Technitium Bit Chat
Frequently Asked Questions (FAQ)
How do I use Bit Chat to chat with my friends?
Using Bit Chat is quite easy. You and your friends can start chatting with it in just a couple of minutes. Just follow the steps below to get started!
- Download and install Bit Chat on your computer.
- Start Bit Chat and register for a Profile Certificate.
- Upon successful registration, click Create Chat on the main window and select Add Private Chat or Add Group Chat.
- Use the Private Chat option for one-to-one chat. To start a private chat, both peers must enter each other's email address and an optional password/shared secret.
- Use the Group Chat option to allow multiple peers to participate in a chat. To start a group chat, enter a name for the chat group and an optional password/shared secret. Tell your friends the chat group name and password combination by phone, email or another instant messenger. Anyone who knows the combination can then connect with you on the group chat.
For a more detailed guide, read this blog post on how to register for a profile certificate and get started with Bit Chat.
Why is registration necessary to use Bit Chat? What is a profile certificate?
Bit Chat uses peer-to-peer technology, which means peers connect directly to each other without any server in between. Conventionally, people rely on identities like a username or email address to verify whom they are really chatting with, which is not possible in a pure peer-to-peer system.
To help users identify their peers, it becomes necessary to use digital certificates (profile certificates), just as HTTPS-secured websites authenticate themselves to visitors using SSL certificates.
Without a trusted digital certificate, the only options a user has are to physically meet all of his peers once and sign each other's digital certificates for later use, or to blindly trust the peer on the other end of the network. The digital certificate has to be trusted either by a central registration authority or by each of the peers to avoid man-in-the-middle (MitM) attacks. In the practical world, meeting each peer to sign each other's digital certificate is really not a feasible option, and thus relying on a trusted central registration authority is necessary.
A profile certificate is basically a digital certificate issued by the Bit Chat Certificate Authority. The certificate is issued after verifying the user's email address. This certificate lets other people in your group read the information that you provided during registration and allows them to rely on the email address for identifying you.
It is difficult in a peer-to-peer network to ensure the identity of the person on the other side. To establish trust, a digital certificate that carries a verified identifier (the email address) is essential.
A profile certificate uses a 4096-bit RSA key and SHA-256 for certificate integrity verification. The RSA key pair is generated on the client side and is protected by the profile encryption password. Keeping the RSA private key secure is the primary reason the registration process is built into the Bit Chat application instead of being a server-side, web-based registration process.
How do you verify an email address upon registration?
Upon receiving a registration request, the user will receive an automated email with instructions. To verify the email address, the user will have to reply to the received email without changing its subject. The contents of the reply don't matter. Upon receiving the reply, the backend system will generate a signed profile certificate.
The email verification process thus checks that a user can both send and receive email for the provided email address. This method prevents users from using disposable email services for registration.
How can I use Bit Chat to chat anonymously?
One fact to remember is that the information you provide during profile registration is stored in the profile certificate and can be seen by anyone you chat with. If you don't want your primary email address disclosed, you can create a new email address for profile registration and provide limited or no information during the registration process.
Since Bit Chat peers can see each other's IP address, to prevent your IP address from being disclosed you can use any VPN service or configure Bit Chat to use a proxy server. Bit Chat supports HTTP proxy and SOCKS5 proxy, and you can even configure Bit Chat to use the Tor network.
What user information is stored with Technitium?
Technitium stores only the registration information, which includes the details provided in the form, the profile certificate (which includes only the RSA public key), the time of registration and the IP address.
Technitium does not store or have access to the user's profile encryption password or the profile certificate RSA private key.
What information gets disclosed when using Bit Chat?
Bit Chat creates an identifier for each chat group from the group name and password. This identifier is basically a SHA-1 hash generated by an algorithm. The identifier is used with BitTorrent trackers to find peers. Any person who knows this identifier can find the IP addresses of the peers in the group. However, to join the group, the password component must be known separately.
Each peer in the group connects directly to every other peer over the Internet. Thus, each peer knows your IP address and the information that was provided in your profile certificate. Any entity trying to sniff your network traffic will only learn that IP A is connected to IP B; the entire communication is encrypted end-to-end with perfect forward secrecy (PFS).
Technitium does not know with whom you chat. Chat groups are virtual groups; they are not registered on any server, and thus it is impossible for Technitium to learn any information about a group chat or private chat or to read its messages.
I forgot my profile password. How do I reset it?
The profile password set by the user is an encryption password used to securely store the profile certificate (which includes the user's private key) on the user's computer. Technitium does not have access to the profile password or the user's private key. If the user forgets the profile encryption password, there is no other way to decrypt the file. In such a scenario, the user can register again with the same email address, but with the loss of the settings stored in the previous profile file. When the user registers again with the same email address, the previous certificate is revoked and will no longer work with Bit Chat.
Do I need to register profile again to use Bit Chat on another computer? Can I use same profile on multiple computers?
You don't need to register a new profile to use Bit Chat on another computer. You can export your existing profile file using the Bit Chat Profile Manager and import the file on the other computer. To open the Profile Manager, click the Switch Profile option in the main menu. You can also close the password prompt at startup to get the Profile Manager window.
What happens if I register for profile twice with the same email address?
If you register for a profile certificate using an email address that was already in use, the previously issued profile certificate will be revoked; the previous profile is thus invalidated and cannot be used. You will have to use the newly issued profile for Bit Chat on all your computers/devices.
Can I use multiple computers with same Bit Chat profile simultaneously?
Yes, you can import an existing profile to any number of computers and use all of them simultaneously for Bit Chat. For example, if you join the same chat group from two computers, you can send and receive messages in the group from both computers.
Is it necessary to provide a password or shared secret while creating a chat group?
The password/shared secret for creating a chat group is optional, but it's highly recommended to use a password; even a simple one will do. People in the group connect to each other using an identifier that is generated from the group name and password combination. Thus, if you leave the password blank and another group of people also use the same group name, everyone will end up in the same chat group.
Setting a password also provides a level of security such that only people who know it will be able to establish an end-to-end encrypted communication channel. A password will also prevent your profile certificate from being disclosed to an active attacker.
What if the password or shared secret used for creating a chat group is exposed or leaked?
In such a scenario, there is no need to panic. Since the group exists only virtually, no messages are stored anywhere to be retrieved. If some unknown person connects to your group, that person's profile will be listed in Bit Chat and you will be able to see the profile certificate information, which includes the email address. You can also find the person's IP address in the profile viewer.
If you find an unknown person in the group, just leave the group, create another group with the same name but a different password, and notify the original group participants of the new password via email.
Which encryption algorithms are used to secure communication?
AES with a 256-bit key is primarily used to encrypt the data between peers. The key exchange is done using Diffie-Hellman (DHE-2048) or Elliptic Curve Diffie-Hellman (ECDHE-256) in a secure handshake protocol during which peers exchange ephemeral public key info, encrypted profile certificates and encryption keys for AES. Authentication is provided by the RSA-4096 based profile certificate.
Why is Bit Chat not using the X.509 certificate format?
Due to the peer-to-peer architecture, Bit Chat needed specific fields for which it was necessary to use a customized certificate format.
Why is Bit Chat not using the SSL/TLS protocol for peer-to-peer connections?
The SSL/TLS protocol exchanges the client and server certificates in clear text during the handshake. To protect the identity and personal information of people using Bit Chat, it was necessary to design a secure handshake protocol similar to TLS.
The protocol used in Bit Chat requires the connecting peer to know the chat group password. During the handshake, an ephemeral public key exchange establishes an end-to-end encrypted communication channel. After the encrypted channel is established, the peers exchange their profile certificates through it and verify both the certificates and the ephemeral public keys and handshake parameters that were exchanged, to confirm identity and make sure there is no man-in-the-middle.
The protocol thus protects users from disclosing their profile certificate to passive attackers on the network.
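The handshake described above, as an added example in Go (not Bit Chat's own code, which is C#): each side derives the channel key from an ephemeral ECDH P-256 exchange mixed with the group password, then signs a transcript of both ephemeral public keys with its profile certificate's RSA key, so an ephemeral key substituted in transit is detected. The password mixing, the SHA-256 transcript and the RSA-PSS signature are assumed constructions, and the encryption of the certificate exchange itself is left out to keep the block short.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Peer: long-term RSA key (profile certificate key pair) + ephemeral ECDH P-256 key.
type Peer struct {
	ID  *rsa.PrivateKey
	Eph *ecdh.PrivateKey
}

func NewPeer() *Peer {
	id, _ := rsa.GenerateKey(rand.Reader, 2048) // Bit Chat uses 4096; 2048 keeps the demo quick
	eph, _ := ecdh.P256().GenerateKey(rand.Reader)
	return &Peer{ID: id, Eph: eph}
}

// channelKey mixes the ECDH shared secret with the group password (assumed
// construction), so a peer without the password cannot derive the channel key.
func channelKey(self *Peer, remote *ecdh.PublicKey, password string) []byte {
	secret, _ := self.Eph.ECDH(remote) // only errors on a curve mismatch
	k := sha256.Sum256(append(secret, []byte(password)...))
	return k[:]
}

// transcript hashes both ephemeral public keys in a fixed order; each side
// signs it with its identity key so a key substituted in transit is detected.
func transcript(initiator, responder *ecdh.PublicKey) []byte {
	t := sha256.Sum256(append(initiator.Bytes(), responder.Bytes()...))
	return t[:]
}

// Handshake runs initiator a against responder b. seenByB is the ephemeral key
// that actually reaches b (a.Eph.PublicKey() on an honest network, an attacker's
// key to model substitution). It reports whether both sides derived the same
// channel key and whether b accepted a's signature over the transcript.
func Handshake(a, b *Peer, passA, passB string, seenByB *ecdh.PublicKey) (sameKey, authOK bool) {
	keyA := channelKey(a, b.Eph.PublicKey(), passA)
	keyB := channelKey(b, seenByB, passB)
	sigA, _ := rsa.SignPSS(rand.Reader, a.ID, crypto.SHA256, transcript(a.Eph.PublicKey(), b.Eph.PublicKey()), nil)
	err := rsa.VerifyPSS(&a.ID.PublicKey, crypto.SHA256, transcript(seenByB, b.Eph.PublicKey()), sigA, nil)
	return bytes.Equal(keyA, keyB), err == nil
}
```

A wrong password only breaks key agreement here; in the protocol above the signed certificate travels inside the encrypted channel, so a peer without the password could not read it at all.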
How can I trust that Bit Chat is not having any backdoor?
Does Bit Chat provide Perfect Forward Secrecy (PFS)?
Which Key Derivation Function (KDF) is used by Bit Chat?
Does Bit Chat implement Authenticated Encryption (AE)?
Yes, from version 3.0 Bit Chat uses HMAC-SHA256 to authenticate the encrypted data in Encrypt-then-MAC (EtM) mode.
Why are anonymous email services, like Mailinator.com, not allowed for registration?
The Bit Chat profile registration process requires you to confirm ownership of the email address you provide by replying to the verification email that you receive upon registration. This design was implemented to protect your identity, that is, your email address, from being exploited by hackers.
Email providers like Mailinator provide an anonymous email service that comes without authentication; that is, anyone who knows the alias you used can read your email on the website. An attacker can thus register for a Bit Chat profile certificate using the same alias and use it to steal your identity online.
Also, very few of these anonymous service providers have an HTTPS (secure) website. So, an attacker who can read your network traffic can read the alias you are using, even if it is the secure alias or the alternate email alias made of random characters.
Such services are great but not really useful when your email address is used as an identity while chatting online. These services only allow users to receive email, and for this reason Bit Chat registration requires you to reply to the verification email.