Frontpage          Newsfeed          Search     

AnoChat v. 1.0 released
(Please note that this software is now upgraded to v. 1.1)

AnoChat v. 1.0 was released today, and is optimized for portability and easy setup.

And design - you can now choose from more than twenty different skins when you log on to converse in private with your friends, and if you want to add a new skin, it's easy with the help of the skin design page and the included templates.

AnoChat is software for chat using 3DES encryption.
Published: 04.12 - 2007 03:43Printer version    
Knut Møgster

This software is meant for encrypted group conversations in form of a chat room.

The purpose was to provide a reasonable chance of a private conversation on the internet in a webpage, without traces or logs, and with the content of the conversation encrypted.
It should be done in a simple and easy distributable way, so that people can download the scripts and install on their own web servers and domains, without specially installed software for encryption.

To implement this, we just need a Javascript capable browser, a web server running a ordinary php-distro, and the AnoChat scripts. A basically out-of-the-box configuration, and still: with considerable capability for obscuring data.

The idea is that a group of people creates and updates one chat-file on a server with encrypted content for a given moment of time, then deletes the file. It is a private conversation and nobodys business. The file can be accessed by all from any PC, there's no software needed to install. All they need to know is a token phrase and the address to a server where AnoChat runs, and which time to log on.

The security lies in the fact that all content is encrypted by Javascript before it leaves the user's browser, and only those with foreknowledge of the key can decrypt the message as that key never is transmitted over the internet.

The conversation will not be entirely without traces as the sent encrypted hashes is stored in the webserver log, but the key to decrypt them will not be known.

Test the AnoChat here

Now the chat has been upgraded from v. 1.0 to v. 1.1, with more improved security and useability. Please read this article to check out the upgrade:

--> AnoChat v. 1.1 released

Download the AnoChat here:
AnoChat version 1.1 (mlk)

See also the new AnoBBS:
AnoBBS - encrypted bulletin board system v. 1.0

How to create a chat
Go to the AnoChat main page and search for the phrase you have agreed upon. If the chat exists, it will let you log on. If it does not exist, you can create the chat.

This phrase is the only thing you need to know.
Here's an example:

The new search in version 1.0 returns a row of skins to choose from.
The user clicks on the preferred skin to start the chat window.

The chat windowOnce the window starts, the user logs in using the same code phrase as was used for the search, and a random nickname.
The nickname is encrypted with the MD5-digest of the code phrase.

The room starter also must set a topic for the chat, the subsequent users won't have to. The topic is encrypted before sent to the server.

Once inlogged, the user waits until other users logs on. The conversation in this window is encrypted and decrypted by Javascript only, and no userdata leaves the browser before it is encrypted.

The user Pitus has access to the same chat room and content after logging in, but with different colors and graphics as he has chosen another skin.

The chat has text color formatting functions, and you can use smiles. It also autoconvert links to clickable links, and create images from image url.
Every chat line is encrypted on send, and appended the chat file on the server.
The co-chatters and their level of activity will be visible on the right side as they log on.

The Chat FunctionsAuto-refresh
The auto-refresh has a fairly advanced system of adjusting itself to the users activity. One of the problems with chat hosting is the constant refresh of new content from the server. Let's say you have a refresh rate programmed into your chat client of 5 seconds. It will then poll the server for new content every 5th second. OK, any server can cope. But then if you have 50 clients online, each pinging the server every 5th second, the server will be pinged many times a second.

But if there should be any point in chatting at all, you must refresh from time to time, else it is too quiet. The solution is to tune the refresh to the user activity.
This can be changed in the anochat.js, but with the auto refresh as it's set as default, you get the following degradation when the user is inactive (does not post):

You get 10 sec. refesh rate for 4 refreshes, then it drops to 20 sec. refresh rate for 4 refreshes and 30 sec. refresh rate for the next 4. Next level is 1 minute, where it stays for 10 refreshes, before it drops to refresh every 5 minutes for 4 refreshes. Next again is every 30 minutes, which it does 4 times before dropping to a ping every hour, where it stays.

