User:Mntbrry/sandbox/cameoNet

cameoNet is a secure instant messaging application for all devices, such as smartphones, tablets and desktop computers. cameoNet is available as a web app for all devices and also as a mobile app for Android and iOS. A Windows Phone version is currently being developed. In addition to text messages, images, videos, positions and voice messages can be transmitted as attachments. Founder, developer and operator is Memo Connect GmbH in Halle (Saale). All cameoNet servers are located in Germany.

Security
Many platforms use protocols like the Diffie–Hellman key exchange, which simplifies some technical aspects but does not by itself solve the authentication problem and so leaves the exchange open to man-in-the-middle attacks. cameoNet uses a Public Key Infrastructure (PKI). The PKI enables authentication and flexible secured group conversations.

The security system of cameoNet is based on current cryptographic methods. To assure data security, cameoNet uses the AES and RSA algorithms. The combination of symmetric (AES-256) and asymmetric (RSA-4096) encryption makes it possible to encrypt both user-to-user and group conversations. A member can be added to a conversation without re-encrypting the entire conversation, and excluding a group member from a conversation is equally simple. The management of encryption keys ensures that neither the private keys nor the content of messages are accessible to a cameoNet server administrator; only the individual users are able to decrypt secured cameoNet content.

cameoNet allows secure communication with external users outside of the application environment. It offers two ways to secure a web reader conversation:
 * 1) By manual key exchange.
 * 2) By using the PassCaptcha procedure.
The PassCaptcha procedure exchanges a CAPTCHA image to transmit the symmetric key. PassCaptcha simplifies exchanging keys and makes automated key extraction more difficult.

Another aspect is the verification of the identities of a group conversation's participants. Encryption may prevent unauthorized access, but by itself cannot authenticate the participants of a group conversation. cameoNet users may verify each other's identities by exchanging their key IDs in several ways (manual exchange, QR codes). Once users have validated their identities, they can use digital signatures to sign messages and attachments. This enables private and authenticated conversations. This process does not imply that the service needs any information about the users' real identities: it is possible to have an anonymous account and identity while still communicating in a secured and authenticated way. Alternatively, users can also be fully verified by submitting personal identification documents (e.g. passport or driver's licence).
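The hybrid scheme described in the two paragraphs above, reduced to code as an added example: this is not cameoNet's own code, and cameoNet's actual key formats, fingerprint derivation and signature scheme are not documented on this page. Each conversation has one AES-256 key that is wrapped with RSA-OAEP for every member's public key; adding a member wraps the existing key once more, removing a member deletes that copy and rotates the key for the remaining members; a key ID is derived as a SHA-256 fingerprint of the public key, and RSA-PSS signatures provide the authentication step. The member names, the fingerprint construction and the 2048-bit key size (the article states RSA-4096) are assumptions made for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// GenerateKey makes one participant's RSA key pair (a "cameoKey"). The article
// states RSA-4096; 2048 bits is used here only to keep the demo fast.
func GenerateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// KeyID is the fingerprint users compare out of band (manually or by QR code):
// SHA-256 over the DER-encoded public key, truncated for display (assumed format).
func KeyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // does not fail for an RSA key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// Conversation holds one AES-256 key, wrapped with RSA-OAEP once per member.
// Pub and Wrapped are what a server may store; key lives only on clients.
type Conversation struct {
	Pub     map[string]*rsa.PublicKey
	Wrapped map[string][]byte
	key     []byte
}

func NewConversation() *Conversation {
	return &Conversation{Pub: map[string]*rsa.PublicKey{}, Wrapped: map[string][]byte{}}
}

func (c *Conversation) wrapFor(name string) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.Pub[name], c.key, nil)
	if err != nil {
		return err
	}
	c.Wrapped[name] = w
	return nil
}

// rotate draws a fresh conversation key and wraps it for every current member.
func (c *Conversation) rotate() error {
	c.key = make([]byte, 32)
	if _, err := rand.Read(c.key); err != nil {
		return err
	}
	for name := range c.Pub {
		if err := c.wrapFor(name); err != nil {
			return err
		}
	}
	return nil
}

// AddMember wraps the existing key for the newcomer; earlier messages need
// no re-encryption.
func (c *Conversation) AddMember(name string, pub *rsa.PublicKey) error {
	c.Pub[name] = pub
	if c.key == nil {
		return c.rotate() // first member: create the conversation key
	}
	return c.wrapFor(name)
}

// RemoveMember drops the member's copy and rotates the key for the rest, so
// the removed member cannot read anything sent afterwards.
func (c *Conversation) RemoveMember(name string) error {
	delete(c.Pub, name)
	delete(c.Wrapped, name)
	return c.rotate()
}

// Unwrap recovers the conversation key with a member's private key; this
// is the AES-256 key under which messages and attachments are then encrypted.
func (c *Conversation) Unwrap(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := c.Wrapped[name]
	if !ok {
		return nil, fmt.Errorf("%s has no wrapped key", name)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// Sign and Verify use RSA-PSS over SHA-256: after key IDs have been compared,
// signatures make a conversation authenticated, not merely private.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}
```

Nothing in Conversation.Pub or Conversation.Wrapped lets a server operator recover the conversation key, which is the property the article claims for cameoNet's key management. The actual AES encryption of messages under the unwrapped key (for example with AES-256-GCM) is left out here; the point of the example is the key handling around it.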

The application consists of a Scala/MongoDB-based back end and an HTML5-based front end, connected by a REST API. The back-end system supports stateless session handling, which enables easy horizontal scaling when system load increases. Currently all major web browsers on Windows, OS X, Linux, Android, iOS and Windows Phone are supported by the front end. Mobile applications for Android and iOS are available; a Windows Phone application is in development.

Use of the Application
When first starting the application, users are asked to provide their account data (user name and password; other data is optional). After the user account has been created and a short welcome message has been shown, the application's functions are introduced through a quick start guide. Then a cameoKey is automatically generated; this key is essential for secure encryption. The user may then search for contacts and send friend requests. If a request is accepted, the cameoKeys (the public keys) are exchanged and secured communication is possible. While communicating, users are informed of the level of security through a colored lock symbol: a green lock signifies asymmetric encryption, a yellow lock shows that the communication is secured by a regular password or a PassCaptcha, and a red lock shows that the ongoing communication is unencrypted.

Data Protection
The application's servers are located in Germany. Thus, the operating company and the service are subject to the German Federal Data Protection Act. Users may synchronize their address books with the cameoNet servers. If either the phone number or the email address of a contact in the address book matches an entry in the service's database, the contact ID is added to the contact list automatically.

Characteristics of cameoNet

 * Open to external users through SMS and email
 * Encrypted communication with external users via PassCaptcha
 * Availability on all major devices and platforms
 * Open Source
 * Multiple identities per user account possible
 * Optional anonymous use