X-Git-Url: http://git.silcnet.org/gitweb/?a=blobdiff_plain;f=doc%2FFAQ;h=396daa4fe51fd81bed7deac27f66fc2efc8ac8e7;hb=c257b555225193e54d85daf541d29578b3c93882;hp=67393975d09aa567f54573cb3296c8e42b564ed9;hpb=2c6a7600ae4f30afd9dc142b98f88bd7c6911e9a;p=silc.git diff --git a/doc/FAQ b/doc/FAQ index 67393975..396daa4f 100644 --- a/doc/FAQ +++ b/doc/FAQ 
@@ -1,134 +1,806 @@ -Frequently Asked Questions + Frequently Asked Questions + 1. General Questions + 1.1 What is SILC? + 1.2 When was SILC Project started? + 1.3 Why SILC in the first place? + 1.4 What license covers the SILC release? + 1.5 Why SILC? Why not IRC3? + 1.6 What platforms SILC supports? + 1.7 How do you pronounce SILC? + 1.8 Where can I find more information? + 1.9 I would like to help out, what can I do? -Q: What is SILC? -A: SILC (Secure Internet Live Conferencing) is a protocol which provides - secure conferencing services in the Internet over insecure channel. - SILC is IRC like although internally they are very different. Biggest - similiarity between SILC and IRC is that they both provide conferencing - services and that SILC has almost same commands as IRC. Other than - that they are nothing alike. + 2. Protocol Questions + 2.1 What is the status of SILC protocol in the IETF? + 2.2 How much the SILC protocol is based on IRC? + 2.3 Why use SILC? Why not IRC with SSL? + 2.4 Can I talk from SILC network to IRC network? + 2.5 Does SILC support file transfer? + 2.6 Does SILC support DCC or alike? + 2.7 I am behind a firewall, can I use SILC? + 2.8 How secure SILC really is? + 2.9 Does SILC support instant messaging? + 2.10 Why SILC does not have LINKS command like in IRC? + 2.11 What does the session detaching/resuming mean? + 2.12 Is anyone outside a channel able to see the channel + messages? + 2.13 How can I register my channel in SILC? + 2.14 Is it true that all messages are encrypted in SILC? + 2.15 Can server or SILC operator gain operator mode on a channel? + 2.16 Channel name doesn't have #-character or does it? + 2.17 Does SILC support moderated channels? + 2.18 What does the "watching" mean? + 2.19 Is it possible to reject watching? + 2.20 Is it possible to block private messages? + 2.21 Is it possible to block channel messages? + 2.22 Is it possible to block invites? 
+ 2.23 Does SILC support multimedia messages, like video/audio + streaming? + 2.24 What kind of presence modes SILC support? + 2.25 Does SILC support anonymity? + 2.26 Does SILC support services? + 2.27 I have suggestions to SILC Protocol, what can I do? + + 3. Client Questions + 3.1 Where can I find SILC clients? + 3.2 Can I use SILC with IRC client and vice versa? + 3.3 The default theme sucks, where can I find a better one? + 3.4 How do I send a private message? + 3.5 How do I negotiate secret key with another user? + 3.6 How do I negotiate secret keys behind a NAT? + 3.7 How do I change channel modes? + 3.8 What does the founder mode on channel mean, and how do I set + it? + 3.9 I am founder of invite only channel, how can I join the + channel after I have left it? + 3.10 How can I op or deop somebody on channel? + 3.11 How do I set private key for channel, and what does that + mean exactly? + 3.12 How do I transfer a file? + 3.13 How can I get other users public keys? + 3.14 How can I see the fingerprint of my public key? + 3.15 I gave WHOIS to a nick, and it returned multiple replies, + why? + 3.16 Is there a command to see all linked servers? + 3.17 How do I list the users of a channel? + 3.18 What is the difference between OPER and SILCOPER commands? + 3.19 My Cygwin client crashes with message "Couldn't create + //.silc directory" + 3.20 Why /join #silc and /join silc doesn't join the same + channel? + 3.21 How do I detach my session from the server? + + 4. Server Questions + 4.1 Where can I find SILC servers? + 4.2 Can I run my own SILC server? + 4.3 What is the difference between SILC server and SILC router? + 4.4 Why server says permission denied to write to a log file? + 4.5 When I connect to to my server, it says "server does not + support one of your proposed cipher", what is wrong? + 4.6 Why SILC server runs on privileged port 706? + 4.7 I see [Unknown] in the log file, what does it mean? + 4.8 How can I generate a new server key pair? + + 5. 
