
Thread: VB6 - EChat


    Attached is a chat program called EChat, which is short for Encrypted Chat. It actually consists of 3 programs; the Client program, the Service program, and a Control program to maintain the Service program. Why is it any different from other chat programs? The answer is Security.

    To activate the Client program requires a password. The password is not stored. What is stored in the registry is a simple numeric sum check. I could have stored it encrypted, but that would have meant storing a key, and key storage is a security risk in any encryption system.

    The Client connects to the server and sends the UserID and the Public Key from a self-generated ECC (Elliptic Curve Cryptography) key pair. The server verifies the UserID and generates its own Public/Private ECC key pair. It uses its own Private Key, and the Public Key from the Client to generate a Shared Secret. It then sends its Public Key back to the Client.

    The Client had previously hashed the Password that was input to activate the program. It then generates the Shared Secret using the Public Key from the Server and its own Private Key. It uses that Shared Secret to encrypt the hashed Password and sends it back to the Server.

    The Server uses the Shared Secret to decrypt and verify the Password hash. When the Server was started, it generated a 256 bit Random Key. It now encrypts the Random Key with the Shared Secret, and sends it back to the Client. All connected Clients are sent a message that the new Client has joined the conversation, and the Client list is updated. All subsequent conversation data is encrypted/decrypted with the Random Key. The Server does not decrypt the messages, it simply passes the encrypted data on to the participants. To view the decrypted messages would require being one of the participants.

    The above programs require my encryption library file available here:
    -Linked Removed by Moderator-
    It can be stored in the executable directory or in the Windows System (\Windows\System32 or \Windows\SysWOW64) directory.

    The Server program can operate as a Desktop application or as a Service, but it does require the Microsoft NT Service Control. Normally, the UserID and hashed Password would be maintained in a database on a Secure Server. But not everyone has access to a Secure Server. In addition, Access databases do not easily store binary information that is not a recognized variable type. So I chose to develop my own binary based database using binary file access. A UserID is not encrypted information, so it can be passed on using insecure email. But a Password should never be passed using insecure communication. So what I suggest is to manually add the UserID and a blank Password to the database, and then have the new Client attempt to connect. The hashed password can then be taken from the log file and added to the User database. The Server end never has knowledge of the actual Password, because a Hash is like one-way encryption.

    Operating as a service requires different settings and directories as compared to operating as a desktop application. The reason for this is that a service operates as part of the system in session zero, whereas a desktop application operates in session one or better. Each one has its own set of permissions as far as directories and registry are concerned. I suggest that the desktop application be compiled as "EChatS.exe". Change the "IsService" flag to true and compile the service as "EChatSvc.exe". The desktop application will require a sub directory called "Logs" in the directory where the executable is located, whereas the service will require a sub directory called "EChat" in "\Windows\System32\Logfiles". In this particular case, it doesn't matter if it is a 32- or 64-bit system. For both programs, the User Database is located in the "ProgramData\EChat" directory. If it doesn't exist, the program will create it and copy a blank database (Users.db.org) into that directory as Users.db. This database actually includes one UserID called "Admin" and a blank password.

    J.A. Coutts
    Last edited by couttsj; Jun 1st, 2017 at 01:05 PM.
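As an added illustration of the join handshake described in the post above (this is not the author's code and not the EChat library): a stdlib-only Python model of the message flow, in which finite-field Diffie-Hellman stands in for the ECC key agreement and an HMAC-SHA256 keystream XOR stands in for the library's cipher; the toy group, the user database and the chat messages are all constructed. It shows the property the post relies on: the Server checks only the password hash, and relays chat ciphertext it cannot decrypt.

```python
# Toy model of the EChat join handshake (constructed example, stdlib only).
# Swapped-in primitives: finite-field Diffie-Hellman stands in for ECC key
# agreement; HMAC-SHA256 in counter mode stands in for the library cipher.
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3      # constructed toy group; far too small for real use

def kdf(shared_int): return hashlib.sha256(shared_int.to_bytes(16, "big")).digest()

def _xor(key, nonce, data):   # keystream = HMAC(key, nonce || counter), XORed in
    stream = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, data):
    nonce = secrets.token_bytes(16)           # fresh nonce per message, sent in clear
    return nonce + _xor(key, nonce, data)

def decrypt(key, blob): return _xor(key, blob[:16], blob[16:])

class Server:
    def __init__(self, user_db):                      # user_db: {UserID: password hash}
        self.user_db, self.sessions = user_db, {}
        self.random_key = secrets.token_bytes(32)     # 256-bit Random Key made at startup
    def on_hello(self, user_id, client_pub):          # verify UserID, derive Shared Secret
        if user_id not in self.user_db:
            raise PermissionError("unknown UserID")
        priv = secrets.randbelow(P - 2) + 2           # fresh server key pair per connection
        self.sessions[user_id] = kdf(pow(client_pub, priv, P))
        return pow(G, priv, P)                        # server Public Key goes back to Client
    def on_password(self, user_id, enc_pw_hash):      # check the hash, hand out Random Key
        shared = self.sessions[user_id]
        if not hmac.compare_digest(decrypt(shared, enc_pw_hash), self.user_db[user_id]):
            raise PermissionError("password hash mismatch")
        return encrypt(shared, self.random_key)
    def relay(self, blob): return blob                # chat traffic forwarded, never decrypted

class Client:
    def __init__(self, user_id, password):
        self.user_id = user_id
        self.pw_hash = hashlib.sha256(password.encode()).digest()   # hashed at activation
        self.priv = secrets.randbelow(P - 2) + 2
    def join(self, server):                           # the four-message handshake
        server_pub = server.on_hello(self.user_id, pow(G, self.priv, P))
        shared = kdf(pow(server_pub, self.priv, P))   # same value the Server derived
        reply = server.on_password(self.user_id, encrypt(shared, self.pw_hash))
        self.random_key = decrypt(shared, reply)      # now holds the group chat key
    def send(self, text): return encrypt(self.random_key, text.encode())
    def recv(self, blob): return decrypt(self.random_key, blob).decode()
```

A real deployment would use the library's ECC and authenticated cipher, and would store a slow, salted password hash in the user database rather than a plain SHA-256.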
