project-proposal-2024

Pigeon: serverless E2EE instant messenger

Abstract

Encryption is now a requirement for any traffic travelling through the internet, and this is especially true for private instant message (IM) conversation. Some IM connections still occur in plain text, and others only employ encryption in transit, which means your IM app can decrypt and store your messages before they reach you, and can do whatever they want with them. End-to-end encryption (E2EE) is the solution to this. With E2EE, messages are encrypted by the sender and can only be decrypted by the reciever, meaning it is impossible for anyone else to read them (technically). Most IM applications (e.g. WhatsApp, Signal) use a server-client architecture, but this is not the gold standard of privacy, as there is no guarantee of what happens to the messages once they reach the server. A serverless architecture (e.g. peer-to-peer) allows a text conversation to take place between the users with no intermediaries. Pigeon is a serverless E2EE instant messenger application, the ultimate messaging app for all your super secret communications.

Author

Name: Kaitlyn Lake

Student number: 46426372

Functionality

• Registeration - users will register as a Pigeon user through a simple and quick process, where they will only need to choose a username and setup their authentication process. No other data will be collected about them for optimal privacy.
• Send and receive messages - users can send and recieve messages one-to-one or form group chats of many users. Messages can consist of text or standard multimedia data supported by most instant messaging apps, such as image, GIF, voice recording, etc.
• Contact management - users can add new friends to their contact list through QR or other code, as well as remove them.
• MFA & passkey access - a password will be mandatory for access, but users can opt in to MFA and/or passkey access.
• Account & data deletion - users can delete the chat history of any chat they are a part of, and this is enforced on all other users in the same chat. Users can also delete their account and all associated data instantly. Since all of it is stored locally on their device, this not leave any trace of them besides any un-removed chat history.
• Abuse & misuse management - users can block other users, and the blocked user will be completely unable to interact with them.
• Protection from cyberattacks - simple mechanisms to prevent common cyberattacks will be implemented, such as maximum pasword attempts to prevent brute-force attacks, message authentication to defend from spoofing, etc.
• Network control - users can configure how their traffic is routed, such as through TOR, a VPN or a proxy.
• Personalisation - users can optionally set a profile picture, and different themes, colours and styles for their chat UI.

Scope

The functionality and features required for an MVP:

Architecture

• The application should use a serverless or peer-to-peer architecture
• Messages must be E2EE with the most feasible and powerful encryption (this is built into the tools seen below)
• Peer-to-peer E2EE messaging can be accomplished using one of the following (slightly experimental) tools and protocols:
  • Tox (https://github.com/TokTok/c-toxcore)
  • Bitmessage (https://en.wikipedia.org/wiki/Bitmessage)

Data & storage

• All user app data and chat history should only be stored locally and encrypted with the most feasible and powerful encryption (e.g. 4096-bit RSA)
• Messages should not contain any unnecessary metadata and telemetry required for sending and recieving messages, other than a timestamp

UI

• The UI should be minimal, clean and intuitive. The following user interfaces must be present:
  • Registration page
  • Login page
  • Chat list page
  • Contact list page
  • Chat page
  • Settings and configuration page

Basic functionality

• Manual addition of contact, through a QR code or some other type of code/link
• One-on-one chat capability
• Sending and recieving text data
• Store and view chat history
• Register as Pigeon user. This should require as little information about the user as possible, such as only a username

Compatibility & deployment

• The application should be platform independent if possible, and if not, then designed for a Linux desktop environment

Quality Attributes

Security - the point of Pigeon is that it is as secure and private as possible, so security is the most important quality attribute. Messages should be sent peer-to-peer to enhance privacy and encrypted both at rest and in transit with the greatest feasible encryption. The Pigeon application should follow the principle of least privilege, meaning the application should store as little data possible about its users, and have as little access as possible to the OS. Where necessary, security should be chosen over all other quality attributes.

Reliability - users need to be able to rely on their messages being sent and recieved without error, as Pigeon is designed to maintain the privacy and integrity of communication. Also, any security and software error could also potential lead to a security event.

Availability - users should be able to message their contacts whenever they like, wherever they have a reliable enough internet connection. The ability to text wherever and any time of day is crucial, such as during emergency situations. Reliability and availability are equally important and trade-offs considered on a case-by-case basis.

Scalability - it is important the application is able to handle a large volume of users, since instant messengers are designed to connect as many people as possible. But due to the principles and motivation behind Pigeon - an application users can trust and rely on the integrity of - reliability and availability should take priority over scalability.

Evaluation

Unit tests - unit tests will be written as the app develops to test the logical components of the system and their integration, i.e. UI, storage and persistence, sending and recieving functionality, etc. There will be >100 unit tests.

User tests - the UI and UX design for all UI components outlined in Scope should be simple enough for a user with no technical training, to make the app as accessible as possible. >=5 user tests will be conducted with each round of testing, and the UI will be revised until all users are able to accomplish the basic functions of the app.

Security tests - the application will be tested if it meets the security quality attribute by attempting to launch cyberattacks against it. Packet analysers like Wireshark will be used to collect application packets, and will be analysed for the following features:

• No identifying metadata or telemetry
• Strong encryption standard

Spoofing and Man-in-the-Middle attacks will be attempted, and if neither succeed, the application will be deemed secure.

Reliability and availability tests - the app will be tested for reliability and availability attributes, by messenging between two users at up to 40km distance from each other. If they are able to send and recieve text messages with less than 10 seconds of latency and without error, the application will have met the reliability and scalability requirement.

Scalability - if the application can tolerate up to 100 users without a reduction in security, reliability or availability, it will have met the scalability requirement. This may be tested with a tool similiar to Grafana k6. If no tool exists that can test this, five pairs of users will repeat the reliability and availability tests instead.