BitTorrent develops secure, decentralized chat program using public-key crypto

The program will use the BitTorrent DHT peer finding protocol to locate contacts without a central server

BitTorrent Chat encrypts communications directly between users

BitTorrent Chat encrypts communications directly between users

BitTorrent, the company behind the popular file sharing protocol with the same name, is developing a secure chat application that will encrypt all communications between users and won't use any central server to route messages.

The company announced that it planned to develop the secure messaging product, called BitTorrent Chat, in September. However, at that time there were no technical details available about it's possible implementation.

The product is still far from a stable release, but the BitTorrent developers have made progress since the original announcement and revealed more about the program's architecture in a series of blog posts Thursday.

The most fundamental difference compared to many existing chat programs is that BitTorrent Chat won't rely on a central server to deliver messages from the sender to their recipients. The encryption will be done directly among clients, not between the clients and a server.

Chat applications that rely on centralized, cloud-based servers are vulnerable to hackers or "NSA's dragnet surveillance sweeps," Christian Averill, BitTorrent's director of communications said in a blog post. "While we're hearing legislative calls to curb domestic spying, and corporate assurances regarding user privacy, we can't rely on these systems. Statements like 'just because we can, doesn't mean we should' don't guarantee user privacy."

In the absence of a central server to route messages between users, BitTorrent Chat users will find each other through the same mechanism that many BitTorrent clients use to locate file-sharing peers -- a Distributed Hash Table (DHT).

"In essence, the DHT is a web of peers cooperating," Abraham Goldoor, a software engineer on the BitTorrent Chat team explained in a separate blog post. "You ask your closest neighbor if they know of the person you are looking for. You then ask their neighbors, and their neighbors' neighbors, and so on. Eventually, you'll get to a peer (neighbor) who knows the address of the person you're looking for. They return this address to you. This is done in such a way that only you know who you are looking for."

In order to accommodate BitTorrent Chat's requirements, the DHT protocol itself has been updated to support encryption.

With BitTorrent Chat users will be identified by their public keys, which is part of a public-private key pair used for encrypted communications. Two users only need to exchange their public keys with each other to be able to chat securely.

Since there will be no traditional usernames and users will be identified by their keys, the infrastructure will also provide some level of anonymity.

However, even when used directly between users and not between users and a central server, public-key-based encryption does not protect against all types of attacks. For example, in most common implementations, if a private key is stolen, it can be used to decrypt all past and future messages encrypted with its corresponding public key.

To counter that, the BitTorrent Chat developers will implement a cryptographic feature known as forward secrecy. "Every time you begin a conversation with one of your contacts, a temporary encryption key will be generated," Goldoor said. "Using each of your keypairs, this key will be generated for this one conversation and that conversation only, and then deleted forever."

BitTorrent Chat is still in alpha stages of development, but users can apply to become early testers.

Join the CSO newsletter!

Error: Please check your email address.

Tags bittorrentInternet-based applications and servicesinstant messagingonline safetysecurityencryptionprivacy

More about NSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts