Encrypted calls, messaging and documents
Babelnet is an instant messaging platform for secure communication. It enables encrypted messages and documents to be sent and stored on both mobile (iOS, Android, BlackBerry) and desktop devices (Windows, MacOS). Babelnet combines the best cryptographic algorithms and protocols to protect your communication and information against both active and passive cyber-attacks.
Every message is encrypted using a standard AES symmetric-key algorithm with a unique Message Key that is randomly generated by the Babelnet application on the sender's device. The recipient needs to obtain the Message Key to decrypt the actual message, so the Message Key has to be kept encrypted while not in use. That is done with another encryption key, a Contact Key, which the sender shares with the recipient. Contact Keys are attached to messages. Contact Keys are not saved anywhere; they are calculated during the transmission using a standard Diffie-Hellman algorithm. For this calculation to happen, each party needs to possess a verified value of the other party's public key. Public keys are securely distributed to all registered mobile devices via the Babelnet Messaging Server.
Babelnet provides encrypted calls between mobile devices within the data network through VoIP. The voice is transmitted directly between end-users using an internet connection or through a TURN server (Traversal Using Relays around NAT) when the connection is relayed.
Babelnet provides secure voice transmission using SRTP (Secure Real-time Transport Protocol) encryption. "Perfect Forward Secrecy" applies to the encryption keys. This means that if the DH keys or relay session keys are compromised, no other keys will be compromised.
To establish a secure telephone connection, messages must be exchanged within the Babelnet protocol. Signaling messages are sent using standard transfer mechanisms that ensure total integrity. During the signaling process, first the temporary DH keys of the caller and receiver are exchanged, and then shared secret keys are agreed upon. Subsequently one-time encrypted keys are generated and used for further SRTP relay.
Messages, once encrypted, are sent to the Babelnet Messaging Server (BMS) for delivery. BMS notifies the recipient that a new message is waiting to be delivered and enables the recipient to download the message. Should the message contain an attachment, a preview is sent along with the message as well as a link for asynchronous download of the original attachment. The Babelnet server administrator can set the maximum time period for which it is possible to access and download attachments. Should the attachment expire, it is automatically deleted from the server.
Communication across multiple Babelnet servers is described below:
Sent and received messages stored on mobile devices are kept encrypted using randomly generated Message Keys. Message Keys need to be protected, therefore they are encrypted using Device Keys. Device Keys are randomly generated on mobile devices during installation of the application. Device Keys are then encrypted and protected by additional keys derived from passwords that users set during application installation.
In order to display messages, users are prompted to enter their password, from which the above-mentioned key is derived. That key is then used to temporarily decrypt the Device Key. Once the Device Key is available, it is possible to decrypt the Message Key and view messages.
Babelnet’s security is not based on encryption only, but also on authentication and integrity control to ensure that messages have not been changed, altered, or viewed by someone else and that all messages come from authenticated – verified users. Therefore all messages sent via Babelnet are not only encrypted but also digitally signed using an HMAC algorithm with authentication keys (Encrypt-then-Authenticate). Messages are also numbered / sequenced and the Babelnet application detects and deletes messages with non-valid sequence numbers. A warning is subsequently displayed to affected users.
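The receiver-side check described above, as an added example that is not Babelnet's own code: the HMAC is verified over the ciphertext before anything else, then the sequence number is checked. The frame layout (8-byte sequence number, ciphertext, tag), the use of HMAC-SHA256 and the strict "next expected number" rule are assumptions; the ciphertext is treated as opaque bytes and the key and messages are constructed sample values.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size (hash choice is an assumption)

def seal(auth_key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Sender side: frame = seq (8 bytes, big-endian) || ciphertext || tag.
    The tag covers the sequence number and the ciphertext (Encrypt-then-Authenticate)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

class Receiver:
    """Verifies the tag first, then the sequence number; only then releases
    the ciphertext to the decryption layer (not shown here)."""

    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.next_seq = 1  # assumed policy: strictly increasing by one

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return "reject:short", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "reject:bad-mac", None
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.next_seq:
            return "reject:bad-sequence", None  # replayed, reordered or missing
        self.next_seq += 1
        return "accept", body[8:]

def demo():
    key = bytes(range(32))                    # constructed authentication key
    rx = Receiver(key)
    m1 = seal(key, 1, b"\x8a\x11opaque-ct-1")  # constructed opaque ciphertexts
    m2 = seal(key, 2, b"\x03\x7fopaque-ct-2")
    tampered = bytearray(m2)
    tampered[10] ^= 0x01                      # flip one ciphertext bit
    return [
        rx.accept(m1)[0],                     # valid first message
        rx.accept(m1)[0],                     # same frame delivered again
        rx.accept(bytes(tampered))[0],        # modified in transit
        rx.accept(m2)[0],                     # valid second message
        rx.accept(seal(key, 5, b"x"))[0],     # valid tag, gap in numbering
    ]

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the authenticated data, an intermediary cannot renumber a captured frame without invalidating its tag.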
Babelnet Messaging Servers (BMS) are the central aspect of the platform. Each BMS maintains a database of registered user accounts, their devices and associated public keys. BMS are equipped with SSL certificates and provide the end users with client application licenses.
BMS do not store any private or secret keys and cannot decrypt the actual messages. BMS mediate data communication among Babelnet users and allow for notification distribution but do not take part in the actual encryption process.
All devices must be registered with the server using a One Time Password (OTP) which users typically receive along with initial instructions from their administrators. During the registration process BMS obtains and verifies the user's public key and synchronizes it across the user base defined in the server group setting.
Babelnet maintains a central contact and group directory. Groups allow for better contact organization. A "Contact" is a recipient and his / her public key. Every Contact can be part of multiple groups.
A BMS can be integrated with Babelnet Attachment Servers (BAS), which take care of temporary storage and asynchronous delivery of encrypted attachments. Babelnet messages only contain an attachment's metadata and a link for attachment download. BAS allow their administrators to set the maximum possible attachment size.
A Babelnet Messaging Gateway (BMG) is a unique proxy client providing automated software-controlled distribution of encrypted messages and documents. BMG can be integrated with BMS and can be connected with third party applications via a simple REST API. Third party applications authenticate and connect to BMG using a secure channel for secure data transfer. Data is then encrypted by BMG and distributed to Babelnet users as desired. BMG is an ideal solution for automated and secure distribution of messages, notifications, documents, pay slips, one time passwords, banking transactions etc.
Mobile devices with iOS and Android operating systems can receive push notifications that are used to let Babelnet mobile users know that they have messages on the server waiting for delivery. Push notifications can be used even when the Babelnet application is not active.
The Babelnet Push Notification Gateway was developed to send requests for push notification distribution within the Apple/Google server notification infrastructure. Each request is electronically signed using the Push Notification Gateway’s private key and a certificate, which is registered with Apple’s/Google’s notification center. This process is not mandatory and can be activated or disabled by Babelnet administrators. If disabled, distribution of messages can be delayed.
No information about the content of messages is sent along with notification requests. The only purpose of such requests is to let users know that there are messages waiting to be delivered.
Babelnet clients can encrypt, decrypt, send and receive messages and documents via BMS/BAS, create and display supported file formats directly in the application (documents, photos, videos, audio messages, ...), store messages and attachments in an encrypted form, set up group chats or search for contacts in the application and device directories.
Non-commercial Babelnet Lite clients are available for free on all major mobile and desktop platforms:
- client for iOS
- client for Android
- client for BlackBerry
- client for PC with Windows
- client for MacOS (OS-X)
Every user can have multiple devices registered under his / her account.
Each device can be connected to multiple Babelnet servers.
A company IT administrator uses the Babelnet web admin console to manage the server, users’ accounts, groups etc. Connectivity to LDAP / AD directories can be also configured to import and synchronize users’ accounts. An administrator can also delete users and / or revoke their keys as well as monitor overall server usage and connectivity.
Personalized web pages have been developed to further simplify user’s device management. Once logged in, users can add or remove their devices to / from their account.
Encryption is one of the most effective methods used to protect and secure data. Encryption is always based on some form of a cryptographic algorithm which is used to transform plaintext data into an encrypted text (ciphertext). For every encryption, a back transformation (decryption) method is necessary. All modern cryptography algorithms use parameters (cryptographic keys) for encryption and decryption.
Cryptography algorithms, which use an identical key for both encryption and decryption are called symmetric.
Cryptography, which uses different keys for encryption and decryption is called asymmetric. One of the keys from every key pair can be publicly known (public key), the second one remains private (private key).
SHA-2 is a family of cryptographic hash functions with a variable output length which are widely used in many cryptography schemes and protocols. A hash function is a one-way function, which transforms input data of any length into an output value of a given length while meeting the requirements of collision discovery resistance. Hash standards are described in great detail in FIPS PUB 180-4.
Diffie-Hellman is an algorithm used to establish a shared secret between two parties. It is primarily used as a method of exchanging cryptography keys for use in symmetric encryption algorithms like AES. Diffie-Hellman is described in RFC 2631 and NIST SP 800-56A. Diffie-Hellman in itself is not resistant against a man-in-the-middle attack and has to be supplemented with other cryptographic mechanisms.
RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. The standard used in RSA is PKCS #1 v2.1, described in RFC 3447. Babelnet uses RSA in connection with the public key server certificate.
HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function (hence the 'H') in combination with a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and message authentication.
Certificates allow the use of other individuals' public keys for the purposes for which they were issued by a certification authority within the PKI infrastructure.
Certificates consist of a binary data structure containing a holder's identity, the value of their public key and other information. Certificates are supplied with a publisher's digital signature. The digital certificates standard is X.509v3, the interoperability profile is described in RFC 3280.
Babelnet only uses server certificates for the purpose of establishing SSL/TLS communication, server authentication and signing of the notification distribution requests.
Data is encrypted by the sender and can be decrypted by the recipient only. No node (server, router), through which the data passes, can decrypt the data. Babelnet uses end to end encryption between the communication endpoints as a fundamental security solution.
Standard cryptographic protocols for secure communication SSL / TLS include three phases:
- agreement between participants on supported cryptographic algorithms
- key exchange based on public key encryption and certificate-based authentication
- symmetric cipher encryption
SSL / TLS ensures encryption only between two adjacent points of communication. The TLS v2.1 protocol is described in RFC 5246.
Man-in-the-middle is a known type of attack, where the attacker acts between the sender and recipient and redirects and changes messages to make both the sender and the recipient believe that they communicate with each other. In reality they both communicate with the attacker. To protect our users against MitM attacks, Babelnet implements several protective measures: sender & recipient authentication, message authentication, message integrity control and doubled control of the encryption keys via alternative channels. For more information about MitM visit https://en.wikipedia.org/wiki/Man-in-the-middle_attack.