The Secure Internet Live Conferencing (SILC) protocol is a new generation chat protocol which provides full featured conferencing services, just like any other contemporary chat protocol provides. In addition, it provides security by encrypting and authenticating the messages in the network. The security has been the primary goal of the SILC protocol and the protocol has been designed from the day one security in mind. All packets and messages travelling in the SILC Network are always encrypted and authenticated. The network topology is also different from for example IRC network. The SILC network topology attempts to be more powerful and scalable than the IRC network. The basic purpose of the SILC protocol is to provide secure conferencing services. The SILC Protocol have been developed as Open Source project. The protocol specifications are freely available and they have been submitted to the Internet Engineering Task Force(IETF). The very first implementations of the protocol are also already available.
SILC is a protocol which provides secure conferencing services on the Internet over insecure channel. SILC superficially resembles IRC, although they are very different internally. They both provide conferencing services and have almost the same set of commands. Other than that, they are nothing alike. The SILC is secure and the network model is entirely different compared to IRC.
SILC is much more than just about encrypting the traffic. That is easy enough to do with IRC and SSL hybrids, but even then the entire network cannot be secured, only part of it. SILC provides security services, such as sending private messages entirely secure; no one can see the message except you and the real receiver of the message. SILC also provides same functionality for channels; no one except those clients joined to the channel may see the messages destined to the channel. Communication between client and server is also secured with session keys and all commands, authentication data (such as passwords etc.) and other traffic is entirely secured. The entire network, and all parts of it, is secured. We are not aware of any other conferencing protocol providing same features at the present time.
SILC has secure key exchange protocol that is used to create the session keys for each connection. SILC also provides strong authentication based on either passwords or public key authentication. All authentication data is always encrypted in the SILC network. Each connection has their own session keys, all channels have channel specific keys, and all private messagescan be secured with private message specific keys.
II. Features of Secure Internet Live Conferencing
- Normal conferencing services such as private messages, channels, channel messages, etc. All traffic is secured and authenticated.
- No unique nicknames. There can be same nicknames in SILC without collisions. SILC has unique Client ID’s, Server ID’s and Channel ID’s to assure that there are no collisions. The maximum length of the nickname is 128 characters. The maximum length of the channel name is 256 characters.
- Channels can have channel operators and a channel founder which is the client who created the channel. Channel founder privileges supersede the channel operator privileges.
- Channel messages are protected by channel key, generated by the server. The key is re-generated once in an hour. It is possible to set a private key for the channel so that even the server does not know the key. Actually, it is possible to set several private keys so that only specific users on the channel may decrypt some specific messages.Adding the private key significantly increases the security as nobody else but the users on the channel know the key.
The SILC is distributed currently in three different packages. The SILC Client package, the SILC Server package and the SILC Toolkit package. Each package has its intended audience.
- SILC Client package is intended for end users who are looking for a good and full featured SILC client. The SILC Client package currently includes Irssi-SILC client that supports all SILC features, themes and much more. It is curses based but has a possibility of adding various other frontends to it. The Irssi-SILC client’s user interface is based on the Irssi client (see Irssi project).
- SILC Server package is intended for system administrators who would like to run their own SILC server or SILC router. The package includes the actual server but not the client. If you are running a server and would like to connect it to the silc.silcnet.org router you can contact us.
- SILC Toolkit package is intended for developers and programmers who would like to create their own SILC based applications or help in the development of the SILC protocol.
The Secure Internet Live Conferencing (SILC) protocol provides secure conferencing services over insecure network channel. The SILC is IRC like protocol, however it does not support IRC. Strong cryptographic methods are used to protect SILC packets inside the SILC network. SILC provides all the common conferencing services like channels, channel messages, private messages, nicknames, various commands, and secure file transfer. Difference to other chat protocol is in the design of the protocol. The SILC protocol has been designed from the day one security in mind and it shows in the protocol design.
The packets and messages in the SILC network are always encrypted and authenticated. It is not possible to send unencrypted messages in SILC at all. This assures that end user cannot even accidently send unencrypted messages while thinking that it is encrypted. This is one of the problems of most of the other chat protocols that provide so called plugin encryption. They are not secure by default but try to provide security by applying external security protocol such as PGP or SSL over the insecure chat protocol. In these cases the security is achieved usually by encrypting the data while key management, message authentication and other security issues may be left out, leaving the implementation vulnerable to various security problems. The other problem is also that the external protocols tend to leave the network only partly secured. usually only two points in the network are secured with for example SSL. While SSL does provide provable security it is not enough to provide security for a chat network as a whole. SILC is secure in environment of mutual distrust between entities in the network. It is possible to encrypt messages end to end, so that only the sender and the receiver is able to encrypt and decrypt messages. It is also possible to send messages to group of users, so that only the specified group of users is able to encrypt and decrypt messages. Many times the protocol use keys that are generated by the servers, so that if other external key exchange methods fail the network still remains encrypted. However, it is always possible to negotiate and use locally generated keys to secure messages, so that the servers do not know the key. Like so many other contemporary chat protocols, SILC too provides file transfer. It is possible to transfer files securely between users in the SILC Network. The actual file transfer stream is always sent outside the network peer to peer. Before the file transfer is started a key exchange protocol is executed to negotiate file transfer session key.