In cleartext:
10 sec refresh / 40 seconds
20 sec refesh / 80 seconds
30 sec refresh / 120 seconds
1 min refresh / 10 minutes
5 min refesh / 20 minutes
30 min refresh / 2 hrs
1hr refresh - forever, or for 2000 refreshes

When the user posts, the timer drops to refresh every 10 sec again, and the pattern repeats. The auto refresh can also be turned off. Default is On.

Show time
A preference; show or hides time in the chat rows. Default is Off.

Smiley insert with a click
I am a smiley man. I'm sorry, but that's how it is
The smilies can be inserted with a click on the smiley you want. Pure rocket science.

Color formatting of post text
The user can format the text with colors by selecting from the dropdown.

Auto conversion of links and images
There's no point in advanced formatting in a chatroom where all content will be deleted shortly, but simple conversion of links and images are performed on the text. To post a link, you post an url. To post an image, you post the url to the image.

Room list with activity status
The users in the room list will have indicators of their last activity, and change color as they drop down the list.

The login and logout
The login and logout on this system is not an authentication, it is a service for your co-chatters to see whether you are there or not. Remember, nothing leaves the users browsers without being encrypted, so the server has no data with which to perform an authentication. The authentication lies in the fact that only the group knows the key to decrypt, others don't.
The last person in the room to logout will delete the chat file.

Tip: To post messages without clicking Send:
Ctrl+Enter in Internet Explorer
Arrow up in all other browsers

NOTE: The chat room inhabitants is operating in a total democracy. There are no admins, no ban functions or auto scripts. Due to the nature of how the AnoChat works, it's no point. If you don't want a person in the chat room, don't give him the code phrase. If somebody annoys the chat room, drop it and create another.

How to installUnzip and copy the contents of the 'root' directory to your web root, or where you want to have the chat.

The anochat.php and the acinstall.php need to be executable for the webserver user.
This worked for me in linux:
chmod 755 anochat.php
chmod 755 acinstall.php

You can then access the install.html page by your browser, and check the progress of the installation while you do the rest.

Next, you need to upload the 'progs' directory to a secret location, preferrably outside the web dir.
Inside the 'progs' directory is the directory for the chat files, called 'chats'. This must be world writable (777) or owned by the server user (Apache: often 'nobody'). Try:
chmod 777 chats

The dir setup, suggested:
- img
- js
- skins
- smiles
- chats

Edit the file config.php in the 'root' directory, and set the correct paths:

## Absolute path to progs (includes) dir. No trailing slash ##
$prog_dir = "/path/to/progs dir";
## Absolute path to web root dir. No trailing slash ##
$root_dir = "/path/to/root dir";

You can also change the directories for chats and skins, but the default values will work fine.
Use the install.html file to verify your installation when you're done. All values should be blue or green,
and you should see a table with the installed skins as thumbnails.

Once you have installed the chat, delete the install.html and the acinstall.php.

Install textfile:


How to design/redesignTo redesign the main page:
Edit the anochat_iterapi.css and index.html to redesign the main page.
The index.html can be renamed to something else, or the code for searching/creating chats be moved to another page.
You will need the search form and the layer named 'esca', and the included javascripts in the index.html head section
for it to run. Look in the code for comments of how to port it.

To create a new skin:
Each skin has a style sheet in the skin folder, called anochat.css. You can edit all values for each chat window in that stylesheet.
In addition to the style sheet, each skin usually has a background image, and to make it visible: a thunbnail called:
The skin won't show up without that thumbnail, which size is w150xh137.
There are two transparent gifs to help you design a new skin in the folder design_templ. There is also the page designchat.html (show to the left), which is made to help you design skins.

