June 14, 2001

CryptoBox project: Making the Web more anonymous

Author: JT Smith

- By Grant Gross -

A quiet project hosted on SourceForge.net is attempting to give Internet users a level of anonymity that hasn't yet been achieved. Founders of the CryptoBox project are dedicating it to Internet users in censorship-happy countries who face getting prosecuted for sharing their beliefs.

The CryptoBox developers are working on an ultra-secure, decentralized instant messaging application that could also be used to encrypt other types of online transmissions, such as email and file sharing. Project founder Nikola Bobic, a graduate student and part-time instructor at the University of Ottawa's School of Information Technology and Engineering, makes no guarantees that his software will be perfectly secure --- like many security experts, he admits there is no such thing -- but his goal is to make the program as secure as humanly possible.

"An attacker would need extraordinary resources to read your messages," he writes in the project FAQ.

"Anonymity, when talking in CryptoBox's context, refers to the fact that no one is able to tell with a certain degree of certainty, whether you are sending messages or receiving them."

Unlike email using PGP or anonymous remailers, where the identity of the person receiving the message can be seen by snooping parties, CyptoBox uses two-way anonymity. "When you send an encrypted message to someone (using email with PGP), an attacker maybe can't break the message, but she sure knows that you are communicating with that other person," Bobic writes. "If that other person is someone who the government does not like, this fact alone can be enough, in some countries, to imprison you for conspiracy and treason against a regime."

Bobic started CryptoBox as a research project, an extension of his research into wireless networking. CryptoBox's peer-to-peer foundation is similar to the ad-hoc networks that serve as the basis for wireless communication, Bobic says.

"Another influence was the general lack of any quality security
toolkit out there as well as the social and political issues," he says. "Since we
firmly believe in freedom of speech, it is disheartening to see how
many people are imprisoned around the world simply because they have
conflicting views and ideas from the regime currently in charge. We
would like to provide those people with means of safe, private and
effective communication so that they can disseminate their views freely
with the rest of the world and finally bring democracy to their people."

CryptoBox is a security layer that "can be interfaced with any application that needs to communicate securely," according to the project's about page. It uses its own XML-based Internet protocol, which is relayed to a transport, which can be TCP/IP, SSH, etc., and it can be piggybacked onto communication protocols of other applications, such as Freenet. Most of the protocols and standards in CryptoBox use public key infastructure.

The infant project, started in late 2000, is concentrating right now on instant messaging functions, but developers plan to offer other plug-ins for functions such as sharing small files and voice over IP. Bobic does not plan to write a plug-in to trade MP3s. "You can, if you want to spend 45 minutes of your time, build one quickly on your own," he writes.

The two-person (at least until recently) CryptoBox team has switched the programming language for CryptoBox from MS DCOM architecture in C++ to Java. [For an explanation of why MS DCOM, see the FAQ.] Since then, the team has been working on some problems with the code.

"Since then, we have managed to solve a vast majority of [the problems] and the only
thing left now is to optimize node optimization and connection
protocols," he says. "One of the most complex parts of the system is the dynamic
optimization algorithm which is the heart and soul of the mobile
network agent and it is extremely tricky to specify it completely. We
have a lot of code which was written for testing and simulation
purposes and that will have to be converted slowly over to Java."

The project, which has only released the old C++ version of the code, got a recent boost from a posting on InfoAnarchy.org. The post generated some questions and criticisms -- Bobic says he wasn't quite ready for the exposure yet -- but since the article, he says he's gotten offers to help from eight developers and one person has already started working on the project documentation. The post also generated about 30 encouraging emails, he says.

One of the next projects for the CryptoBox team is picking which Open Source/Free Software license they want to use. Bobic says he's considering the GPL, but he doesn't want to require programmers who make derived work from CryptoBox to also release that work under the GPL. "Since we would like the protocols/layers that we
implement to be useable in any commercial application as well (without any
royalties), we run into some conflicts," he says. "The solution would then be to
release it under LGPL; however, we then have to separate the layers and
protocols into one section (LGPL) and applications (plug-ins) into the
GPL section. This can be very tricky and could dictate the development
plan as well (something that we'd like to avoid at all costs)."

Another licensing hurdle, Bobic says, is what to do if the project wants to patent a particular algorithm.

"We would like the patent to be free for everyone who releases code under GPL and
charge those who would like to use it for commercial applications," he says. "I
see the uncertainty of what exactly has the higher authority: GPL or a
patent law and I am unsure at this point what would be the best step to

The project's design philosophy states that the "whole application (or at least the most critical parts of it) has to be open-sourced. This is the ONLY way to give users complete confidence of app's inner workings."

Bobic says he has several goals for the young project, most of all to provide a "thin, easy-to-use security and anonymity" for the Internet. "The main goal
is to provide a commercial-quality and strength API which anyone who wants
to add to their application will be able to do so. There are a
lot of anonymity and security related applications out there but none
of them are extensible and are tuned for a particular task such as
emailing and file sharing, for example. We wanted to ...
create something that requires very little to none user input and is
also general enough so that it can be used for any specific purpose."


  • Programming
Click Here!