Toolkit Questions + 5.1 What is SILC Toolkit? + 5.2 Is the SILC Toolkit Reference Manual Available? + 5.3 How do I compile the Toolkit on Unix? + 5.4 How do I compile the Toolkit on Win32? + 5.5 Does the Toolkit package include any sample code? + + 1. General Questions + + Q: What is SILC? + A: SILC (Secure Internet Live Conferencing) is a protocol which + provides secure conferencing services in the Internet over insecure + channel. SILC is IRC like although internally they are very different. + Biggest similarity between SILC and IRC is that they both provide + conferencing services and that SILC has almost same commands as IRC. + Other than that they are nothing alike. Biggest differences are that SILC is secure what IRC is not in any - way. The network model is also entirely different compared to IRC. - - -Q: Why SILC in the first place? -A: Simply for fun, nothing more. An actually for need back then when - it was started. SILC has been very interesting and educational - project. - - -Q: When SILC will be completed? -A: SILC still has a lot things to do. The time of completion is much - related to how many interested people is willing to join the effort. - It will be ready when it is ready. The reason for release of the - current development version is just to get it out and people aware - that something like this exist. - - -Q: Why use SILC? Why not IRC with SSL? -A: Sure, that is possible, although, does that secure the entire IRC - network? And does that increase or decrease the lags and splits in - the IRC network? Does that provide user based security where some - specific private message are secured.? Does that provide security - where some specific channel messages are secured? Security is not - just about applying encryption to traffic and SILC is not just about - `encrypting the traffic`. You cannot make insecure protocol suddenly - secure just by encrypting the traffic. SILC is not meant to be IRC - replacement. 
IRC is good for some things, SILC is good for same and - some other things. - - -Q: Can I use SILC with IRC client? What about can I use IRC with SILC - client? -A: Answer for both question is no. IRC client is in no way compatible - with SILC server. SILC client cannot currently use IRC but this may - change in the future if IRC support is added to the SILC client. - After that one could use both SILC and IRC with the same client. - Although, even then one cannot talk from SILC network to IRC network. - That just is not possible. - - -Q: Why client/server protocol is based on IRC? Would it be more - interesting to implement something extensible and more powerful? -A: They are not, non the least. Have you read the protocol specification? - The client superficially resembles IRC client but everything that - happens under the hood is nothing alike IRC. SILC could *never* - support IRC because the entire network toppology is different - (hopefully more scalable and powerful). So no, SILC protocol (client - or server) is not based on IRC. Instead, I've taken good things from - IRC and leaved all the bad things behind and not even tried to burden - myself with the IRC caveats that will burden IRC and future IRC - projects til the end. SILC client resembles IRC client because it is - easier for new users to start using SILC when they already know all the - commands. - - -Q: Why SILC? Why not IRC3? -A: Question that is justified no doubt of that. I didn't start doing SILC - to be replacement for IRC. SILC was something that didn't exist in - 1996 or even today except that SILC is now released. However, I did + way. The network model is also entirely different compared to IRC. + + Q: When was SILC Project started? + A: The SILC development started in 1996 and early 1997. But, for + various reasons it suspended many times until it finally got some wind + under its wings in 1999. First public release was in summer 2000. + + Q: Why SILC in the first place? 
+ A: Simply for fun, nothing more. And actually for need back in the + days when it was started. When SILC was first developed there really + did not exist anything like this. SILC has been very interesting and + educational project. + + Q: What license covers the SILC release? + A: The SILC software developed here at silcnet.org, the SILC Client, + the SILC Server and the SILC Toolkit are covered by the GNU General + Public License. + + Q: Why SILC? Why not IRC3? + A: Question that is justified no doubt of that. SILC was not started + to become a replacement for IRC. SILC was something that didn't exist + in 1996 or even today except that SILC is now released. However, I did check out the IRC3 project in 1997 when I started coding and planning the SILC protocol. - But, IRC3 is problematic. Why? Because it still doesn't exist. The - project is at the same spot where it was in 1997 when I checked it out. - And it was old project back then as well. Couple of months ago I - checked it again and nothing were happening. That's the problem of IRC3 - project. The same almost happened to SILC as well as I wasn't making - real progress over the years. I talked to the original author of IRC, - Jarkko Oikarinen, in 1997 and he directed me to the IRC3 project, - although he said that IRC3 is a lot of talking and not that much of - anything else. I am not trying to put down the IRC3 project but its - problem is that no one in the project is able to make a decision what - is the best way to go about making the IRC3 and I wasn't going to be - part of that. The fact is that if I would've gone to IRC3 project, - nor IRC3 or SILC would exist today. I think IRC3 could be something - really great if they just would get their act together and start - coding the thing. - - -Q: How secure SILC really is? -A: A good question which I don't have a answer. SILC has been tried to - make as secure as possible. 
