Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ProjectTox: Free as in freedom Skype replacement

AZ Huang
April 11, 2014
Programming
1
2k

ProjectTox: Free as in freedom Skype replacement

OSDC.tw 2014
Speaker: Wei-Ning Huang (http://azhuang.me)

http://osdc.tw/schedule.html

AZ Huang

April 11, 2014
Tweet

Other Decks in Programming

See All in Programming
Anthropic Cookbook のおすすめレシピ
schroneko
7
980
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
380
Goのエラースタックトレースの歴史と今後
sonatard
9
1.5k
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
"config" ってなんだ? / What is "config"?
okashoi
0
240
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
780
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
710
Code Reviews
bkuhlmann
4
890
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
Ruby Pattern Matching
bkuhlmann
0
930

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Why Our Code Smells
bkeepers
PRO
331
56k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Web Components: a chance to create the future
zenorocha
305
41k
Designing the Hi-DPI Web
ddemaree
276
33k
Art, The Web, and Tiny UX
lynnandtonic
289
19k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
Optimising Largest Contentful Paint
csswizardry
8
2.4k
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k

Transcript

  1. ProjectTox Free as in freedom Skype replacement Wei-Ning Huang (AZ)

  2. About the Speaker • 正在水深火熱中的碩二學生 • 熱愛Python及Open Source • Involved

    open source projects: o Gummi LaTeX Editor o cppman o PyTox o ProjectTox-Core o Toxic o jToxcore o … • More info: http://azhuang.me

  3. Outline • What is Tox? • Functionality • Architecture and

    Design • Pitfalls and Solutions • In Progress Features • Client and Bindings • Live Demo

  4. What is anyway?

  5. What is anyway? • FOSS messaging network, supports A/V (GPLv3)

  6. What is anyway? • FOSS messaging network, supports A/V (GPLv3)

    • Decentralized architecture

  7. What is anyway? • FOSS messaging network, supports A/V (GPLv3)

    • Decentralized architecture • End-to-end encryption

  8. What is anyway? • FOSS messaging network, supports A/V (GPLv3)

    • Decentralized architecture • End-to-end encryption • Configuration free (does not require registration)

  9. What is anyway? • FOSS messaging network, supports A/V (GPLv3)

    • Decentralized architecture • End-to-end encryption • Configuration free (does not require registration) • Secure and easy to use

  10. What is anyway? • FOSS messaging network, supports A/V (GPLv3)

    • Decentralized architecture • End-to-end encryption • Configuration free (does not require registration) • Secure and easy to use • A Skype replacement

  11. Why are we doing this?

  12. Why are we doing this?

  13. Why are we doing this?

  14. Why are we doing this? 4chan/g/

  15. Why are we doing this? 4chan/g/

  16. Why are we doing this?

  17. Why are we doing this?

  18. Why are we doing this? 馬卡茸表示:如果沒做錯事,就不用怕監聽! 圖片來自插畫家謝立聖

  19. Why are we doing this? 馬卡茸表示:如果沒做錯事,就不用怕監聽! 圖片來自插畫家謝立聖 ???

  20. Why are we doing this? 馬卡茸表示:如果沒做錯事,就不用怕監聽! 圖片來自插畫家謝立聖 ???

  21. Why are we doing this? 馬卡茸表示:如果沒做錯事,就不用怕監聽! 圖片來自插畫家謝立聖 憲法第十二條:「人民有祕密通訊之自由」 ???

  22. Why are we doing this?

  23. Why are we doing this? • We want a free(as

    in Freedom) and secure alternative for , since it is “Microsofted”....

  24. Why are we doing this? • We want a free(as

    in Freedom) and secure alternative for , since it is “Microsofted”.... • "We don't want to be the next secure chatting program, we want to be the next secure chatting program that people actually use." - Someone on IRC

  25. Why are we doing this? • We want a free(as

    in Freedom) and secure alternative for , since it is “Microsofted”.... • "We don't want to be the next secure chatting program, we want to be the next secure chatting program that people actually use." - Someone on IRC • Current secure chat programs aren't easy to use, at least not for our parents and grandparents normal people

  26. Who started this?

  27. Who started this? • irungentoo o Real identity is a

    mystery :P o Most of the code is implemented by him

  28. Who started this? • irungentoo o Real identity is a

    mystery :P o Most of the code is implemented by him • Project started up Jun 23, 2013

  29. Who started this? • irungentoo o Real identity is a

    mystery :P o Most of the code is implemented by him • Project started up Jun 23, 2013 • There are currently about 10 active tox.im developers, including me.

  30. Architecture and Design

  31. Architecture and Design • Separated core and client, Tox is

    a library.

