diff options
| author | Gab <24553253+gabrix73@users.noreply.github.com> | 2026-01-03 03:56:52 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-01-03 03:56:52 +0100 |
| commit | 9cc235fb97f32ae41cb468194f1c8a0d828d13aa (patch) | |
| tree | 97387080f1f0fafa27af23c5c13b9f01b7d46d57 | |
| parent | c5bb2fdae8db0edf1d6bd029aa440fe93fb67f7c (diff) | |
| download | vapordrop-9cc235fb97f32ae41cb468194f1c8a0d828d13aa.tar.gz vapordrop-9cc235fb97f32ae41cb468194f1c8a0d828d13aa.tar.xz vapordrop-9cc235fb97f32ae41cb468194f1c8a0d828d13aa.zip | |
Add README.md for VaporDrop project
Add detailed README for VaporDrop project including features, security, architecture, and usage instructions.
| -rw-r--r-- | README.md | 235 |
1 files changed, 235 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..a65adea --- /dev/null +++ b/README.md @@ -0,0 +1,235 @@ +# VaporDrop + +**Ephemeral encrypted messaging over Tor. Zero logs. RAM only. Non-NIST cryptography.** + +``` + _ _ ____ +| | | | __ _ _ __ ___ _ _| _ \ _ __ ___ _ __ +| | | |/ _` | '_ \ / _ \| '_| | | | '__/ _ \| '_ \ +| |_| | (_| | |_) | (_) | | | |_| | | | (_) | |_) | + \___/ \__,_| .__/ \___/|_| |____/|_| \___/| .__/ + |_| |_| +``` + +## Features + +- **Brain Key Login** - No accounts, no registration. Your identity derives from 6+ words you remember +- **Zero-Knowledge Architecture** - Server stores only encrypted blobs, never sees plaintext +- **End-to-End Encryption** - Messages encrypted client-side before transmission +- **File Transfer** - Drag & drop files up to 1 GB, chunked and encrypted +- **Numeric ID + QR Code** - Easy sharing via `12345678-90` format +- **Contact Book** - Save contacts locally (never sent to server) +- **Auto-Expiration** - Messages and files deleted after 7 days +- **Tor Hidden Service** - Accessible only via .onion address + +## Cryptography + +**We reject NIST standards.** All algorithms are designed by independent cryptographers: + +| Function | Algorithm | Designer | +|----------|-----------|----------| +| Key Exchange | **X25519** | Daniel J. Bernstein | +| Encryption | **XChaCha20-Poly1305** | Daniel J. Bernstein | +| Hashing | **BLAKE3** | Aumasson, O'Connor, et al. | +| Key Derivation | **Argon2id** | PHC winner (2015) | +| Signatures | **Ed25519** | Daniel J. Bernstein | + +Why no NIST? [NIST collaborated with NSA to weaken Dual_EC_DRBG](https://en.wikipedia.org/wiki/Dual_EC_DRBG). Trust is broken. + +## Brain Key Security + +Your identity is generated from common words you can easily remember: + +| Words | Entropy | Crack Time* | +|-------|---------|-------------| +| 6 words | ~80 bits | ~16 million years | +| 8 words | ~106 bits | ~10¹⁵ years | +| 12 words | ~160 bits | ~10³¹ years | + +*10,000 word dictionary, 1 billion attempts/sec (unrealistic for Argon2id). Universe age: 13.8 billion years. + +**Example:** `house cat moon pizza sea sun` → unique cryptographic identity + +- Same words = same identity, always, on any device +- Forget words = lose access forever (no recovery) +- Never store digitally - keep in your head + +## Self-Hosting + +### Requirements + +- Docker + Docker Compose +- Linux server (VPS or dedicated) + +### Quick Start + +```bash +# Clone repository +git clone https://github.com/virebent/vapordrop.git +cd vapordrop + +# Create environment file with your passphrase +echo "VAPOR_KEY=your-secret-passphrase-min-16-chars" > .env +chmod 600 .env + +# Build and start +docker compose up -d --build + +# View logs (wait for .onion address) +docker compose logs -f +``` + +Your .onion address will appear in the logs: + +``` +✅ VAPORDROP ONLINE +🧅 http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion +``` + +### Commands + +```bash +# Start +docker compose up -d --build + +# Stop +docker compose down + +# View logs +docker compose logs -f + +# Destroy everything (including volumes) +docker compose down -v +``` + +### VAPOR_KEY + +The `VAPOR_KEY` passphrase: + +- Derives the **Ed25519 