However, there is no security protocol - or security software that has not been vulnerable to some sort of - attacks. SILC is in no means different from this. So, it is suspected - that there are security holes in the SILC. These holes just needs to - be found so that they can be fixed. + But, IRC3 is problematic. Why? Because it still doesn't exist. The + project is almost at the same spot where it was in 1997 when I checked + it out. And it was old project back then as well. That's the problem + of IRC3 project. The same almost happened to SILC as well as I wasn't + making real progress over the years. I talked to the original author + of IRC, Jarkko Oikarinen, in 1997 and he directed me to the IRC3 + project, although he said that IRC3 is a lot of talking and not that + much of anything else. I am not trying to put down the IRC3 project + but its problem is that no one in the project is able to make a + decision what is the best way to go about making the IRC3 and I wasn't + going to be part of that. The fact is that if I would've gone to IRC3 + project, nor IRC3 or SILC would exist today. I think IRC3 could be + something really great if they just would get their act together and + start coding the thing. + + Q: What platforms SILC supports? + A: The SILC Client is available on various Unix systems and is + reported to work under cygwin on Windows. The SILC Server also works + on various Unix systems. However, the server has not been tested under + cygwin as far as we know. The SILC Toolkit is distributed for all + platforms, Unix, Cygwin and native Windows. + + Q: How do you pronounce SILC? + A: SILC is usually pronounced as `silk', but you are free to pronounce + it the way you want. + + Q: Where can I find more information? + A: For more technical information we suggest reading the SILC Protocol + specifications. You might also want to take a look at the + documentation page on the web page. + + Q: I would like to help out, what can I do? 
+ A: You might want to take a look at the Contributing page and the TODO + list. You might also want to join the SILC development mailing list. + + 2. Protocol Questions + + Q: What is the status of SILC protocol in the IETF? + A: The SILC protocol specifications has been submitted currently as + individual submissions. There does not currently exist a working group + for this sort of project. Our goal is to fully standardize the SILC + and thus submit it as RFC to the IETF at a later time. This can happen + only after we have requested the IETF to accept SILC as RFC. As of + today, we have not yet even requested this from the IETF. We want to + let the protocol mature a bit more. + + Q: How much SILC Protocol is based on IRC? + A: SILC is not based on IRC. The client superficially resembles IRC + client but everything that happens under the hood is nothing alike + IRC. SILC could *never* support IRC because the entire network + toppology is different (hopefully more scalable and powerful). So no, + SILC protocol (client or server) is not based on IRC. Instead, We've + taken good things from IRC and left all the bad things behind and not + even tried to burden the SILC with the IRCs problems that will burden + IRC and future IRC projects till the end. SILC client resembles IRC + client because it is easier for new users to start using SILC when + they already know all the commands. + + Q: Why use SILC? Why not IRC with SSL? + A: Sure, that is possible, although, does that secure the entire IRC + network? And does that increase or decrease the lags and splits in the + IRC network? Does that provide user based security where some specific + private message are secured? Does that provide security where some + specific channel messages are secured? And I know, you can answer yes + to some of these questions. But, security is not just about applying + encryption to traffic and SILC is not just about `encrypting the + traffic`. 
You cannot make insecure protocol suddenly secure just by + encrypting the traffic. SILC is not meant to be IRC replacement. IRC + is good for some things, SILC is good for same and some other things. + + Q: Can I talk from SILC network to IRC network? + A: Simple answer for this is No. The protocols are not compatible + which makes it impossible to directly talk from SILC network to IRC + network or vice versa. Developing a gateway between these two networks + would technically be possible but from security point of view strongly + not recommended. We have no plans for developing such a gateway. + + Q: Does SILC support file transfer? + A: Yes. The SILC protocol support SFTP as mandatory file transfer + protocol. It provides simple client to client file transfer, but also + a possibility for file and directory manipulation. Even though the + SFTP is the file transfer protocol the support for file transferring + has been done so that practically any file transfer protocol may be + used with SILC protocol. + + Q: Does SILC support DCC or alike? + A: SILC does not support the DCC commonly used in IRC. It does not + need it since it has builtin support for same features that DCC have. + You can transfer files securely and encrypted directly with another + client. You can also negotiate secret key material with another client + directly to use it in private message encryption. The private messages + are not, however sent directly between clients. The protocol, on the + other hand does not prohibit sending messages directly between clients + if the implementation would support it. The current SILC Client + implementation does not support it. This means that private messages + travel through the SILC Network. SILC protocol also has a capability + to support DCC and CTCP like protocols with SILC. None of them, + however have not been defined to be used with SILC at the present + time. + + Q: I am behind a firewall, can I use SILC? + A: Yes. 
