Help
Home | How It Works
| General FAQ | Technical FAQ
| Definitions | Privacy
Links
High Level Technical
Description
All discussion assumes that the Elite Fitness
Stealth Messaging user has a Java ™ Enabled Web-browser,
implementing JVM 1.1.5 or higher and the most recent version
of SSL, Secure Sockets Layer. An example of such a browser would
be Netscape Navigator ™ 4.72 or Microsoft's Internet Explorer
™ 5, running on a Windows ™ platform.
The founding principle of Elite Fitness Stealth MessagingMail is that the
user need not trust either the Internet or the Elite Fitness Stealth Messaging service
to be assured that a secure system is being used.
First, an overview of address creation:
- The user downloads the "New Account" Java Applet, via the
World Wide Web, and picks an email address name.
- The user is asked to move his or her mouse to generate random
numbers.
- Both public and private key are generated, using a 1,024-bit
Diffie-Helman scheme.
- The user enters, and confirms, their self-created passphrase.
- The passphrase, seen as a key, is used to symmetrically
encrypt the private key.
- The encrypted private key and plaintext public key are sent
to the Elite Fitness Stealth MessagingMail server.
Some finer clarifications:
1a. The "NewAccount "Java Applet is transferred
to the client machine via an SSL connection. Elite Fitness Stealth Messaging recommends
that the connection be 128-bit strong encryption, in order
to strongly authenticate the client software origin. The hash
of the applet can be compared for extra rigor.
2a. Exactly 1,024-bits of random numbers are
generated, calculated from the X and Y coordinates of the mouse movements.
The exact algorithm is present in the source code, which can be reviewed
at http://www.hush.ai/. These random bits are then
"mixed up" a second time using a secure one-way hash algorithm (SHA),
to alleviate any possible skew from differing JVM performance or Elite
Fitness Stealth Messaging user mouse patterns.
3a. The 1,024-bits of randomly generated
code is the Elite Fitness Stealth Messaging user's private key. The public key is mathematically
generated from it, using the ElGamal scheme. The p and g numbers
are strong pre-generated constants given in the applet. The
Elite Fitness Stealth Messaging user has now created his or her keypair.
4a. The Elite Fitness Stealth Messaging user creates any passphrase
he or she wishes. The strength of the system directly correlates
to how hard it would be to guess or brute force attack this
passphrase. Elite Fitness Stealth Messaging strongly recommends that its users create
strong passphrases.
5a. Using a 128-bit key, derived from
the Elite Fitness Stealth Messaging user's passphrase, the Blowfish symmetric algorithm
is applied to the user's private key, thus, generating an
encrypted private key.
6a. A secure one-way hash of the Elite Fitness Stealth Messaging
user's passphrase, using SHA, is also partially sent to the
Elite Fitness Stealth MessagingMail server, for validation of the Elite Fitness Stealth Messaging user at a later
date. All the information sent between the Elite Fitness Stealth Messaging applet and
the Elite Fitness Stealth MessagingMail server is encrypted using a symmetric, 128-bit,
Blowfish algorithm. The key to this symmetric "pipe" is randomly
generated each session by the Elite Fitness Stealth MessagingMail server, and is transferred
to the client machine via a secure SSL connection.
Next, an overview of the process of sending
a Elite Fitness Stealth MessagingMail message:
- The Elite Fitness Stealth Messaging user downloads the Elite Fitness
Stealth Messaging applet via the World Wide Web, having entered his
or her address name.
- The Elite Fitness Stealth Messaging applet, running on the client
machine, requests the user's passphrase.
- The passphrase is entered. Then, it is securely hashed. Part of
this hash is sent to the Elite Fitness Stealth MessagingMail server
for user validation.
- Only if the partial hash is valid, will the Elite Fitness Stealth
MessagingMail server send the client Elite Fitness Stealth Messaging
applet the Elite Fitness Stealth Messaging user's public key and encrypted
private key.
- The Elite Fitness Stealth Messaging applet symmetrically decrypts
the encrypted private key into its plaintext form.
- The Elite Fitness Stealth Messaging user enters the system and can
view email, create address aliases, compose email, and utilize other
features of the Elite Fitness Stealth MessagingMail service.
- When the Elite Fitness Stealth Messaging user composes and sends
a message, the Elite Fitness Stealth Messaging applet contacts the
Elite Fitness Stealth MessagingMail server and downloads the recipient's
public key.
- If the recipient is in the sending Elite Fitness Stealth Messaging
user's address book, it compares the public key values against an
electronic fingerprint for extra security.
- The body of the email message being sent is symmetrically encrypted
with a randomly generated session key.
- Using the recipient's public key, the random session key is asymmetrically
encrypted and added to the message that is sent to the recipient.
- The entire message is sent to the Elite Fitness Stealth MessagingMail
server, which sends the message out to the Internet using SMTP.
- When the recipient reads the message, the recipient's private key
will decrypt the session key, which will yield access to the plaintext
message itself.
Some finer clarifications:
1a. Refer to 1a under the "Address Creation
Process" section of this document. Please note a different
applet is used in this example.
2a. The passphrase is never transmitted
from the client machine.
3a. The Elite Fitness Stealth MessagingMail server only releases
encrypted private keys to strongly validated users. This limits
possible risk of high-speed, brute force attacks trying to
recover either the Elite Fitness Stealth Messaging user's passphrase or plaintext private
keys. If the Elite Fitness Stealth MessagingMail server detects multiple tries in a short
period, such as someone trying to guess a user passphrase,
it will notify a system administrator and/or temporarily stop
accepting requests from that address name and/or IP address.
4a. This operation is the same as 5a,
except in the reverse.
5a. All public keys of Elite Fitness Stealth MessagingMail users
are available. They are retrieved during the encryption process,
prior to transmission of the encrypted message
6a. If a sending Elite Fitness Stealth Messaging user distrusts
the Elite Fitness Stealth MessagingMail server itself, the sender may put the recipient
address in his or her address book. By doing so, the sender
can view the hash (or "fingerprint") of the recipient's public
key before sending the message. Both sender and recipient
may exchange fingerprint information at any time, any way
they wish.
7a. The randomly generated Blowfish algorithm
is 128-bits long. It is created by differences in keystroke
timing from the Elite Fitness Stealth Messaging user after being securely hashed with
SHA multiple times.
8a. The Elite Fitness Stealth MessagingMail message format is a
hybrid symmetric encryption/public system, created for speed
and efficiency. Once messages have been read, they are stored
via symmetric encryption. The session key is stored in the
email header. Messages sent to oneself are symmetrically encrypted
only.
|