Posts

GNUnet Messenger API: July 2025

Image
Hi there, unfortunately I didn’t make it to write a blog post last month. I was quite busy closing open ends of other projects while there were quite some bugs and issues to be solved in the Messenger service of GNUnet . On the bright side this means I have a lot to talk about this month. Most critical issues could be solved already, test cases of libgnunetchat pass again with all latest changes and the end-to-end encrypted chats seem to work as intended. I am still encountering some issues that messages do not get received immediately from chats or the chats can behave somewhat inconsistent. However it’s likely some condition caused by parallel events or a very specific order of events that’s difficult to reproduce. But these issues only seem to appear on reopening old chats from a previous session. The current sessions simply seem to work properly. Invitations do now respond to input feedback all the time and chat types get visualized depending on actual bits in a chat room’s key....
Read more

GNUnet Messenger API: May 2025

Hi again, to decrease complexity in the account system and key management I decided against separating identity keys from chat accounts and epoch keys for forward secrecy will instead be stored locally using GNS . The keys will be encrypted additionally using a key derived from the private identity key. So only the ownert of this key with storage access will be able to access those epoch and group keys to further access encrypted messages of certain epochs in the message graph. With those changes I could get rid of bigger API changes in the Messenger service . Key management is completely automatized now, once you provide a private key to the client API. So that makes further implementation a lot easier and it shouldn’t hurt confidentiality. As next step I want to improve the key exchange in regard to implement perfect forward secrecy. So that in case your long-term identity key gets into hands of an attacker, it’s still impossible to retrieve old epoch keys and access messages exch...
Read more

GNUnet Messenger API: March 2025

Hello again, since last month I tried to optimize the mechanism of forward secrecy further and indeed I was able to reduce the amount of messages required for a whole key exchange in a new epoch. So rather than scaling N scare if N is the amount of epoch members, it seems to scale linear now. That is quite an improvement but there’s still room for more adjustments. For example I realized recently that the current implementation is not providing perfect forward secrecy yet. That means if your long-term private key (the identity key to sign messages) gets compromised, an attacker might still be able to access messages from older epochs by request its keys from others. So to mitigate this, it will require changes that restrict requests of older epoch keys much more. Additionally deriving epoch keys via KDF could be adjusted to make it much more difficult to brute-force any epoch key from messages with HMAC using keys from the KDF. Once that’s done, there’s still work to do for allow...
Read more

GNUnet Messenger API: February 2025

Image
Hi again, My progress on the forward secrecy in the Messenger service of GNUnet is coming to a state where I have proper testing and results. You can find the current state of tests and benchmarks in a development branch of libgnunetchat which utilize a new ping tool for the Messenger service. The tool sends a TEXT message into a selected chat room and waits for other clients using the same tool but acting as receiver to send a TAG message back choosing the TEXT message as target. As a result the sender will measure and print out the delay between sending and receiving the response. Like that it’s possible to measure latency added via the implemented forward secrecy as well as its key exchange mechanism. The results so far are a mixed bag to be honest. Good news is that latency and general cost by symmetric encryption is negligible once the key for an epoch is exchanged. However bad news is that the amount of messages required for a proper key exchange as well as group formation...
Read more

GNUnet Messenger API: January 2025

Hello there, so I got some news for you again regarding my progress on the GNUnet Messenger service as well as the applications. Because there has been a GNUnet release last month which made libgnunetchat and the messenger applications using it incompatible, I needed to implement some changes, fixes and announced a new release . The forward secrecy I’m implementing in the Messenger service of GNUnet is still on development branch though. It will take some time until those changes are ready for release. But I got quite a bit of progress. The members of a chat actually start building groups, exchanging keys to form a tree structure as suggested in my last post from December . If any member of such a group is missing an epoch key, they will delay depending on their position inside their group the appeal for the missing key to then authorize the whole group after gaining access. This way ideally just one member will send an appeal, receive access, send an authorization and the rest of ...
Read more

Development in 2024

Hey everyone, welcome to my yearly recap of the year 2024. What happened? What did I work on? Well, quite a lot actually. So let’s start with the biggest project and continue from there. The GNUnet Messenger got funding from NLnet again as I mentioned in the end of last year. The new goal was to improve usability and add new features. What features are we talking about exactly? My concept was to achieve feature parity with most popular messaging apps but sticking to a decentralized context. For example I wanted to add profile pictures. But we can’t simply upload image files to a profile picture server/provider and poll from there for any new contact we get. So the solution required a bit of hacking around in the back-end. I used reclaimID from GNUnet to allow users sharing personal information with selected contacts of their choice and profile pictures may be such personal information for example. That means we can upload encrypted image files to a decentralized file sharing ser...
Read more

GNUnet Messenger API: December 2024

Hello, last month I’ve started to mention that I began to implement forward secrecy into the Messenger service of GNUnet . The fallback for key exchange in an epoch of messages is already working. Senders of messages will generate a new key just in time and announce it. Other members of that chat epoch will appeal the new key if missing and potentially gain access if allowed. As a way to improve key exchange further I’ve utilized a key derivation function to generate new epoch keys from ones of the previous epoch if and only if all members of the previous epoch are members of the new epoch (for example in case a new member has joined the chat). Otherwise a full exchange of a new and independent key is required to avoid access leakage to previous members that already left the chat. The last remaining step to improve efficiency further requires the setup of groups (or subgroups) inside an epoch. Those groups will either be formed by two members of an epoch or two groups of the same...
Read more