If your network administrator can open the remote port 706 + (TCP) you can use SILC without problems. You may also compile your + SILC client with SOCKS support which will proxy your SILC session + through the firewall. + + Q: How secure SILC really is? + A: We have tried to make SILC as secure as possible. However, there is + no security protocol or security software that has not been vulnerable + to some sort of attacks. SILC is in no means different from this. So, + it is suspected that there are security holes in the SILC. These holes + just need to be found so that they can be fixed. SILC's security + features has been developed from attacker's point of view, and we've + tried to find all the possible attacks and guard the protocol against + them. But to give you some parameters of security SILC uses the most secure - crytographic algorithms such as Blowfish, RC5, Twofish, etc. SILC - does not have DES or 3DES as DES is insecure and 3DES is just too - slow. SILC also uses cryptographically strong random number generator - when it needs random numbers. Public key cryptography uses RSA - and Diffie Hellman algorithms. Key lengths for ciphers are initially - set to 128 bits but many algorithm supports longer keys. For public - key algorithms the starting key length is 1024 bits. - - But the best answer for this question is that SILC is as secure as - its weakest link. SILC is open and the protocol is open and in public - thus open for security analyzes. + crytographic algorithms such as AES (Rijndael), Twofish, Blowfish, + RC5, etc. SILC does not have DES or 3DES as DES is insecure and 3DES + is just too slow. SILC also uses cryptographically strong random + number generator when it needs random numbers. Public key cryptography + uses RSA (PKCS #1) and Diffie-Hellman algorithms. Key lengths for + ciphers are initially set to 256. For public key algorithms the + starting key length is 1024 bits. 
+ + But the best answer for this question is that SILC is as secure as its + weakest link. SILC is open and the protocol is open and in public thus + open for security analysis. To give a list of attacks that are ineffective against SILC: - o Man-in-the-middle attacks are ineffective if proper public key - infrastructure is used. SILC is vulnerable to this attack if - the public keys used in the SILC are not verified to be trusted. + - Man-in-the-middle attacks are ineffective if proper public key + infrastructure is used, and if all public keys are always verified. + - IP spoofing is ineffective (because of encryption and trusted keys). + - Attacks that change the contents of the data or add extra data to + the packets are ineffective (because of encryption and integrity + checks). + - Passive attacks (listenning network traffic) are ineffective + (because of encryption). Everything is encrypted including + authentication data such as passwords when they are needed. + - Any sort of cryptanalytic attacks are tried to make ineffective by + using the best cryptographic algorithms out there, and by designing + the protocol to guard against them. + + Q: Does SILC support instant messaging? + A: Officially SILC is not an instant message (IM) system as people + usually understands it. However, SILC supports many of the features + that are found in traditional IM systems. SILC can be implemented in + either IRC-style or IM-style system. Features that are usually found + only in IM systems, such as multiple presence settings, persistent + sessions etc. are also found in SILC. + + Q: Why SILC does not have LINKS command like in IRC? + A: It was felt that this information as an own command in SILC is not + necessary. Moreover, the topology of the network might be undisclosed + information even though the servers and routers in the network are + still open. 
We feel that the network topology information, if it is + wanted to be public, and the list of accessible servers can be made + available in other ways than providing command like LINKS, which shows + the active server links in IRC. + + Q: What does the session detaching/resuming mean? + A: The new SILC protocol supports a feature called session detachment. + This means that client can detach from the server by giving a DETACH + command, but still remain as valid user in the network. The connection + is lost to the server but the user remains in the network. User can + then resume the session back next time it connects a server in the + network, and be like he was never gone. + + This feature clearly could be used in many cases. For example, if you + want to upgrade your current SILC client, you do not have to quit the + network anymore. You just give DETACH command and still remain in the + network. Then you upgrade your client and reconnect to the server and + continue business as is. If somebody gives WHOIS command to your + nickname he will see that you are detached. Messages that are sent to + you when you are detached are dropped by the server. Nice thing about + this feature is also that you can resume the session from any server + in the network; you do not have to reconnect to the same server you + originally were connected to. + + Q: Is anyone outside a channel able to see the channel messages? + A: A short answer is simply No. A longer answer involves assumptions + about security conditions. Initially channel keys are generated by the + server, so if the server would get compromised it would be possible + for an adversary to see the messages. However, users on the channel + can prevent this even if the server would be compromised. It is + possible to set so called channel private key that only the users on + the channel know about. The servers does not know about the key, and + therefore cannot see the messages even if they would be compromised. 
