FiSH -- Secure communications with Internet Relay Chat

Widespread secure e-mail would certainly have a powerful impact on the internet, but at this point, it might not be enough to sell the average user (particularly one of a younger audience) on the general tradeoffs that encryption involves.

Realtime chat, on the other hand, is definitely on the rise in prevalance. Make no mistake, IRC has been around far longer than any Instant Messenger you might have running in your system tray right now, but in all likelyhood, it never projected the sense of critical mass that tends to evoke the brand of paranoia which encryption helps to soothe. Luckily, the distinction might not matter for much longer anyway.

If you are reading this, you probably use IRC, and you might have started worrying about the ramifications of large-scale monitoring of your communications. (You probably also know that SSL-IRC protects your IRC session against sniffing, or man-in-the-middle, attacks, but is utterly meaningless if the IRC server is untrusted -- in effect, the IRC server is just another man in the middle of you and your friends.) This page discusses one specific implementation of an end-to-end IRC-encryption solution in a little detail, a solution which makes you and your correspondant the only men capable of reading your IRC communications.

Getting started with some software.

http://fish.sekure.us/
You can get some more details on the software itself at the FiSH homepage; there is no need to reproduce it here.

The software has been ported to a few different platforms: mIRC for Windows, Irssi for essentially any UNIX system (possibly even Windows -- pending confirmation), Xchat for Windows, UNIX, and apparently also Mac OSX. There is a generic TCL module of some sort, possibly usable in eggdrop solutions. This document will focus on the mIRC and Irssi solutions.

The mIRC version requires a binary patch on the executable. The author of FiSH probably needs some time to port to each new release of mIRC, so the version available will probably be a version or two behind "current" (as if Kahled has any meaningful release cycle in the first place ... for that matter, anyone using mIRC probably pirated a serial, and keeps some old version anyway! Shame on you!) So grab the release off his page, and run the patcher for your version. Alternatively, you can grab this pre-patched copy of mine: mIRC_v6.14-SySReset_v2.53-FiSH_v1.29.rar. (Note, if you have any sense of security, you probably shouldn't just grab untrusted binaries from random sites. Also, you can only preserve your old mIRC/SysReset settings by patching, so that is a sensible method to consider.)

The Irssi and Xchat platforms have binary modules available for a variety of architectures. Windows and MacOS are foolproof, but Linux might need some special attention. If the system is Intel-based, odds are the binary Linux module will work. (Incredibly, the author also has a module for OpenBSD v3.8, which is exactly what I was running at the time I started using FiSH!) For Irssi, just copy libfish.so into /usr/lib/irssi/modules/ ; for Xchat, xfish.so goes in /usr/lib/xchat/plugins/ .

If there is no binary module available for your system, you will need to compile the source code. And unfortunately, there is no nice GNU-style build environment for this project -- you will be getting your hands *really* dirty here. In fact, I haven't even built this thing successfully myself yet! Once I manage to do so, I will update here with some details. Anyone who does succeed here, feel free to send me the details of your endeavour.

Configuration

The blow.ini configuration file appears to be identical for all platforms. A simple example follows; most of the options are default anyway, but they will all be described:
[FiSH]
process_incoming=1
process_outgoing=1
mark_encrypted=" $"
mark_position=1
plain_prefix="+p "
auto_keyxchange=0
nicktracker=1
The default Crypto-Mark appears to be blank, so set it to something sensible here (it can be changed conveniently in the mIRC platform, but not in any others). mark_position sets the Crypto-Mark as a prefix or suffix, depending on the numerical value. auto_keyxchange and nicktracker are boolean values. Automatic keyXchange performs a /keyx function every time a new query window is opened; this is technically more secure, but presents theoretical security risks. The NickTracker bears some special mention: it will keep track of the nickname changes in all channels you are joined to, and configure any keys set to a nickname which changes, to the newly changed nickname. In other words, you will not need to manually set a key for the given nickname again, nor re-keyx the user -- the client will transparently use the old key with the new nick. Presumably there are some theoretical security implications to this feature, but it is extremely convenient, thus it is not discouraged to leave it enabled.

Usage
mIRC

Oddly, the documentation for mIRC lacks a command reference, so that is what this section is really for. The following commands are known to be available:

/fish.setkey <#channel>
Sets the encryption key for channel <#channel> to . (Unlike UNIX clients, the channel must always be specified as an argument - setting the "current" channel is not supported.)

/fish.usechankey <#channel>
This command will set the key used for privmsg communication with user to the same key that is currently set for channel <#channel>. Note that there does not appear to be a similar function for the other clients, so use of this command is discouraged.

/fish.showkey <#channel>
This command will open a small dialogue window, containing the currently set key for channel <#channel>.

fish.removekey <#channel>
Removes the key currently set for channel <#channel>. Encryption will no longer be performed on the channel.

/keyx
This command will initiate a DH1080 key-exchange with user . The message, "FiSH:Sent my DH1080 public key to , waiting for reply ..." will be shown; if the user is also using FiSH, their IRC client will automatically reply to the request, and a key will be negotiated -- the message, "Key for set to *censored*" will then be shown. The key will be saved automatically by both clients, and does not need to be seen.

/fish.prefix
This command changes the encryption prefix used by FiSH to the character(s) . It is suggested that a single character be used, but any number of characters may be used.

Note that manually setting keys for privmsg communication is not necessary, as the DH1080 key-exchange (/keyx) is at least equally secure, and way the hell more convenient.

Right-clicking in any chat window will reveal a new sub-menu, "FiSH", containing the following options:

Set plain-prefix
Auto-KeyXchange
Encrypt outgoing
Encrypt incoming
Crypt-Mark (Incoming)
Crypt-Mark (Outgoing)
NickTracker
Encrypt NOTICE
Encrypt ACTION
Right-clicking in a channel window will reveal the same sub-menu, with the same options listed above, in addition to these options:

Show key
Set new key
Remove key
Encrypt TOPIC

X-Chat and Irssi

Xchat and Irssi share identical commands for using FiSH encryption. These commands are properly documented in the distribution, so I will not go into detail here. There is only one discernable difference between the modular version and the mIRC version: an initialization key may be set for Xchat/Irssi, which will prevent unauthorized users from accessing your session keys (for example, if your blow.ini file were somehow stolen). The relevant commands are:

/setinipw
Sets a new password on your blow.ini key container. You will need to re-enter this password each time the FiSH module is loaded (i.e. each time Xchat/Irssi is launched).

/unsetinipw
Removes the password from the blow.ini container. No password protection will be present after this command has been executed.

That is about all there is to it! You'll need a friend to test it with, of course ... otherwise, why would you even need it? But if you need some friendly encouragement, find me, Maitre, on EFnet somewhere. Typically channel #animeFiends. Or just /keyx me! Just look for that Crypto-Mark.

Update -- 2014.12.01
For quite a while now, the MIRACL library (and consequently, the old FiSH library) refuse to build on modern (read: amd64) systems. Fortunately, The Internet heard our call, and responded with a fresh new port. If you are still looking for the FiSH module, this is the place to get it:

https://github.com/falsovsky/FiSH-irssi

For posterity's sake, I will keep an archive of this code here (again, updated 2014.12.01):

FiSH-falsovski.tar.gz

Take back the web!