# Secure NOSTR Direct Messages - Security Guide ## Overview This guide explains the enhanced security features implemented for NOSTR Direct Messages in the UPlanet network. The system now provides enterprise-grade security and privacy protection for all communications. ## Security Features ### 1. NIP-44 Encryption (ChaCha20-Poly1305) **Enhanced Encryption with NIP-44:** * **NIP-44 (Current)**: ChaCha20-Poly1305 with improved HKDF * **NIP-17 (Gift Wrapping)**: Additional privacy layer for anonymous communications **Benefits:** * Stronger encryption algorithm * Built-in authentication (Poly1305) * Better resistance to timing attacks * Improved key derivation ### 2. Metadata Protection **Features:** * Message length standardization (prevents length analysis) * Random padding to obfuscate content characteristics * Timestamp obfuscation with random delays * Metadata header protection **Implementation:** ```python def add_metadata_protection(message: str, sender_hex: str, recipient_hex: str) -> str: # Standardize message length to prevent analysis target_length = 256 # Add random padding # Include obfuscated timestamp # Add metadata protection header ``` ### 3. Gift Wrapping (NIP-17) **Purpose:** Hide sender identity by wrapping messages in additional encryption layers. **How it works:** 1. Generate ephemeral keypair for each message 2. Encrypt the actual message with recipient's public key 3. Wrap the encrypted message in a gift event 4. Sign with ephemeral key (hides real sender) **Benefits:** * Sender identity protection * Metadata obfuscation * Enhanced privacy for sensitive communications ### 4. Ephemeral Keys for Privacy **Gift Wrapping System:** * Ephemeral keys for gift wrapping (NIP-17) * Single-use keys for anonymous communications * No persistent key storage * Enhanced privacy for sensitive communications ### 5. Rate Limiting and Anti-Surveillance **Features:** * Minimum 1-second intervals between messages * Random delays to prevent timing analysis * Connection throttling to avoid relay overload * Anti-surveillance measures ## Usage Examples ### Basic Secure DM ```bash # Send a secure message with NIP-44 encryption python3 nostr_send_secure_dm.py nsec1... abc123... "Secure message" wss://relay.example.com ``` ### Enhanced Privacy Mode ```bash # Enable all security features python3 nostr_send_secure_dm.py nsec1... abc123... "Sensitive info" wss://relay.example.com --secure-mode ``` ### Captain Broadcast with Security ```bash # Secure broadcast to all network users ./nostr_CAPTAIN_broadcast.sh "Important announcement" --secure-mode --verbose ``` ### Privacy Management ```bash # Generate ephemeral keys for gift wrapping # (Automatically handled by the secure DM system) # Enable maximum privacy mode ./nostr_CAPTAIN_broadcast.sh "Sensitive message" --secure-mode ``` ## Security Best Practices ### 1. Privacy Protection * Use gift wrapping for anonymous communications * Enable metadata protection for sensitive messages * Implement rate limiting to prevent surveillance ### 2. Metadata Protection * Always enable metadata protection for sensitive communications * Use gift wrapping for anonymous communications * Standardize message patterns to prevent analysis ### 3. Privacy Protection * Use ephemeral keys for gift wrapping * Implement metadata obfuscation * Enable anonymous communications ### 4. Network Security * Use rate limiting to prevent surveillance * Implement connection throttling * Monitor for unusual patterns ## Threat Model ### Protected Against: * **Content Analysis**: NIP-44 encryption prevents content inspection * **Metadata Analysis**: Length/timing obfuscation prevents pattern analysis * **Sender Identification**: Gift wrapping hides sender identity * **Key Compromise**: Ephemeral keys limit impact of key compromise * **Surveillance**: Rate limiting and anti-surveillance measures ### Security Levels: **Level 1 - Basic Security:** * NIP-44 encryption * Rate limiting **Level 2 - Enhanced Privacy:** * Level 1 + Metadata protection * Timestamp obfuscation **Level 3 - Maximum Privacy:** * Level 2 + Gift wrapping * Ephemeral keys for anonymity * Enhanced metadata protection ## Implementation Details ### Encryption Flow: 1. **Key Derivation**: ECDH shared secret + HKDF 2. **Encryption**: ChaCha20-Poly1305 with random nonce 3. **Authentication**: Poly1305 MAC for integrity 4. **Encoding**: Base64 for transmission ### Metadata Protection Flow: 1. **Length Standardization**: Pad to 256 characters 2. **Random Padding**: Add random data 3. **Timestamp Obfuscation**: Random delay (0-5 minutes) 4. **Header Protection**: JSON metadata wrapper ### Gift Wrapping Flow: 1. **Ephemeral Key Generation**: New keypair per message 2. **Inner Encryption**: Encrypt with recipient's key 3. **Outer Wrapping**: Create gift event with ephemeral key 4. **Identity Hiding**: Sender identity is obscured ## Monitoring and Maintenance ### Privacy Monitoring: ```bash # Check broadcast security status ./nostr_CAPTAIN_broadcast.sh "Test message" --dry-run --verbose # Monitor secure DM delivery python3 nostr_send_secure_dm.py nsec1... abc123... "Test" wss://relay.com --verbose ``` ## Compliance and Standards ### NIP Compliance: * **NIP-44**: Enhanced encryption implementation * **NIP-17**: Gift wrapping implementation ### Security Standards: * **Privacy Protection**: Implemented via gift wrapping * **Anonymous Communications**: Ephemeral keys * **Metadata Protection**: Obfuscation techniques * **Rate Limiting**: Anti-surveillance measures ## Troubleshooting ### Common Issues: **1. Encryption Errors:** * Check cryptography library installation * Verify key formats (NSEC/hex) * Ensure relay connectivity **2. Privacy Issues:** * Check gift wrapping configuration * Verify ephemeral key generation * Monitor metadata protection **3. Performance Issues:** * Adjust rate limiting settings * Check relay performance * Monitor connection quality ### Debug Mode: ```bash # Enable verbose output for debugging ./nostr_CAPTAIN_broadcast.sh "Test message" --verbose --dry-run ``` ## Future Enhancements ### Planned Features: * **NIP-EE Support**: Messaging Layer Security (MLS) * **Group Messaging**: Encrypted group communications * **Enhanced Privacy**: Additional obfuscation techniques * **Audit Logging**: Security event monitoring ### Research Areas: * **Quantum Resistance**: Post-quantum cryptography * **Zero-Knowledge**: Privacy-preserving protocols * **Homomorphic Encryption**: Computation on encrypted data ## Conclusion The enhanced secure DM system provides enterprise-grade security and privacy for NOSTR communications. By implementing NIP-44 encryption, metadata protection, and gift wrapping, the system offers multiple layers of protection against various attack vectors. Regular maintenance, proper privacy configuration, and adherence to security best practices ensure the continued effectiveness of the security measures. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://astroport-1.gitbook.io/astroport.one/tools/secure_dm_guide.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.