+ So, longer answer results into same as the short one; No. + + Q: How can I register my channel in SILC? + A: There is not a channel registering service in SILC. However, SILC + does support permanent channels. When you join a non-existing channel + for the first time you will become the founder of the channel. You can + then set a special founder mode on the channel which makes the channel + permanent. When the last user leaves the channel when this mode is + set, the channel will not be destroyed. If the founder mode is not + set, then empty channels will be destroyed automatically. When the + founder mode is set and you leave the channel you can also reclaim the + founder rights back on the channel next time you join it. (see also Q: + What does the founder mode on channel mean, and how do I set it? and + Q: I am founder of invite only channel, how can I join the channel + after I have left it?). You can call this channel registering if you + want. + + Q: Is it true that all messages are encrypted in SILC? + A: Most definitely yes. The SILC protocol makes it impossible to send + unencrypted messages or packets to the SILC network. All messages are + always encrypted, either using session keys, or other secret keys such + as channel keys or private message keys. + + Q: Can server or SILC operator gain operator mode on a channel? + A: They cannot get operator status, founder status, join invite only + channels, escape active bans, escape user limits or anything alike, + without explicitly being allowed. Only way to get channel operator + status is that someone ops him. Server and SILC operators in the + network are normal users with the extra privileges of being able to + adminstrate their server. They cannot do anything more than a normal + user. + + Q: Channel name doesn't have #-character or does it? + A: The #-character is not mandatory part of channel name, like it is + in IRC. 
This means that giving the command /JOIN #silc and /JOIN silc + will join to different channels. This is intentional since the + #-character clearly is IRC feature and has nothing to do with SILC. If + you want it to have the character then just join to the channel with + #-character in the name. + + Q: Does SILC support moderated channels? + A: Yes. Channel founder can moderate both normal users and channel + operators so that they cannot talk on the channel. It is also possible + to quiet one specific user on the channel if needed. + + Q: What does the "watching" mean? + A: You can set a "watch" list for yourself in the server. This means + that you can watch for certain nicknames in the network. For example, + if you add a nickname "foo" to the watch list you will be notified + when the foo logins to the network, leaves the network, changes its + user mode or changes its nickname. This way you can watch for example + when does you friend login to the network. + + Q: Is it possible to reject watching? + A: Yes. Since it is clear that not everyone wants to be spied on you + can set a mode for yourself which rejects watching you. Even if + someone is watching the nickname you have, your logins, logoffs, mode + changes or nickname changes will not be notified to the watcher. + + Q: Is it possible to block private messages? + A: Yes. You can block incoming private messages by setting a mode that + prevents unwanted private messages. Only the private messages that are + secured with a private message key are delivered to you. This implies + that you have negotiated the private key with the sender of the + message, and therefore want to receive messages from that user. Other + private messages that are secured with normal session keys are dropped + when the mode is set. + + Q: Is it possible to block channel messages? + A: Yes it is. By setting a mode that accomplishes this you can prevent + the server of sending any channel messages to you. 
There is also a + mode that allows blocking channel messages from normal users. This + means that you will receive channel messages only when it is sent by + channel operator or channel founder. It is also possible to block + channel messages sent by robots. A user on the channel can have a + robot mode set (which means that the user is actually a robot + program), and messages sent from that user can be blocked with the + mode. + + Q: Is it possible to block invites? + A: It sure is. You can set a mode that prevents the server of sending + invite notifications to you. This can for example prevent invite + flooding. The downside is that it may make joining to a invite only + channels a bit harder. + + Q: Does SILC support multimedia messages, like video/audio streaming? + A: Yes it does. The new version of the protocol supports sending of + MIME objects as messages. Since MIME objects can easily represent any + kind of data, such as video stream, audio stream, images, etc. it is + easy to send these multimedia messages in SILC. It also makes video + conferencing possible with SILC. It can work by sending the stream(s) + to a channel and everybody who joins the channel can receive the + stream. This feature in the protocol surely makes possible many kind + of multimedia applications in the future. + + Q: What kind of presence modes SILC support? + A: By presence we mean indication of presence in the network, and SILC + supports several different kinds of presence modes. They can be + changed with the UMODE command which changes your user mode in the + network. Currently there is the following modes for presence: GONE + (I'm away), INDISPOSED (I cannot be here), BUSY (I'm busy, don't + bother me), PAGE (page me if you want to talk), and HYPER (I'm hyper + active, talk to me). When mode is not set it means you are present in + the network. There are many other user modes as well, but they are not + directly related to presence indication. 
