Wherever you are, you always get the “trusted” internet from the Enigmabox servers, bypassing law enforcement agencies, snooping secret services or evil dudes who have targeted your PC and try to put some malware on it (see Darkhotel attack).
The green line is encrypted cjdns traffic; they can't see or manipulate anything.
Dear attacker: You have to be *inside* the network AND you have to be in my address book to have a chance of attacking me.
The Enigmabox is built on free and open source software.
You can build your own image from source. Have a look at GitHub: https://github.com/enigmagroup/enigmabox-openwrt
The administration interface resides here: webinterface
We use CFEngine for configuring the system. Templates can be found here: cfengine-promises
Firewall script: rebuild-iptables
Send a pull request if you find a weak spot!
In cjdns, the IPv6 address is the fingerprint. Every cjdns IPv6 address has a corresponding private key. Therefore, encryption is built into the network protocol; unencrypted communication is not possible by design!
A unique session key is generated for communication. After you hang up your phone, that key is thrown away and not even *you* are able to decrypt the encrypted phone call traffic. Those session keys are regenerated every now and then.
So, you have immense computing power, dear NSA; cracking trillions of passwords per second? Let's say you need ten years to decrypt that phone call. Chances are that even then you only get parts of the conversation. For the next phone call, you need to crack a different key and you have to start all over: another ten years - bummer!
Communication between two partners happens directly from Enigmabox to Enigmabox. The server in the middle is only passing on encrypted data. Enigmabox A has encrypted the stream for Enigmabox B and only B is able to decrypt the data.
Nobody can tell for sure whether two Enigmaboxes communicate with each other.
What law enforcement sees:
This is an example of different traffic patterns. A download consumes a lot of bandwidth for a fair amount of time, whereas a Spotify stream and a phone call use little bandwidth, but over a longer period of time. Sending an email, checking for updates or synchronizing the time produces short spikes in the traffic pattern.
After the data has left the Enigmabox, you can only see the “silhouette” of the traffic. Whether you send an email, browse the web, stream a song, watch porn, make a phone call - it all looks the same; one pile of encrypted data, heading in one direction to one port - namely the direction of the Enigmabox server. Nobody can tell for sure what you are doing.
Skype's VBR codec leaks information regardless of the quality of the encryption, which may allow phrases to be identified with an accuracy of 50-90%.
For example, with a variable-bitrate codec, no data is transmitted while I am not speaking. This makes it vulnerable to traffic analysis.
Some safe non-VBR codecs include GSM 6.10, iLBC, G.711 (A-LAW, u-LAW, and PCMU), G.722, and G.726 (http://zfoneproject.com/faq.html#vbr).
The Enigmabox only allows codecs with a constant bit-rate (sip.conf on GitHub) to resist voice traffic analysis attacks.
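As an added illustration (not the project's sip.conf or its code), the check below audits an Asterisk-style sip.conf against the constant-bitrate list above and reports any section that can still negotiate another codec. The mapping to Asterisk `allow=` names, the simplified [general] inheritance and the sample configuration are assumptions.

```python
# Assumed mapping of the page's constant-bitrate codecs to Asterisk allow= names.
CBR_CODECS = {"gsm", "ilbc", "alaw", "ulaw", "g722", "g726"}
DEFAULTS = "<built-in defaults>"  # marker: the stock codec list was never cleared

def effective_codecs(conf_text):
    """Return {section: [codecs]} after applying disallow=/allow= in file order.
    Simplification: peers start from [general]'s list; templates are ignored."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop ';' comments
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections[current] = list(sections.get("general", [DEFAULTS]))
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key not in ("allow", "disallow"):
            continue
        codecs = sections[current]
        for item in value.lstrip(">").split(","):      # also accepts 'allow => x'
            name = item.split(":", 1)[0].strip().lower()  # 'ilbc:30' -> 'ilbc'
            if key == "disallow" and name == "all":
                codecs.clear()
            elif key == "disallow" and name in codecs:
                codecs.remove(name)
            elif key == "allow" and name and name not in codecs:
                codecs.append(name)
    return sections

def audit(conf_text):
    """Return {section: [entries not on the constant-bitrate list]}."""
    found = {s: [c for c in cs if c not in CBR_CODECS]
             for s, cs in effective_codecs(conf_text).items()}
    return {s: bad for s, bad in found.items() if bad}

# Constructed sample configuration, not the project's sip.conf.
SAMPLE = """[general]
disallow=all
allow=gsm
allow=ulaw,alaw
[alice]
allow=ilbc:30
[bob]
allow=speex   ; not on the constant-bitrate list
allow=opus
"""
if __name__ == "__main__":
    print(audit(SAMPLE))   # {'bob': ['speex', 'opus']}
```

A section that never issues `disallow=all` is reported with the defaults marker, because the stock codec list was never cleared.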
Enigmaboxes do not depend on an internet infrastructure. You can connect them via direct cable connection or via Wi-Fi. They form a mesh network that runs independently of the internet. And you can send emails and place phone calls with your partners as you are used to.
We only use the internet as a “long antenna”, to bridge long distances.