeral broadcast; the key exchange itself is sent directly to the receiving peer.
The server can SEE who is sending which key to whom, but cannot interfere as long as plugins.var.python.wic.signed_kex is yes.
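The authorized_nicks lookup and the signed_kex acceptance check described above, as an added Go example that is not part of the wic code base: it assumes the README's "<nick> <base64 ed25519 public key>" file format and a simplified broadcast of (nick, ephemeral public key bytes, ed25519 identity signature over those bytes), which is an assumption about the layout, not wic's actual wire format.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ParseAuthorizedNicks reads "<nick> <base64 ed25519 pubkey>" lines in the
// README's authorized_nicks format, skipping blank lines and "#" comments.
func ParseAuthorizedNicks(r io.Reader) (map[string]ed25519.PublicKey, error) {
	trusted := map[string]ed25519.PublicKey{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or comment
		}
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		raw, err := base64.StdEncoding.DecodeString(f[1])
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("bad ed25519 public key for %s", f[0])
		}
		if _, dup := trusted[f[0]]; dup {
			return nil, fmt.Errorf("duplicate nick %s", f[0]) // refuse ambiguous trust
		}
		trusted[f[0]] = ed25519.PublicKey(raw)
	}
	return trusted, sc.Err()
}

// AcceptKex models the receiving side with signed_kex = yes in Alt+t (trusted
// only) mode: the ephemeral public key from a /kex broadcast is accepted only if
// it carries a valid signature from the identity key listed for that nick.
// The (nick, ephemeral, sig) layout is an assumption, not wic's wire format.
func AcceptKex(trusted map[string]ed25519.PublicKey, nick string, ephemeral, sig []byte) error {
	idKey, ok := trusted[nick]
	if !ok {
		return errors.New("untrusted nick, anonymous kex refused: " + nick)
	}
	if !ed25519.Verify(idKey, ephemeral, sig) {
		return errors.New("invalid identity signature on ephemeral key")
	}
	return nil
}
```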
CLIENT SUPPORT
Mainly this was designed with weechat's abilities in mind; I have not studied what or how to do similar things with other clients.
Considering the wic I/O is a trivial text-based protocol, adapting it to other clients should be fairly reachable & easy; I just don't have the time, need or energy.
Patches are welcome.
Could be interesting to use with?
- irssi
- swirc
- hexchat
- any other..?
TODO
- Rekey warning and bar items display.
- [WIP] Weechat shortcuts for kex and rehash
- [WIP] ProVerif cryptographic verifier for WIC crypto protocol.
- Documentation.
- Load & Save keys (requires a secure blob facility, work in progress)
- In-memory key material wipe/masking.
- Various cleanups.
- Verify chmod of identity keys & authorized_nicks.
- [WIP] Proper IRCv3 support & server detection.
- [WIP] DCC OAE streaming.
- Writing proper documentation.
Send patches and questions to ~eau/wic@lists.sr.ht.
Subscribe to announcements and conversations on ~eau/wic; submit bugs/requests here.