+ + Q: Does SILC support anonymity? + A: The protocol has a user mode which indicates that user is anonymous + user. The user cannot set or unset the mode itself, but a server which + provides these anonymous chatting services can set the mode for the + user that connects to the server. User that has the mode set has their + username and hostname information scrambled. There are other ways of + making anonymity in SILC but they all are implementational methods, + and protocol does not handle those methods. + + Q: Does SILC support services? + A: Yes it does. There is command called SERVICE which can be used by + clients and servers to negotiate a service agreement with a remote + server. The protocol does not however define any services currently. + + Q: I have suggestions to SILC Protocol, what can I do? + A: All suggestions and improvements are of course welcome. You should + read the protocol specifications first to check out whether your idea + is covered by them already. The best place to make your idea public is + the SILC development mailing list. You might want to checkout the TODO + list from the CVS as well. + + 3. Client Questions + + Q: Where can I find SILC clients? + A: The official SILC client is available for free download from the + silcnet.org web page. There is also several independent projects + working with the SILC Toolkit to come up with various other clients. + Bombyx is a cross-platform GUI client written with FLTK. Milc is also + a cross-platform GUI client written with WxWindows. See also our links + page for links to other clients. + + Q: Can I use SILC with IRC client and vice versa? + A: Generally the answer would be no for both. However, there exist + already at least one IRC client that supports SILC, the Irssi client. + The current SILC client is actually based on the user interface of the + Irssi client. So, yes it is possible to use SILC with some IRC clients + and vice versa. 
You can use SILC plug-in in Irssi and have support for + both protocols in one client. But, this does not mean that you can + talk from SILC network to IRC network, that is not possible. + + Q: The default theme sucks, where can I find a better one? + A: The Irssi SILC client's theme files are almost 100% compatible with + the original Irssi IRC client's themes. You can get those theme files + from the Irssi project website. You can also try to make a better + theme by yourself. + + Q: How do I send a private message? + A: Sending private message is done by using the MSG command. For + example, command: /MSG john hello, will send a `hello' message to a + nickname `john'. By default private messages are secured with session + keys, and the message is re-encrypted by the servers when the message + travels to the receiver. If you would like to secure the private + messages with a private key, you can negotiate a secret key with the + receiver. Always remember to give WHOIS command before sending a + private message to assure that you are sending the message to correct + person. + + Q: How do I negotiate secret key with another user? + A: It is important to negotiate secret keys if you cannot trust the + servers and the network you are using. By negotiating a key with the + user you want to talk to assures that no one except you and your + friend is able to encrypt and decrypt the messages. The secret key + negotiation is done with the KEY command. Here is an example of how to + negotiate keys for securing private messages. + + By giving command: /KEY MSG john agreement 192.168.2.100, you will + send a key negotiation request to a nickname `john'. The 192.168.2.100 + IP address would be your machine's IP address. You can also define an + port to the KEY command after the IP address. If you do not do that + the operating system will bind to a port of its choosing. 
John will + receive a notification on the screen that you would like to negotiate + secret keys with him, and he will receive the IP address and port + where you are listenning for the negotiation. When he gives command: + /KEY MSG You negotiate 192.168.2.100 31382, the key negotiation is + started. During the key negotiation you will be prompted on the screen + to verify and accept John's public key if you do not have his public + key already. The John will be prompted to accept your public key as + well. After the key negotiation is over all private messages sent + between you and John are secured with the negotiated secret key. Note + that you must verify the public key you are prompted for, and this is + very important since someone could be doing man-in-the-middle attack. + + Q: How do I negotiate secret keys behind a NAT? + A: If only you are behind a NAT, or firewall then key negotiation + works, but if both you and your friend are behind a NAT then key + negotiation will not work, since it is done peer to peer. If you are + behind a NAT then you obviously cannot receive key negotiations, and + cannot bind to any IP address and port. However, you can still use KEY + command to negotiate the keys. + + By giving command: /KEY MSG john agreement, without any other + arguments (such as IP address and port) you will send a negotiation + request to John, but do not provide an address and port for the John + to connect to. When John receives the notification on the screen that + you would like to perform key negotiation, he can give command: /KEY + MSG You agreement 172.16.100.78, which will send key negotiation + request back to you. You will receive the IP address and port where + you need to connect in order to perform the negotiation. After + receiving the notification you can give command: /KEY MSG john + negotiate 172.16.100.78 31181, which will start the key negotiation + with John. This way you can negotiate the keys if you are behind a + NAT. 
+ + Q: How do I change channel modes? + A: The command to manage channel modes is CMODE. With this command you + can change the channel status (to change it to secret channel for + example), set user limit on the channel, passphrase for the channel, + set the channel to use private keys on channel, and set the founder + mode. + + Q: What does the founder mode on channel mean, and how do I set it? + A: Who ever creates the channel by being the first user to join the + channel becomes automatically the founder of the channel. Founder has + some extra privileges on the channel. For example, it is not possible + to kick the founder off the channel, and there are some channel modes + that only the founder of the channel can change. If the creator of the + channel wishes to preserve the channel founder mode even if he leave + the channel he can set the founder mode for the channel. + + The mode is set by giving command: /CMODE #channel +f. This will set + the founder mode and will use the public key of the founder as + authenticator when the user is reclaiming the mode back. If the + founder leaves the channel he will be able to get the founder mode + back by using JOIN or CUMODE commmands. Giving command /JOIN #channel + -founder, will get the founder mode back at the same time he joins the + channel, or giving commmand /CUMODE #channel +f yournick, will also + give the founder mode back on the channel after he has joined the + channel. + + The founder mode also means that the channel becomes permanent when it + is set. This means that when the last client leaves the channel the + channel is not destroyed when the founder mode is set. Next time + someone joins the channel he will not become the founder of the + channel if the channel already existed (but were empty). If the + founder mode is not set when last user leaves the channel, the channel + will be destroyed. 
