In the spirit of openness, and as big believers in Kerckhoffs's principle (“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge”), we are publishing our design.
Our uber goal is a safer internet. Opening up our design should help us start the conversation, receive feedback, and build a valuable product.
Consider a few of the 2014 cyber hacks:
In none of the above was the information purposefully leaked by the sender or receiver. It was the system that was compromised: either the server that stores the content was breached, passwords were obtained through social engineering, or, in the case of Snapchat, access to their backend was intercepted. The architecture we created is meant to make these scenarios impossible. We ask our users to judge whom they trust, and we provide a safe place for them to express themselves.
How we do it
Phone number verification establishes the user.
Once verified, only a hash of the phone number is stored. The privacy of our users is absolute; there is no reason for us to store the phone number itself.
Each user in glitchi has a public/private key pair.
We use NaCl as the crypto library.
- The private key is available only on the device.
- The public key is available on our servers.
- The private key on the device is encrypted with a unique key for each user, and that key is held on the server.
- Because of this additional layer, establishing a session with our server is a requirement for accessing the private key.
Messages are encrypted with the public key of the receiver.
We have optimized our solution so that a message can be sent to as many receivers as required.
The receiver decrypts messages with the local private key.
Messages are opaque to our servers.
We do not have the keys to decrypt them.
Signup Flow and Creating Key Pair
There are no passwords. The only way to use glitchi is on your phone with a valid SIM. Your phone number is your identity.
glitchi Server Hacked
The glitchi server only has encrypted copies of your messages; it does not have the keys to decrypt them. A few of my sample photos are encrypted and stored in glitchi. Feel free to take a crack at it.
iCloud Backup compromised
This was one of the scenarios in the celebrity hack. glitchi private keys cannot be decrypted without access to glitchi servers, and our servers require the user to be authenticated with their phone number.
glitchi cannot be active on two devices at the same time. If you lose your phone, activate a new device with the same phone number, and glitchi will no longer be active on the previous device.
We would love to know what you think and answer any questions you have. Please leave a comment below.