The network topology is also different to various other chat protocols, like for example IRC. IRC has tree style network, but SILC network can be described more as an hybrid ring-mesh network. The routers in the network form a ring, but they can also have other direct routers (secondary routes) to other routers. A router in the network is also called a cell, when it has multiple servers and clients connected to it. The cell can also have backup routers in case the primary router becomes unresponsive.
The diagram above illustrates a portion of the SILC network. It shows two cells that both have several servers, and backup routers and several clients. Clients can connect to server and routers if they want to.
A client is a piece of software connecting to SILC server. The software is usually run by the end user, a real person that is. The purpose of the clients is to provide the end user an interface to the SILC services. They are used to actually engage the onversations on the SILC Network, and they can be used to execute various SILC commands.
The clients are distinguished from other clients by unique Client ID.There cannot be multiple same Client IDs in the SILC Network at the same time. The end user, however does not use Client IDs. The end users usually selects a preferred nickname they want to use, and identifies themself with that nickname to other users on the network. The nicknames are not unique in the SILC Network. There can be multiple same nicknames at the same time on the network. The maximum length for the nickname is 128 characters. Most of the other chat protocols have unique nicknames. This is where SILC differs from most of the other chat protocols. The purpose of this feature is to make IRC style nickname wars obsolete, as no one owns their nickname; there can always be someone else with the same nickname.
Servers forms the basis for the SILC Network, by providing a point to which clients may connect. There are two kinds of servers in SILC; normal servers and router servers. The next section describes the function of router server. Normal servers connect to router server.
Normal servers cannot directly connect to other normal servers. Messages that are destined outside the local server are always sent to the router for further routing. The clients usually connect to the normal server, however, clients may connect to router servers as well. The SILC Network diagram above illustrates how normal servers connects to the router server. The servers are distinquished by other servers in the network by unique Server ID. There cannot be multiple same Server IDs in the SILC Network at the same time. The servers keep track of local information. It knows all locally connected clients and it knows all channels that its clients have joined. However, it does not know any global information. It usually does not keep track of global clients, however, it may cache that information if it was queried. The reason for this is that the server does not need to keep global information up to date and thus makes the server faster (and in the end the entire network faster). They can always query the information from the router.
When server connects to its router the SILC Key Exchange (SKE) protocol and the SILC Connection Authentication protocol are executed, just like when client connects to server. The SKE results in to the session key that is used to secure the communication between the server and the router. The connection authentication protocol is used to authenticate the server to the router. The authentication is always based in either passphrase or public key (or certificates).
The router servers are servers that actually handles the message routing in the network. They are, however also normal servers and they do accept client connections. Each of the router in the network is called a cell. A cell can have only one active router and it may have several servers and several clients.
The cell, however may have backup routers that can take over the tasks of the primary router if it becomes unresponsive. The switch to the backup router should be transparent and only local connections to the primary router are lost. Other connections in the cell are intact, and clients and servers merely experience some lag in the network connection during the switch to the backup router.
4.SILC Packet Protocol :
The basis of SILC protocol relies in the SILC packets and they are with out a doubt the most important part of the protocol. The SILC Packet protocol is a binary packet protocol. The protocol provides secure binary packets and assures that the contents of the packets are secured and authenticated
Packets are used in the SILC protocol all the time to send for example channel messages, private messages, commands and other information. All packets in SILC network are always encrypted and their integrity is assured by computed Message Authentication Codes (MAC). The protocol defines several packet types and packet payloads. Each packet type usually has a specific packet payload that actually defines the contents of the packet. Hence, the actual data in the packet is the packet payload defined in the protocol.
5.SILC Key Exchange Protocol :
SILC Key Exchange Protocol (SKE) is used to exchange shared secret between connecting entities. The result of this protocol is a key material used to secure the communication channel. This protocol is executed when, for example client connects to server. It is also executed when server connects to router. And, there is no reason why it could not be executed between two clients too, if two clients would need to create secret key. The purpose of the SKE protocol is to create session keys to be used in current SILC session. The SKE is based on the Diffie-Hellman key exchange algorithm, and is immune to for example man-in-the-middle attacks by using digital signatures.
This is the first protocol that is executed when creating connection to, for example SILC server. All the other protocols are always executed after this protocol. This way all the other protocols are secured since the SKE creates the session key that is used to secure all subsequent packets. The session keys created in the SKE are valid only for some period of time (usually an hour) or at most until the session ends. The rekey process can be executed with or without the Perfect Forward Secrecy (PFS).
The public key or certificate that is received during the SKE protocol must be verified. If it is not verified it would be possible to execute a man-inthe-middle attack against the SKE protocol. If certificates are used they can be verified by a third party Certification Authority (CA). Verifying a public key requires either confirming a fingerprint of the public key over phone or email, or the server can for example publish the fingerprint (public key) on some website. In real life systems accepting the public key without verification
6.SILC Connection Authentication Protocol:
Purpose of SILC Connection Authentication protocol is to authenticate the connecting party with server or router. This protocol is executed when for example client connects to server. It is also executed when server connects to router. Its other purpose is to provide information for the server about which type of connection it is. The type of the connection defines whether it is client, server or router. If it is client then the server will create a new Client ID for the client. If it is server then it will except the server to send its Server ID. Server IDs are created by the servers and routers itself.
The Secure Internet Live Conferencing (SILC) protocol is a new generation chat protocol that provides all the common conferencing services with strong support for security. It has wide range of security properties that should meet the highest levels of security requirements, while not forgetting easy of use. The network topology offers new architectural solution with better scalability over traditional chat protocols.