key** for your Tor hidden service +- Determines your **.onion address** +- Same passphrase = same .onion address (reproducible) +- **Does NOT encrypt messages** (that's done client-side with user keys) + +Store it in `.env` file with `chmod 600`. Never commit to git. + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────┐ +│ CLIENT │ +│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │ +│ │ Brain Key │→ │ X25519 │→ │ XChaCha20-Poly1305 │ │ +│ │ (6+ words) │ │ Key Pair │ │ Encryption │ │ +│ └─────────────┘ └─────────────┘ └─────────────────────┘ │ +└─────────────────────────────────────────────────────────────┘ + │ + │ Encrypted blob only + ▼ +┌─────────────────────────────────────────────────────────────┐ +│ SERVER (Zero-Knowledge) │ +│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │ +│ │ Tor HS │ │ RAM-only │ │ Auto-expiration │ │ +│ │ (Ed25519) │ │ Storage │ │ (7 days) │ │ +│ └─────────────┘ └─────────────┘ └─────────────────────┘ │ +└─────────────────────────────────────────────────────────────┘ +``` + +**Server never sees:** +- Plaintext messages +- Encryption keys +- Brain keys +- Contact lists + +## Security Features + +### Traffic Analysis Protection +- Random padding on all messages +- Randomized response delays +- Constant-time comparisons + +### Anti-Replay +- Nonce cache with 24h expiration +- BLAKE3 hashed nonces for privacy + +### Rate Limiting +- Session-based (Tor-compatible, not IP-based) +- Prevents abuse without deanonymization + +### Memory Protection +- Uses `memguard` for sensitive data +- Keys zeroed after use +- No swap, RAM only + +## API Endpoints + +| Endpoint | Method | Description | +|----------|--------|-------------| +| `/api/register` | POST | Register numeric ID → public key mapping | +| `/api/resolve/{id}` | GET | Resolve numeric ID to public key(s) | +| `/api/send` | POST | Send encrypted message | +| `/api/fetch` | POST | Fetch and delete messages | +| `/api/file/init` | POST | Initialize file transfer | +| `/api/file/chunk/{id}/{n}` | POST | Upload encrypted chunk | +| `/api/file/pending/{pubkey}` | GET | List pending files | +| `/api/file/download/{id}/{n}` | GET | Download chunk | +| `/api/file/complete/{id}` | POST | Mark transfer complete, delete | +| `/api/health` | GET | Health check | +| `/api/stats` | GET | Public statistics | + +## File Structure + +``` +vapordrop/ +├── main.go # Backend server +├── go.mod # Go dependencies +├── Dockerfile # Multi-stage build +├── docker-compose.yml # Container orchestration +├── .env # VAPOR_KEY (create this, never commit) +├── .gitignore # Excludes .env +├── .dockerignore # Excludes .env from build +└── static/ + ├── index.html # Application + └── home.html # Landing page +``` + +## Threat Model + +### Protects Against + +- ✅ Mass surveillance (Tor + E2E encryption) +- ✅ Server seizure (encrypted blobs without keys are useless) +- ✅ NIST backdoors (we don't use NIST algorithms) +- ✅ Metadata collection (no logs, no accounts, RAM only) +- ✅ Traffic analysis (random padding + timing delays) +- ✅ Replay attacks (nonce cache with expiration) + +### Limitations + +- ❌ Compromised endpoint (malware on your device) +- ❌ Screenshot by recipient +- ❌ State-level Tor correlation attacks +- ❌ Quantum computers (future threat to X25519) + +## Contributing + +1. Fork the repository +2. Create feature branch (`git checkout -b feature/improvement`) +3. Commit changes (`git commit -am 'Add feature'`) +4. Push branch (`git push origin feature/improvement`) +5. Open Pull Request + +## License + +MIT License - See [LICENSE](LICENSE) file. + +## Acknowledgments + +- [Daniel J. Bernstein](https://cr.yp.to/) - X25519, ChaCha20, Poly1305, Ed25519 +- [BLAKE3 Team](https://github.com/BLAKE3-team/BLAKE3) - BLAKE3 hash function +- [Tor Project](https://www.torproject.org/) - Anonymous communication +- [bine](https://github.com/cretz/bine) - Go Tor library + +--- + +**No logs. No traces. No NIST. No compromise.** |
