FiSH -- Secure communications with Internet Relay Chat
Widespread secure e-mail would certainly have a powerful impact on the
internet, but at this point, it might not be enough to sell the average
user (particularly one of a younger audience) on the general tradeoffs
that encryption involves.
Realtime chat, on the other hand, is definitely on the rise in prevalence.
Make no mistake, IRC has been around far longer than any Instant Messenger
you might have running in your system tray right now, but in all likelihood,
it never projected the sense of critical mass that tends to evoke the
brand of paranoia which encryption helps to soothe. Luckily, the distinction
might not matter for much longer anyway.
If you are reading this, you probably use IRC, and you might have started
worrying about the ramifications of large-scale monitoring of your
communications. (You probably also know that SSL-IRC protects your IRC
session against sniffing, or man-in-the-middle, attacks, but is
utterly meaningless if the IRC server is untrusted -- in effect, the IRC
server is just another man in the middle of you and your friends.)
This page discusses one specific implementation of an end-to-end IRC-encryption
solution in a little detail, a solution which makes you and your
correspondent the only men capable of reading your IRC communications.
Getting started with some software.
You can get some more details on the software itself at the FiSH homepage;
there is no need to reproduce it here.
The software has been ported to a few different platforms: mIRC for Windows,
Irssi for essentially any UNIX system (possibly even Windows -- pending
confirmation), Xchat for Windows, UNIX, and apparently also Mac OSX. There is a generic TCL module of some sort,
possibly usable in eggdrop solutions. This document will focus on the mIRC
and Irssi solutions.
The mIRC version requires a binary patch on the executable. The author of
FiSH probably needs some time to port to each new release of mIRC, so the
version available will probably be a version or two behind "current" (as if
Khaled has any meaningful release cycle in the first place ... for that
matter, anyone using mIRC probably pirated a serial, and keeps some old
version anyway! Shame on you!) So grab the release off his page, and run
the patcher for your version. Alternatively, you can grab this pre-patched
copy of mine: mIRC_v6.14-SySReset_v2.53-FiSH_v1.29.rar. (Note, if you have any sense of security,
you probably shouldn't just grab untrusted binaries from random sites. Also,
you can only preserve your old mIRC/SysReset settings by patching, so that is
a sensible method to consider.)
The Irssi and Xchat platforms have binary modules available for a variety of
architectures. Windows and MacOS are foolproof, but Linux might need some
special attention. If the system is Intel-based, odds are the binary Linux
module will work. (Incredibly, the author also has a module for OpenBSD v3.8,
which is exactly what I was running at the time I started using FiSH!) For
Irssi, just copy libfish.so into /usr/lib/irssi/modules/ ; for Xchat, xfish.so
goes in /usr/lib/xchat/plugins/ .
If there is no binary module available for your system, you will need to
compile the source code. And unfortunately, there is no nice GNU-style build
environment for this project -- you will be getting your hands *really* dirty
here. In fact, I haven't even built this thing successfully myself yet! Once
I manage to do so, I will update here with some details. Anyone who does
succeed here, feel free to send me the details of your endeavour.
The blow.ini configuration file appears to be identical for all platforms. A
simple example follows; most of the options are default anyway, but they will
all be described:
The default Crypto-Mark appears to be blank, so set it to something
sensible here (it can be changed conveniently in the mIRC platform, but not in
any others). mark_position sets the Crypto-Mark as a prefix or suffix,
depending on the numerical value. auto_keyxchange and nicktracker are boolean
values. Automatic keyXchange performs a /keyx function every time a new query
window is opened; this is technically more secure, but presents theoretical
The NickTracker bears some special mention: it will keep track of the nickname
changes in all channels you are joined to, and configure any keys set to a
nickname which changes, to the newly changed nickname. In other words, you
will not need to manually set a key for the given nickname again, nor re-keyx
the user -- the client will transparently use the old key with the new nick.
Presumably there are some theoretical security implications to this feature,
but it is extremely convenient, so leaving it enabled is not discouraged.
Oddly, the documentation for mIRC lacks a command reference, so that is what
this section is really for. The following commands are known to be available:
Sets the encryption key for channel <#channel> to . (Unlike UNIX
clients, the channel must always be specified as an argument - setting
the "current" channel is not supported.)
This command will set the key used for privmsg communication with user
to the same key that is currently set for channel <#channel>. Note
that there does not appear to be a similar function for the other clients,
so use of this command is discouraged.
This command will open a small dialogue window, containing the currently
set key for channel <#channel>.
Removes the key currently set for channel <#channel>. Encryption will
no longer be performed on the channel.
This command will initiate a DH1080 key-exchange with user . The
message, "FiSH:Sent my DH1080 public key to , waiting for reply ..."
will be shown; if the user is also using FiSH, their IRC client will
automatically reply to the request, and a key will be negotiated -- the
message, "Key for set to *censored*" will then be shown. The key
will be saved automatically by both clients, and does not need to be seen.
This command changes the encryption prefix used by FiSH to the character(s)
. It is suggested that a single character be used, but any number
of characters may be used.
Note that manually setting keys for privmsg communication is not necessary,
as the DH1080 key-exchange (/keyx) is at least equally secure, and way the
hell more convenient.
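
The kind of exchange /keyx performs, sketched as an added example (this is not FiSH's code): a plain Diffie-Hellman agreement, plus a fingerprint both users can compare over another channel to confirm they hold the same key. The toy group, the SHA-256 derivation, and the `fingerprint` and `relay` helpers are assumptions for illustration; the page does not give DH1080's parameters or wire format.

```python
import hashlib
import secrets

# Toy group, for illustration only: the Mersenne prime 2**127 - 1, base 3.
# These are NOT the DH1080 parameters, which the page does not list.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a fixed-length key from the shared secret."""
    # Reject 0, 1 and P-1: they would force a secret anyone can predict.
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def fingerprint(key):
    """Short digest the two users can compare over another channel."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]

def exchange(relay=lambda pub: pub):
    """Run one exchange; `relay` models what the IRC server delivers."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key_a = session_key(a_priv, relay(b_pub))    # A uses the value it received
    key_b = session_key(b_priv, relay(a_pub))    # B likewise
    return fingerprint(key_a), fingerprint(key_b)

if __name__ == "__main__":
    fp_a, fp_b = exchange()
    print("faithful relay:", fp_a, fp_b, "match" if fp_a == fp_b else "MISMATCH")
    # Constructed case: the relay hands both sides a value of its own choosing.
    fp_a, fp_b = exchange(relay=lambda pub: pow(G, 5, P))
    print("altered relay: ", fp_a, fp_b, "match" if fp_a == fp_b else "MISMATCH")
```

A mismatch means the two clients hold different keys, which is what happens when public values are changed in transit; the exchange by itself gives neither side that signal.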
Right-clicking in any chat window will reveal a new sub-menu, "FiSH",
containing the following options:
Right-clicking in a channel window will reveal the same sub-menu, with the
same options listed above, in addition to these options:
- Set plain-prefix
- Encrypt outgoing
- Encrypt incoming
- Crypt-Mark (Incoming)
- Crypt-Mark (Outgoing)
- Encrypt NOTICE
- Encrypt ACTION
- Show key
- Set new key
- Remove key
- Encrypt TOPIC
X-Chat and Irssi
Xchat and Irssi share identical commands for using FiSH encryption. These
commands are properly documented in the distribution, so I will not go into
detail here. There is only one discernible difference between the modular
version and the mIRC version: an initialization key may be set for Xchat/Irssi,
which will prevent unauthorized users from accessing your session keys (for
example, if your blow.ini file were somehow stolen). The relevant commands
Sets a new password on your blow.ini key container. You will need
to re-enter this password each time the FiSH module is loaded (i.e. each
time Xchat/Irssi is launched).
Removes the password from the blow.ini container. No password protection
will be present after this command has been executed.
That is about all there is to it! You'll need a friend to test it with, of
course ... otherwise, why would you even need it? But if you need some friendly
encouragement, find me, Maitre, on EFnet somewhere. Typically channel
#animeFiends. Or just /keyx me! Just look for that Crypto-Mark.
Update -- 2014.12.01
For quite a while now, the MIRACL library (and consequently, the old FiSH library)
has refused to build on modern (read: amd64) systems. Fortunately, The Internet heard
our call, and responded with a fresh new port. If you are still looking for the
FiSH module, this is the place to get it:
For posterity's sake, I will keep an archive of this code here (again, updated 2014.12.01):
Take back the web!