Internet Security Utilities

xsukax PGP Secure Chat

xsukax

xsukax PGP Secure Chat

A lightweight, privacy-focused real-time chat application that implements end-to-end encryption using OpenPGP standards. Built with security and user privacy as core principles, this application ensures that your conversations remain completely private and secure.

Github Repo: https://github.com/xsukax/xsukax-PGP-Secure-Chat

Project Overview

xsukax PGP Secure Chat is a modern web-based messaging platform that combines the proven security of PGP encryption with the convenience of real-time communication. The application consists of a Python WebSocket server that handles message routing and connection management, paired with a responsive web client that performs all cryptographic operations locally in the browser.

Key Architecture Principles:

  • Zero-knowledge server design: The server never has access to message content or private keys
  • Client-side encryption: All cryptographic operations occur in the user’s browser
  • Minimal data persistence: Only encrypted messages and public keys are stored
  • Decentralized trust model: Users manage their own key pairs and verify contacts independently

The application generates unique 6-character user IDs for each session and facilitates secure peer-to-peer communication through an encrypted friend request system.

Security and Privacy Benefits

End-to-End Encryption

  • OpenPGP Implementation: Utilizes the robust OpenPGP.js library for industry-standard encryption
  • Client-Side Cryptography: All encryption and decryption operations occur exclusively in the user’s browser
  • Forward Secrecy: Each message is individually encrypted, preventing retroactive decryption of message history

Privacy Protection

  • Zero-Knowledge Architecture: The server cannot read message content, only route encrypted data
  • No Persistent User Accounts: Users are identified by temporary session-based IDs
  • Minimal Metadata Collection: The server stores only essential routing information
  • No Message Content Logging: Encrypted messages pass through the server without being logged or analyzed

Key Management Security

  • Local Key Storage: Private keys never leave the user’s device
  • Passphrase Protection: Support for passphrase-protected private keys
  • Key Verification: Users can verify public key fingerprints before establishing trust
  • Secure Key Exchange: Public keys are exchanged through the friend request mechanism

Operational Security

  • Transport Layer Security: WebSocket connections can be secured with TLS
  • Connection Health Monitoring: Automatic ping/pong for connection stability
  • Graceful Error Handling: Secure failure modes that don’t leak sensitive information
  • Memory Protection: Sensitive data handling with appropriate cleanup

Features and Advantages

Core Functionality

  • Real-Time Messaging: Instant delivery of encrypted messages through WebSocket connections
  • Friend Request System: Secure method for establishing trusted communication channels
  • Cross-Platform Compatibility: Web-based client runs on any modern browser
  • Responsive Design: Optimized for both desktop and mobile devices

Technical Advantages

  • Lightweight Architecture: Minimal resource requirements for both client and server
  • Easy Deployment: Simple installation process with automated service setup
  • Scalable Design: Efficient handling of multiple concurrent connections
  • Open Source: Full transparency and community-driven development

User Experience

  • Intuitive Interface: Clean, modern UI with terminal-inspired aesthetic
  • Drag-and-Drop Key Import: Simple PGP key file upload process
  • Status Indicators: Real-time connection and encryption status display
  • Message Persistence: Encrypted message history maintained per conversation

Unique Selling Points

  • No Registration Required: Immediate access without account creation
  • Temporary Identity Model: Enhanced privacy through session-based user IDs
  • Browser-Based Encryption: No software installation required for clients
  • Self-Hosted Option: Complete control over your communication infrastructure

Installation Instructions

Prerequisites

  • Linux server (Ubuntu/Debian or CentOS/RHEL/Rocky/AlmaLinux)
  • Python 3.6 or higher
  • Root or sudo access
  • Network connectivity on port 8765

Automated Installation

  1. Download the installation package:

    git clone https://github.com/xsukax/xsukax-PGP-Secure-Chat.git
cd xsukax-PGP-Secure-Chat

  2. Run the installation script:

    sudo chmod +x install_service.sh
sudo ./install_service.sh install

  3. Verify installation:

    sudo systemctl status xsukax-pgp-chat

Manual Installation

If you prefer manual installation or need to customize the setup:

  1. Install Python dependencies:

    sudo apt update  # For Ubuntu/Debian
sudo apt install python3 python3-pip python3-venv

# Or for CentOS/RHEL:
sudo yum install python3 python3-pip

pip3 install websockets asyncio

  2. Create application directory:

    sudo mkdir -p /opt/xsukax-pgp-chat
sudo cp server.py /opt/xsukax-pgp-chat/
sudo chmod +x /opt/xsukax-pgp-chat/server.py

  3. Create systemd service (optional but recommended):

    sudo cp xsukax-pgp-chat.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable xsukax-pgp-chat
sudo systemctl start xsukax-pgp-chat

Firewall Configuration

Open the required port for WebSocket connections:

For UFW (Ubuntu/Debian):

sudo ufw allow 8765/tcp

For FirewallD (CentOS/RHEL):

sudo firewall-cmd --permanent --add-port=8765/tcp
sudo firewall-cmd --reload

TLS/SSL Setup (Recommended)

For production deployments, configure a reverse proxy with TLS:

server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    location / {
        proxy_pass http://localhost:8765;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}

PGP Key Generation

Before using xsukax PGP Secure Chat, you need to generate a PGP key pair. This section provides step-by-step instructions for creating your cryptographic keys using GnuPG (GPG).

Prerequisites for Key Generation

  • GnuPG (GPG) installed on your system
  • Basic understanding of public-key cryptography concepts
  • Secure environment for key generation (offline recommended for maximum security)

Installing GnuPG

Ubuntu/Debian:

sudo apt update
sudo apt install gnupg

CentOS/RHEL/Rocky:

sudo yum install gnupg2
# or for newer versions:
sudo dnf install gnupg2

macOS:

brew install gnupg

Windows: Download and install GPG4Win from https://gpg4win.org/

Step-by-Step Key Generation

1. Generate Your Key Pair

Run the following command to start the interactive key generation process:

gpg --full-generate-key

During the interactive process, you will be prompted for:

  • Key type: Select (1) RSA and RSA (default)
  • Key size: Choose 4096 bits for maximum security
  • Key expiration: Set according to your security policy (recommend 1-2 years)
  • Real name: Enter your name or identifier
  • Email address: Enter your email (can be fictional for privacy)
  • Comment: Optional description field
  • Passphrase: Choose a strong passphrase to protect your private key

Example output:

pub   rsa4096 2025-09-20 [SC]
      5BE31FC1655C5D57F4EE4578E0B17789DB4D8F77
uid                      Your Name <[email protected]>
sub   rsa4096 2025-09-20 [E]

2. Export Your Public Key

Use your key ID (the long hexadecimal string) to export your public key:

gpg --armor --export YOUR_KEY_ID > public_key.asc

Example:

gpg --armor --export 5BE31FC1655C5D57F4EE4578E0B17789DB4D8F77 > public_key.asc

3. Export Your Private Key

Export your private key using the same key ID:

gpg --armor --export-secret-keys YOUR_KEY_ID > private_key.asc

Example:

gpg --armor --export-secret-keys 5BE31FC1655C5D57F4EE4578E0B17789DB4D8F77 > private_key.asc

Key Management Best Practices

Security Recommendations

  • Secure Storage: Store your private key in a secure location with restricted access
  • Backup Strategy: Create encrypted backups of your private key and store them separately
  • Passphrase Strength: Use a strong, unique passphrase for your private key
  • Key Expiration: Set reasonable expiration dates and renew keys regularly
  • Revocation Certificate: Generate a revocation certificate and store it securely

Verifying Your Keys

After generation, verify your keys are correctly created:

# List your secret keys
gpg --list-secret-keys

# List your public keys
gpg --list-keys

# Check key fingerprint
gpg --fingerprint YOUR_KEY_ID

Key File Format

Your exported keys will be in ASCII-armored format (.asc files):

  • public_key.asc: Contains your public key for sharing with others
  • private_key.asc: Contains your private key (keep this secret and secure)

Both files can be directly uploaded to the xsukax PGP Secure Chat application.