Skin How-to:
- create a folder inside the skins directory for the skin
- edit the chatdesign.html and set the skin folder as variable in the javascript function:
- upload the chatdesign.html to the chat root directory and point to it with your browser
- copy a stylesheet from one of the other skins to the new directory, preferrably one that's close to the styles you want for the new skin.
- start your favourite graphic program, and open the files in the design_templ directory. Use them as guide or as is.
- copy in the image you want as background and save the file as bg.jpg (you can of course change this in the stylesheet)
- edit the stylesheet and refresh the chatdesign.html until you're satisfied
- use the thumbnail template to create a thumbnail and save it as skinthumb.jpg
- upload to the skin directory, and the new skin will be available for use

The scriptsThe index.html and the main window javascript anochat_mainwin.js
The index has the search function for finding/creating chats. It need to have the anochat_mainwin.js and the anochat_system.js, and also the style sheet anochat_iterapi.css, in the head code for it to run. In addition, it needs the md5/3DES libraries below.


The chat window and related files
The chat window uses the main javascript, anochat.js and the anochat_system.js to run. It also uses the MD5/3DES scripts. It is style-formatted by a stylesheet (anochat.css) in each skin directory.
(skin dir)/anochat.css

The chat window is created from the index.html and does not have it's own url.

Key/ID generation and 3DES encryption

The Javascript 3DES encryption and the md5 hash generation is two scripts I've used for a while as authentication tools. The 3DES function were developed by Paul Tero, a very splendid programmer, I think I downloaded it first in 2002. He has some other great scripts too, you oughta check it out if you like javascript.


Encryption example
var xKey = 'i love my thick fleece jacket';
xKey = MD5(xKey);
var xmessage = 'This is the secret message for encryption';
var thash = des(xKey, xmessage, 1, 0);
var phex = printHex(thash);

Returns phex for transfer over the net, while never submitting the value xKey or xmessage in any form.
The functions for encryption and digest production does empower Javascript to generate a key from a string, and 3DES encrypt a message. The piece of code needed is not extensive once these libraries are included.

The PHP scripts

"Cheat" Ajax
var url = 'anochat.php?c=sal';
var doUsercrypt = des(doKeyx, nickfieldval, 1, 0);
var phex = printHex(doUsercrypt);
var jsel = document.createElement('SCRIPT');
jsel.type = 'text/javascript';
jsel.src = url+'&q='+doCode+'&x='+phex;
document.body.appendChild (jsel);

It appends the javascript return from the anochat.php to the body of the document, after sending a batch of encrypted material.
The PHP scripts are the motor in the chat, fetching the chat file contents and returning the content as ready javascript, which is included in the chat window. The PHP scripts does not encrypt or decrypt content and does not have the key to do so.
The PHP script anochat.php runs a switch which responds to the variables sent from javascript in the cheat Ajax routine.

There are only two php scripts needed to run, the anochat.php is the main script, while the various functions are included from cFunctions.php.
New in version 1.0: the config is moved out to a standalone script; config.php


New in AnoChat 1.0
The new version has some new scripts to help design new chat windows, and also a check installation script, to help you get it all right. There are also some transparent gifs to help design the windows.



BreakdownColor codes:
Private key
Public key
Encrypted string

The auth code is generated from the token phrase, and it looks like this:
Clear text code (private)
MD5 once code (private)
MD5 twice code (public)

MD5 is not reversible, it is a digest, not encrypted data, meaning that anybody having access to the md5twice cannot use it to get the other versions 'decoded' in any way. All encryption is performed as triple DES with the md5once version as key.

The md5twice is used as the chat id when sending data to the server, and a file on the server is created by php, which does another md5 on the md5twice before using it as the chat file name, for security reasons.

Routine for sending data:
Your clear text phrase is used to generate two keys, let's use an example:

The phrase is 'i love my thick fleece jacket'

The MD5 digest of that phrase would be:
This is your key for encryption. It is never transmitted over the network.

Twice MD5 of that phrase would be:
This becomes the chat id, and subsequently, the group id. It is in the public domain.