  32. Architecture and Design • Separated core and client, Tox is

    a library. • Current implemented features in core:

  33. Architecture and Design • Separated core and client, Tox is

    a library. • Current implemented features in core: o Text messages • Read receipt • Typing status

  34. Architecture and Design • Separated core and client, Tox is

    a library. • Current implemented features in core: o Text messages • Read receipt • Typing status o File transfer (way faster than Skype)

  35. Architecture and Design • Separated core and client, Tox is

    a library. • Current implemented features in core: o Text messages • Read receipt • Typing status o File transfer (way faster than Skype) o Group chat (IRC-like, currently invitation only)

  36. Architecture and Design • Separated core and client, Tox is

    a library. • Current implemented features in core: o Text messages • Read receipt • Typing status o File transfer (way faster than Skype) o Group chat (IRC-like, currently invitation only) o Audio / Video call support • Currently only 1-to-1 call supported • 1-to-many and many-to-many support on the way!

  37. Architecture and Design • Separated core and client, Tox is

    a library. • Current implemented features in core: o Text messages • Read receipt • Typing status o File transfer (way faster than Skype) o Group chat (IRC-like, currently invitation only) o Audio / Video call support • Currently only 1-to-1 call supported • 1-to-many and many-to-many support on the way! o All communication between clients are encrypted.

  38. DHT

  39. DHT • Distributed Hash Table similar to BitTorrent

  40. DHT • Distributed Hash Table similar to BitTorrent • Hash

    table contains ID to IP-Port mapping

  41. DHT • Distributed Hash Table similar to BitTorrent • Hash

    table contains ID to IP-Port mapping Bootstrap Server Client NAT Client Client LAN Discovery Client Client Boostrap Hole punching NAT

  42. Friend Requests

  43. Friend Requests • Friend requests are routed between clients

  44. Friend Requests • Friend requests are routed between clients •

    Client list or a list of clients whose ID are mathematically (XOR) closest to us

  45. Friend Requests • Friend requests are routed between clients •

    Client list or a list of clients whose ID are mathematically (XOR) closest to us Alice Jack Lucy Bob Request Request Got Alice’s IP_Port

  46. Using the UDP Protocal • Using UDP, easier for hole

    punching

  47. Using the UDP Protocal • Using UDP, easier for hole

    punching • A Lossless UDP protocol on top of UDP

  48. Using the UDP Protocal • Using UDP, easier for hole

    punching • A Lossless UDP protocol on top of UDP • Allow packet drop for A/V data packet

  49. Using the UDP Protocal • Using UDP, easier for hole

    punching • A Lossless UDP protocol on top of UDP • Allow packet drop for A/V data packet • NAT Traversal: Most NAT works, but symmetric NAT are problematic for now

  50. Encryption • Using Elliptic Curve Cryptography o Short key length,

    but still secure

  51. Encryption • Using Elliptic Curve Cryptography o Short key length,

    but still secure • Using NaCl (Networking and Cryptography library)

  52. Encryption • Using Elliptic Curve Cryptography o Short key length,

    but still secure • Using NaCl (Networking and Cryptography library) o libsodium is prefered

  53. Encryption • Using Elliptic Curve Cryptography o Short key length,

    but still secure • Using NaCl (Networking and Cryptography library) o libsodium is prefered o crypto_box: curve25519xsalsa20poly1305 • curve25519 for Key exchange • xsalsa20 for encryption • poly1305 for message authentication

  54. Encryption • Using Elliptic Curve Cryptography o Short key length,

    but still secure • Using NaCl (Networking and Cryptography library) o libsodium is prefered o crypto_box: curve25519xsalsa20poly1305 • curve25519 for Key exchange • xsalsa20 for encryption • poly1305 for message authentication • ID == Public Key o Example ID: 4E9D1B82DEE3BD3D4DDA62190873EA40737251A4 3445E4D517E66230BC4507233533EDD01F24

  55. Pitfalls and Solutions

  56. Pitfalls and Solutions • Attack against DHT o Sybil attacks:

    attacker with large resource (e.g. governments) can create a large number of pseudo nodes that does nothing or disrupt network.

  57. Pitfalls and Solutions • Attack against DHT o Sybil attacks:

    attacker with large resource (e.g. governments) can create a large number of pseudo nodes that does nothing or disrupt network. • Metadata Leaking o When routing friend requests, nodes leaks information about the request’s ID and IP mapping. o Possible to identify a users’s real identity with IP

  58. Pitfalls and Solutions • Attack against DHT o Sybil attacks:

    attacker with large resource (e.g. governments) can create a large number of pseudo nodes that does nothing or disrupt network. • Metadata Leaking o When routing friend requests, nodes leaks information about the request’s ID and IP mapping. o Possible to identify a users’s real identity with IP • How do we safely exchange ID (Public Key) o Key being swap by a MITM?

  59. Solutions • Attack against DHT o Periodically check all client’s

    behavior to see if it’s a bad node. o The criteria of a good node is strict.

  60. Solutions • Attack against DHT o Periodically check all client’s

    behavior to see if it’s a bad node. o The criteria of a good node is strict. • Metadata Leaking o Don’t use their long term keypair in DHT, generate a temporary one when sending friend requests. o Onion routing for friend requests

  61. Solutions • Attack against DHT o Periodically check all client’s

    behavior to see if it’s a bad node. o The criteria of a good node is strict. • Metadata Leaking o Don’t use their long term keypair in DHT, generate a temporary one when sending friend requests. o Onion routing for friend requests • How do we safely exchange ID (Public Key) o DNS lookup!

