Security of the Enigmabox

  • Double NAT (PC behind Enigmabox behind server)
  • Securing your internet connection wherever you are, e.g. resisting the Darkhotel attack
  • Firewall in full shielding mode by default, only friends allowed inside the encrypted network (iptables rules on GitHub)
  • Free and open source software. Send pull requests if you find a weak spot!
  • cjdns: IPv6 is the fingerprint, backed by a private key == communication is encrypted by default
  • Forward secret communications, unique session keys per phone call, per email
  • End-to-end encrypted phone calls
  • End-to-end encrypted emails
  • Obfuscated metadata (nobody can tell who communicates with whom)
  • All data in one big encrypted pile of junk, indistinguishable (YouTube stream or phone call?)
  • Only constant bitrate codecs allowed (sip.conf on GitHub), see
  • Mailserver running on the Enigmabox; direct contact between boxes, no central server involved
  • Can run in P2P mesh mode without any server at all

Double NAT

  • Your PC sits behind the Enigmabox
  • All Enigmaboxes sit behind the server
  • Your PC is shielded behind two IP rewrites and in the end has the server's IP address
  • To get to your PC, an attacker has to figure out the correct server, from there the correct Enigmabox, and from there the correct PC
  • The green line is encrypted cjdns traffic, using IPv4-in-IPv6 for transport

Securing your internet connection

Wherever you are, you always get the “trusted” internet from the Enigmabox servers, bypassing law enforcement agencies, snooping secret services or evil dudes who have targeted your PC and try to put some malware on it (see Darkhotel attack).

The green line is encrypted cjdns traffic, they can't see or manipulate anything.

Firewall in full shielding mode by default

  • Only traffic from selected friends inside the encrypted network is allowed
  • Regular incoming network traffic is completely blocked

Dear attacker: You have to be *inside* the network AND you have to be in my address book to have a chance of attacking me.

Free and open source software

The Enigmabox is built on free and open source software.
You can build your own image from source. Have a look at GitHub:

The administration interface resides here: webinterface

We use CFEngine for configuring the system. Templates can be found here: cfengine-promises

The web interface generates a json-file: webinterface/app/ (http://box/cfengine/site.json) that is being read by CFEngine:

Some important configuration templates

Asterisk: sip.conf, extensions.conf

cjdns: cjdroute.conf, setup-cjdns-networking (network script)

Mailserver: exim4.conf, dovecot.conf, users.conf

Privoxy: user.action

Firewall script: rebuild-iptables

Send a pull requests if you find a weak spot!

cjdns: IPv6 is the fingerprint

In cjdns, the IPv6 is the fingerprint. Every cjdns-IPv6 has a corresponding private key. Therefore, encryption is built in into the network protocol; unencrypted communication is not possible by design!

For the techies: cjdns uses crypto_box_curve25519xsalsa20poly1305 of the NaCl Networking and Cryptography library

Forward secret communications

A unique session key is generated for communication. After you hang up your phone, that key is thrown away and not even *you* are able to decrypt the encrypted phone call traffic. Those session keys are regenerated every now and then.

So, you have immense computing power, dear NSA; cracking trillions of passwords per second? Let's say you need ten years to decrypt that phone call. Chances are that you even only get parts of the conversation. For the next phone call, you need to crack a different key and you have to start all over: another ten years - bummer!

End-to-end encryption

Communication between two partners happens directly from Enigmabox to Enigmabox. The server in the middle is only passing on encrypted data. Enigmabox A has encrypted the stream for Enigmabox B and only B is able to decrypt the data.

  • All Enigmabox emails are end-to-end encrypted
  • All Enigmabox phone calls are end-to-end encrypted

Obfuscated metadata

Nobody can tell for sure if two Enigmaboxes communicate between each other.

  • Every Enigmabox is only connected to an Enigmabox server
  • Servers are connected amongst themselves
  • Lots of traffic passing through the servers with so many Enigmaboxes
  • Who communicates with whom?

What law enforcement sees:

  • Enigmabox A is connected to server A
  • Enigmabox B is connected to server B
  • Server A is connected to server B
  • They can't tell for sure if Enigmabox A is communicating with Enigmabox B

Real world topology (Nov 12 2014)

Email headers: PGP vs. Enigmabox

All data in one big encrypted pile of junk

This is an example of different traffic patterns. A download consumes much bandwith for a fair amount of time, whereas a spotify stream and a phone call use little bandwith, but over a longer period of time. Sending an email, checking for updates or synchronizing the time perform short spikes in the traffic pattern.

After the data has left the Enigmabox, you can only see the “silhouette” of the traffic. Whether you send an email, browse the web, stream a song, watch porn, make a phone call - it all looks the same; one pile of encrypted data, heading in one direction to one port - namely the direction of the Enigmabox server. Nobody can tell for sure what you are doing.

Constant bitrate codecs

Skype's VBR codec leaks information regardless of the quality of the encryption, which may allow phrases to be identified with an accuracy of 50-90%.

E.g. when I don't speak on codecs with variable bitrate, no data is being transmitted. This makes it vulnerable to traffic analysis.

Some safe non-VBR codecs include GSM 6.10, iLBC, G.711 (A-LAW, u-LAW, and PCMU), G.722, and G.726 (

The Enigmabox only allows codecs with a constant bit-rate (sip.conf on GitHub) to resist voice traffic analysis attacks.

No central server involved

  • Every Enigmabox runs a mailserver
  • Every Enigmabox runs a telephony server
  • No central mail or telephony servers involved
  • The Enigmabox server doesn't even know that you are sending an email

Can run in P2P mesh mode without any server at all

Enigmaboxes do not depend on an internet infrastructure. You can connect them via direct cable connection or via Wi-Fi. They form a mesh network that runs independent of the internet. And you can send emails and place phone calls with your partners as you are used to.

We only use the internet as a “long antenna”, to bridge long distances.

security.txt · Last modified: 2015/02/23 18:22 by 42
Back to top
GNU Free Documentation License 1.3 = chi`s home Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0