When you set the mode for the channel and leave the + channel you can reclaim the founder rights to yourself back at any + time when you rejoin the channel. + + Q: I am founder of invite only channel, how can I join the channel + after I have left it? + A: Founder can override the invite only status by reclaiming the + founder status on the channel using the JOIN command. The channel must + have the founder mode set in order for it to work. Reclaiming founder + status using JOIN command is important also if the channel has user + limit set, and has active bans. Founder can override these conditions + as well. However, founder cannot override the passphrase of the + channel if it is set. To get the founder mode during JOIN and to + override the invite only condition, give command: /JOIN #channel + -founder. This will join the channel and attempt to reclaim the + founder status back to you. + + Q: How can I op or deop somebody on channel? + A: Giving operator status, or removing the operator status on a + channel requires you to have at least operator status, or founder + status on the channel. You can give operator status to another user by + using CUMODE command. To give ops give the command: /CUMODE #channel + +o john, and to remove ops give command: /CUMODE #channel -o john. To + indicate current channel you can also use `*' character in #channel's + stead. + + Q: How do I set private key for channel, and what does that mean + exactly? + A: Setting private key for channel requires first to set the private + key mode for the channel. You need to be the founder of the channel to + be able to do this. Give the command: /CMODE #channel +k. After this + mode is set the old channel key will not be used to encrypt and + decrypt channel messages. To set the key for the channel use the KEY + command. Every user on the channel must do the same thing and set the + same key. 
If some user on the channel does not set the key (or does + not know the key) he won't be able to see any messages on the channel. + Give the command: /KEY CHANNEL #channel set verysecretkey. This + command will set the `verysecretkey' passphrase as key to #channel. + How exactly other users will know this key is out of scope of the SILC + protocol. SILC does not provide yet a possibility of negotiating + secret key with many users at the same time. For this reason the + secret key on the channel is usually a passphrase or a password that + all users on the channel have to know. Setting a private key for + channel means that only the users on the channel who know the key is + able to encrypt and decrypt messages. Servers do not know the key at + all. If you remove the private key mode from the channel, all users + will start automatically using a new channel key to secure channel + messages. + + Q: How do I transfer a file? + A: You can transfer files securely using the FILE command. This + command will automatically negotiate secret key with the remote user + and the file transfer stream is secured using that key. The file + transfer stream is always sent peer to peer. If you would like to send + a file to another user you can give command: /FILE SEND + path/to/the/file john. This command sends, or actually makes the + `path/to/the/file' available for download for the user `john'. The + John will decide whether he wants to actually download the file. When + John gives the command: /FILE RECEIVE, the key negotiation is started. + You and John will be prompted to verify and accept each other's public + key if you do not have it cached already. After key negotiation is + over the file transfer process starts. If you want to cancel the file + transfer session, or if John wants to reject the file transfer + request, giving the command: /FILE CLOSE will close the session. + + Q: How can I get other users public keys? 
+ A: You can get a user's public key using the GETKEY command. This + command will fetch the user's public key from the server where the + user has connected to. The server has verified that the user posesses + the corresponding private key, however, you will be prompted to verify + and accept the public key. All client public keys are saved in your + local key directory in ~/.silc/clientkeys/. You can also receive + clients public keys during key negotiation and file transfers. The + GETKEY command can be used to fetch a server's public key as well. + Those keys are saved in ~/.silc/serverkeys/ directory. + + Q: How can I see the fingerprint of my public key? + A: You can check out your own fingerprint by giving just WHOIS command + without any arguments. Additionally you can also dump the contents of + the key file using the silc program and giving -S option to it. Your + own public key is always saved in ~/.silc/public_key.pub file. To dump + your key run silc as: silc -S .silc/public_key.pub. The same way you + can dump the contents of any public key inside ~/.silc/clientkeys/ and + ~/.silc/serverkeys/ directories. The WHOIS command will also show + other users public key fingerprints. + + Q: I gave WHOIS to a nick, and it returned multiple replies, why? + A: This will happen if there are several same nicknames in the network + at the same time. As you may already know nicknames are not unique in + SILC network. This means there can be multiple same nicknames. This + also means that you can always have the nickname you want. If WHOIS + returns multiple replies, you can distinguish the users by their + realname, username, hostname and ultimately by the fingerprint of + their public key, which the WHOIS will also show. You will also notice + an additional nickname inside a parenthesis. It may show for example: + nickname: John (John@otaku). The real nickname is `John', but since + there are many John's in the network you can access this one using + `John@otaku'. 