Alternative Key Generation Methods

Using Kleopatra (Windows/GUI)

For users who prefer a graphical interface:

  1. Install GPG4Win with Kleopatra
  2. Open Kleopatra
  3. Click “New Key Pair”
  4. Follow the wizard to generate your keys
  5. Export keys in ASCII-armored format

Using GPG Suite (macOS)

  1. Install GPG Suite
  2. Open GPG Keychain
  3. Click “New” to create a key pair
  4. Export keys in .asc format

Security Considerations

Important Security Notes:

  • Never share your private key with anyone
  • Use the application only after verifying the server’s authenticity
  • Consider generating keys on an air-gapped system for maximum security
  • Regularly audit your key usage and revoke compromised keys
  • Verify key fingerprints when exchanging public keys with contacts

Usage Guide

Setting Up Your Keys

  1. Access the application by opening Client.html in your web browser
  2. Connect to server by entering the WebSocket URL (e.g., ws://your-server:8765)
  3. Import your PGP keys:
    • Click “Choose Files” for both private and public key slots
    • Select your .asc or .gpg key files
    • Click “Load Keys”
    • Enter your private key passphrase when prompted (or leave blank if none)

Step-by-Step Communication Process

  1. Add a Friend:

    • Obtain your friend’s 6-character user ID
    • Enter the ID in the “Add Friend” field
    • Click “Send Friend Request”
    • Wait for your friend to accept the request

  2. Send Encrypted Messages:

    • Select your friend from the friends list
    • Type your message in the text area
    • Click “Send” – the message is automatically encrypted
    • Your friend receives and decrypts the message automatically

  3. Message Security Verification:

    • All messages display a lock icon indicating encryption
    • Failed decryption attempts are clearly marked
    • Connection status is continuously monitored

Administration and Monitoring

Service Management:

# Start the service
sudo systemctl start xsukax-pgp-chat

# Stop the service
sudo systemctl stop xsukax-pgp-chat

# Restart the service
sudo systemctl restart xsukax-pgp-chat

# View status
sudo systemctl status xsukax-pgp-chat

# View logs
sudo journalctl -u xsukax-pgp-chat -f

Monitoring Active Connections: The server logs provide information about:

  • Client connections and disconnections
  • Friend request activities
  • Message routing (encrypted content only)
  • Error conditions and recovery

Troubleshooting Common Issues

Connection Problems:

  • Verify server is running: sudo systemctl status xsukax-pgp-chat
  • Check firewall rules allow port 8765
  • Ensure WebSocket URL is correct (ws:// not http://)

Key Loading Issues:

  • Verify key file formats (.asc or .gpg)
  • Check passphrase accuracy (case-sensitive)
  • Ensure private and public keys match

Message Decryption Failures:

  • Confirm friend’s public key is properly loaded
  • Verify your private key is correctly decrypted
  • Check that you’re friends with the message sender

Licensing Information

This project is licensed under the GNU General Public License v3.0 (GPL-3.0).

What This Means for Users

Freedom to Use: You are free to use this software for any purpose, including commercial applications, without paying licensing fees.

Freedom to Study and Modify: You have the right to examine the source code, understand how it works, and modify it to suit your needs.

Freedom to Distribute: You may redistribute copies of the software to others, either in original or modified form.

Copyleft Protection: Any modifications or derivative works must also be licensed under GPL-3.0, ensuring the software remains open and free.

What This Means for Contributors

Open Source Requirement: All contributions become part of the GPL-3.0 licensed codebase and must be compatible with this license.

No Proprietary Derivatives: The copyleft nature of GPL-3.0 prevents the creation of proprietary versions of this software.

Patent Protection: The license includes provisions that protect users from patent-related legal issues.

Compliance Requirements

If you distribute this software (modified or unmodified):

  • Include the full GPL-3.0 license text
  • Provide access to the corresponding source code
  • Clearly indicate any modifications made to the original code
  • Ensure derivative works are also licensed under GPL-3.0

For the complete license text, see the LICENSE file in this repository or visit https://www.gnu.org/licenses/gpl-3.0.html.

Security Notice: While this application implements strong cryptographic practices, users should conduct their own security review before using it for highly sensitive communications. For maximum security, deploy on infrastructure you control and audit the code thoroughly.

Leave a Reply

Your email address will not be published. Required fields are marked *