Triple MD5 of that phrase would be:
This the file name and chat ID which php uses.

So, when the button Send is pushed, a Javascript function triggers and triple DES encrypts the content of the post form, then prints an hex string of the encrypted binary for easy transportation. It will look app. like this:


The length of the string will depend on the length of the message sent. It will also encrypt the nickname of the chat user before relay to server.
Once all data is prepared, the encrypted strings is sent to a php-script at the server, where the chat line are stored in the file.

### Chat file 35075230be6ac06a0f6aa137a515a729 start ###
|i|2007-11-23 3:07|/i|
|Conversation below this|

The file lasts as long as the chat are alive (last updated + max session time), there is possibility for adjusting the life time in the anochat.php config.

The residues in the webserver (Here: Apache) log file: - - [23/Nov/2007:03:47:30 +0100] "GET /anonymouschat/anochat.php?c=cac&q=35075230be6ac06a0f6aa137a515a729&
cc=0x78549a78314fba494c37436c681de9c5&x=0xa7357656f2b09fe0 HTTP/1.1"
200 670

Receiving data

The return from the php script is a javascript containing the new content, from the chat file. When loaded into the the respective layers, the encrypted hashes are decrypted by javascript and displayed.

When in chat mode, there are two states that fetches new content; the Send and the Ping. The Send is your action to encrypt and send the message, and the subsequent return of data. The Ping is a read only request for new content, and may be set to auto refresh.

Here are send and return, as seen in Network Active Sniffer:

Security issuesHow secure is secure?
It depends on your needs. This isn't a system for top secrets - if you need transfer of vital critical data, install SSL on your web server. The encryption done here is performed with an algoritm called 3DES, or triple DES. It's fairly tough to break. The keys with which the content is encrypted is never transmitted over the net.

What is encrypted?
The users nickname
The chat topic
The chat conversation

Security by dispersion
The more people who uses encryption software, the better. The dispersion of scripts like this to a number of servers is more secure than having one sentral site where everybody goes to chat with encryption.

Client security versus server security
This routine takes for granted that your PC isn't infected with spyware, virus and such. Security starts at home, and if your PC has a password-sniffer installed, nobody can help you on the server side. The server, in this case, has no responsibility - it just receives the encrypted content and stores it for the set amount of time. I was contemplating to set some kind of password for authentication, but then it would be another system, with user administration and control.

Known bugs / DevelopmentThe auto refresh does not work in Konqueror for Linux and Opera for Windows. Opera had the worst performance in the testing, but the chat still works there too.
Turn off auto refresh in these browsers, as there are some cache issues with the chat ping. I'm looking into that.

In addition to the above, the chat is tested in Mozilla FireFox for Windows and Linux - it performs well.
It is also tested in IE 6 for windows, it performs well there too.

The AnoChat v. 0.8 was released in this article on Nov. 23, 2007.
The AnoChat - 3DES encrypted web chat

fastLogin 2.5 Open Scripted Login Opacity (OSLO)    Backend scripts: PHP    Frontend scripts: Javascript    3DES encryption    MD5 digsests
This software is a derivate of fastLogin 2.5 Open Scripted Login Opacity (OSLO). Code by Knut Møgster - reDesign 2007

NOTE: The author does not garantee for your privacy by publishing this software. The best thing to use if you are
in serious need of privacy is SSL or other fully fledged encryption libraries.
This is an _attempt_ to improve on your privacy under open http protocol.

The AnoChat is released under an open license and you may use it or develop on it as you want.

 facebook    digg    reddit    furl   



Peace demonstrations in the US October 26-28 2007
29.10 - 2007


Large number of US citizens demonstrated against the war in Iraq (and the possible war in Iran) during this October weekend. Massive turnout in Boston and San Fransisco, and also in Chicago, LA and DC people took to the streets.
The message was: NO more war in Iraq! NO to a war with Iran!