FiSH -- Secure communications with Internet Relay Chat

Widespread secure e-mail would certainly have a powerful impact on the internet, but at this point, it might not be enough to sell the average user (particularly one of a younger audience) on the general tradeoffs that encryption involves.

Realtime chat, on the other hand, is definitely on the rise in prevalence. Make no mistake, IRC has been around far longer than any Instant Messenger you might have running in your system tray right now, but in all likelihood, it never projected the sense of critical mass that tends to evoke the brand of paranoia which encryption helps to soothe. Luckily, the distinction might not matter for much longer anyway.

If you are reading this, you probably use IRC, and you might have started worrying about the ramifications of large-scale monitoring of your communications. (You probably also know that SSL-IRC protects your IRC session against sniffing or man-in-the-middle attacks, but is utterly meaningless if the IRC server is untrusted -- in effect, the IRC server is just another man in the middle of you and your friends.) This page discusses one specific implementation of an end-to-end IRC-encryption solution in a little detail, a solution which makes you and your correspondent the only men capable of reading your IRC communications.

Getting started with some software.
You can get some more details on the software itself at the FiSH homepage; there is no need to reproduce it here.

The software has been ported to a few different platforms: mIRC for Windows, Irssi for essentially any UNIX system (possibly even Windows -- pending confirmation), Xchat for Windows, UNIX, and apparently also Mac OSX. There is a generic TCL module of some sort, possibly usable in eggdrop solutions. This document will focus on the mIRC and Irssi solutions.

The mIRC version requires a binary patch on the executable. The author of FiSH probably needs some time to port to each new release of mIRC, so the version available will probably be a version or two behind "current" (as if Khaled has any meaningful release cycle in the first place ... for that matter, anyone using mIRC probably pirated a serial, and keeps some old version anyway! Shame on you!) So grab the release off his page, and run the patcher for your version. Alternatively, you can grab this pre-patched copy of mine: mIRC_v6.14-SySReset_v2.53-FiSH_v1.29.rar. (Note, if you have any sense of security, you probably shouldn't just grab untrusted binaries from random sites. Also, you can only preserve your old mIRC/SysReset settings by patching, so that is a sensible method to consider.)

The Irssi and Xchat platforms have binary modules available for a variety of architectures. Windows and MacOS are foolproof, but Linux might need some special attention. If the system is Intel-based, odds are the binary Linux module will work. (Incredibly, the author also has a module for OpenBSD v3.8, which is exactly what I was running at the time I started using FiSH!) For Irssi, just copy the module into /usr/lib/irssi/modules/; for Xchat, it goes in /usr/lib/xchat/plugins/.

If there is no binary module available for your system, you will need to compile the source code. And unfortunately, there is no nice GNU-style build environment for this project -- you will be getting your hands *really* dirty here. In fact, I haven't even built this thing successfully myself yet! Once I manage to do so, I will update here with some details. Anyone who does succeed here, feel free to send me the details of your endeavour.

The blow.ini configuration file appears to be identical for all platforms. A simple example follows; most of the options are default anyway, but they will all be described:
mark_encrypted=" $"
plain_prefix="+p "
The default Crypto-Mark appears to be blank, so set it to something sensible here (it can be changed conveniently in the mIRC platform, but not in any others). mark_position sets the Crypto-Mark as a prefix or suffix, depending on the numerical value. auto_keyxchange and nicktracker are boolean values. Automatic keyXchange performs a /keyx function every time a new query window is opened; this is technically more secure, but presents theoretical security risks. The NickTracker bears some special mention: it keeps track of the nickname changes in all channels you have joined, and moves any key set for a nickname which changes over to the newly changed nickname. In other words, you will not need to manually set a key for the given nickname again, nor re-keyx the user -- the client will transparently use the old key with the new nick. Presumably there are some theoretical security implications to this feature, but it is extremely convenient, so leaving it enabled is not discouraged.
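
A quick way to review the options just described, as an added example (not part of the FiSH distribution or of the original page). It assumes blow.ini holds plain key=value lines with optionally double-quoted values and that the boolean options are written as 0 or 1; the function names and the sample input are constructed for illustration.

```python
# Added example: review the blow.ini options described above.
# Assumptions (not from the page): options are key=value lines, values may
# be double-quoted, and the boolean options are written as 0 or 1.

SAMPLE = '''\
mark_encrypted=""
plain_prefix="+p "
auto_keyxchange=1
nicktracker=1
'''  # constructed input, not a real user's file


def parse_blow_ini(text):
    """Return {option: value}; [section] headers and malformed lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the quotes, keep inner spaces (" $")
        opts[key.strip().lower()] = value
    return opts


def audit(opts):
    """Return (level, option, message) tuples for settings worth a second look."""
    findings = []
    if not opts.get("mark_encrypted", "").strip():
        findings.append(("warn", "mark_encrypted",
                         "Crypto-Mark is blank, so encrypted and plaintext "
                         "messages cannot be told apart on screen"))
    if opts.get("auto_keyxchange") == "1":
        findings.append(("note", "auto_keyxchange",
                         "a /keyx is sent whenever a new query window opens"))
    if opts.get("nicktracker") == "1":
        findings.append(("note", "nicktracker",
                         "a stored key follows a nickname change to the new nick"))
    return findings


if __name__ == "__main__":
    for level, option, message in audit(parse_blow_ini(SAMPLE)):
        print(f"[{level}] {option}: {message}")
```

Run against the two-line example above, the audit reports nothing, since the Crypto-Mark is set and neither convenience option is switched on explicitly.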

Oddly, the documentation for mIRC lacks a command reference, so that is what this section is really for. The following commands are known to be available:

/fish.setkey <#channel>

/fish.usechankey <#channel>

/fish.showkey <#channel>

/fish.removekey <#channel>



Note that manually setting keys for privmsg communication is not necessary, as the DH1080 key-exchange (/keyx) is at least equally secure, and way the hell more convenient.

Right-clicking in any chat window will reveal a new sub-menu, "FiSH", containing the following options: Right-clicking in a channel window will reveal the same sub-menu, with the same options listed above, in addition to these options:

X-Chat and Irssi
Xchat and Irssi share identical commands for using FiSH encryption. These commands are properly documented in the distribution, so I will not go into detail here. There is only one discernible difference between the modular version and the mIRC version: an initialization key may be set for Xchat/Irssi, which will prevent unauthorized users from accessing your session keys (for example, if your blow.ini file were somehow stolen). The relevant commands are:



That is about all there is to it! You'll need a friend to test it with, of course ... otherwise, why would you even need it? But if you need some friendly encouragement, find me, Maitre, on EFnet somewhere. Typically channel #animeFiends. Or just /keyx me! Just look for that Crypto-Mark.

Update -- 2014.12.01
For quite a while now, the MIRACL library (and consequently, the old FiSH library) has refused to build on modern (read: amd64) systems. Fortunately, The Internet heard our call, and responded with a fresh new port. If you are still looking for the FiSH module, this is the place to get it:

For posterity's sake, I will keep an archive of this code here (again, updated 2014.12.01):


Take back the web!

Updated 2007.06.03.
Copyright © 1994 - 2007 UltrX corp. All rights reserved.