  62. DNS User Discovery

  63. DNS User Discovery • Use DNS TXT record to store

    the ID, for example: o tox://[email protected] will be mapped to at TXT record ‘tox1._tox.azhuang.me’

  64. DNS User Discovery • Use DNS TXT record to store

    the ID, for example: o tox://[email protected] will be mapped to at TXT record ‘tox1._tox.azhuang.me’ o ‘v=tox1;id=4E9D1B82DEE3BD3D4DDA62190873EA40 737251A43445E4D517E66230BC4507233533EDD01F2 4’

  65. DNS User Discovery • Use DNS TXT record to store

    the ID, for example: o tox://[email protected] will be mapped to at TXT record ‘tox1._tox.azhuang.me’ o ‘v=tox1;id=4E9D1B82DEE3BD3D4DDA62190873EA40 737251A43445E4D517E66230BC4507233533EDD01F2 4’ • To prevent DNS poisoning or MITM, use the tox2 protocol (requires a extra pin): o 'v=tox2;pub=4E9D1B82DEE3BD3D4DDA62190873EA407372 51A43445E4D517E66230BC450723;check=1F24‘

  66. DNS User Discovery • Use DNS TXT record to store

    the ID, for example: o tox://[email protected] will be mapped to at TXT record ‘tox1._tox.azhuang.me’ o ‘v=tox1;id=4E9D1B82DEE3BD3D4DDA62190873EA40 737251A43445E4D517E66230BC4507233533EDD01F2 4’ • To prevent DNS poisoning or MITM, use the tox2 protocol (requires a extra pin): o 'v=tox2;pub=4E9D1B82DEE3BD3D4DDA62190873EA407372 51A43445E4D517E66230BC450723;check=1F24‘ • tox.se will be available for the public 

  67. In Progress Features

  68. In Progress Features • DHT Hardening o Research for more

    attach patterns

  69. In Progress Features • DHT Hardening o Research for more

    attach patterns • TCP Server o Route traffic for clients behind symmetric NAT or enterprise firewalls o Act like a “Super node” in the Skype network

  70. In Progress Features • DHT Hardening o Research for more

    attach patterns • TCP Server o Route traffic for clients behind symmetric NAT or enterprise firewalls o Act like a “Super node” in the Skype network • A/V improvements o Congestion control and variable bitrate support o A/V synchronization

  71. Clients and Bindings

  72. Clients and Bindings

  73. Clients and Bindings • Support most platforms

  74. Clients and Bindings • Support most platforms o Windows, Linux,

    Mac • Toxic (Ncurses CLI), has audio call support • Venom (Vala with GTK+) • Poison (MacOS only)

  75. Clients and Bindings • Support most platforms o Windows, Linux,

    Mac • Toxic (Ncurses CLI), has audio call support • Venom (Vala with GTK+) • Poison (MacOS only) o Mobile • AnTox (Android), supports QR code scanning • Toxicity (iOS)

  76. Clients and Bindings • Support most platforms o Windows, Linux,

    Mac • Toxic (Ncurses CLI), has audio call support • Venom (Vala with GTK+) • Poison (MacOS only) o Mobile • AnTox (Android), supports QR code scanning • Toxicity (iOS) • Language bindings: o Python: PyTox (full A/V support) o jTorecore: used in Antox

  77. How to use? • Just launch any client, and it

    will generate a public/private key pair for you

  78. How to use? • Just launch any client, and it

    will generate a public/private key pair for you • No login required

  79. How to use? • Just launch any client, and it

    will generate a public/private key pair for you • No login required • Send your public key to you friends

  80. How to use? • Just launch any client, and it

    will generate a public/private key pair for you • No login required • Send your public key to you friends • Add you friends with their public key

  81. How to use? • Just launch any client, and it

    will generate a public/private key pair for you • No login required • Send your public key to you friends • Add you friends with their public key • Start chatting!

  82. PyTox

  83. PyTox • CDD (Conference Driven Developemnt)

  84. PyTox • CDD (Conference Driven Developemnt) • No A/V support

    2 days ago… o The video implementation in core even has some critical bugs

  85. PyTox • CDD (Conference Driven Developemnt) • No A/V support

    2 days ago… o The video implementation in core even has some critical bugs • Full A/V support implemented before OSDC.tw!

  86. PyTox • CDD (Conference Driven Developemnt) • No A/V support

    2 days ago… o The video implementation in core even has some critical bugs • Full A/V support implemented before OSDC.tw! • Leverage the power of Python o An EchoBot can be implement in less than 50 lines of Python code o SyncBot: a PoC of PyTox, syncing messages between Tox groupchat and freenode #tox-ontopic

  87. PyTox

  88. Live Demo

  89. Join Us! • Wiki: o http://wiki.tox.im/ • Github: o ProjectTox-Core:

    https://github.com/irungentoo/ProjectTox-Core o PyTox: https://github.com/aitjcize/PyTox • Freenode IRC o #tox, #tox-dev, #tox-ontopic