So, if you were to send private message to this + particular John you can do it by giving command: /MSG John@otaku + hello. This will send `hello' message to the John@otaku. + + Q: Is there a command to see all linked servers? + A: No there is not. For longer answer see also this FAQ. + + Q: How do I list the users of a channel? + A: The command to list all users on a particular channel is USERS. It + is also aliased to WHO command in Irssi SILC Client. To see the users + of the current channel give the command: /USERS *. You can replace the + `*' with the channel name of your choosing. If the channel is private + or secret channel, and you have not joined the channel, you cannot + list the users of that channel. + + Q: What is the difference between OPER and SILCOPER commands? + A: The OPER command is used to gain server operator privileges on + normal SILC server, while SILCOPER is used to gain router operator + (also known as SILC operator) privileges on router server. You cannot + use SILCOPER command on normal SILC server, it works only on router + server. + + Q: My Cygwin client crashes with message "Couldn't create //.silc + directory" + A: A solutions should be setting HOME enviroment variable to the + directory where you have unpacked your SILC Client. Type to your + command prompt something like: + c:\>set HOME=c:\silc + + Q: Why /join #silc and /join silc doesn't join the same channel? + A: The #-character is not mandatory part of channel name in SILC. So + #silc and silc are two different channels. The #-character in channel + name is IRC feature and has nothing to do with SILC. If you have + #-character in the channel name, then it is part of the channel name, + just like %-character, or &-character could be part of channel name. + + Q: How do I detach my session from the server? + A: You can detach your session by simply giving DETACH command. Your + connection to the server will be closed automatically. 
Next time you + connect any server in the network your session will be automatically + resumed. If there is an error during session resuming your connection + will be closed and you need to reconnect to the server. In this case + the old sessionn cannot be resumed anymore. + + 4. Server Questions + + Q: Where can I find SILC servers? + A: The SILC server is available for free download from the silcnet.org + web page. We are not aware of any other SILC server implementations, + so far. + + Q: Can I run my own SILC server? + A: Yes of course. Download the SILC server package, compile and + install it. Be sure to check out the installation instructions and the + README file. You also should decide whether you want to run SILC + server or SILC router. + + Q: What is the difference between SILC server and SILC router? + A: The topology of the SILC network includes SILC routers and the SILC + servers (and SILC clients of course). Normal SILC server does not have + direct connections with other SILC servers. They connect directly to + the SILC router. SILC Routers may have several server connections and + they may connect to several SILC routers. The SILC routers are the + servers in the network that know everything about everything. The SILC + servers know only local information and query global information from + the router when necessary. + + If you are running SILC server you want to run it as router only if + you want to have server connections in it and are prepared to accept + server connections. You also need to get the router connected to some + other router to be able to join the SILC network. You may run the + server as normal SILC server if you do not want to accept other server + connections or cannot run it as router. + + Q: Why server says permission denied to write to a log file? + A: The owner of the log files must be same user that the server is run + under, by default it is user `nobody'. Just change the permissions and + try again. 
+ + Q: When I connect to my server it says "server does not support one of + your proposed ciphers", what is wrong? + A: Most likely the ciphers and others has not been compiled as SIMs + (modules) and they are configured as modules in the silcd.conf. If + they are not compiled as modules remove the module paths from the + ciphers and hash functions from the silcd.conf, so that the server use + the builtin ciphers. Then try connecting to the server again. It is + also possible that the client IS proposing some ciphers that your + server does not support. + + Q: Why SILC server runs on privileged port 706? + A: Ports 706/tcp and 706/udp have been assigned for the SILC protocol + by IANA. Server on the network listening above privileged ports + (>1023) SHOULD NOT be trusted as it could have been set up by + untrusted party. The server normally drops root privileges after + startup and then run as user previously defined in silcd.conf. + + Q: I see [Unknown] in the log file, what does it mean? + A: You can see in the log file for example: [Info] Closing connection + 192.168.78.139:3214 [Unknown]. The [Unknown] means that the connection + was not authenticated yet, and it is not known whether the connection + was a client, server or router. There will appear [Client], [Server] + or [Router] if the connection is authenticated at that point. + + Q: How can I generate a new server key pair? + A: You can generate a new key pair using the silcd command with the -C + option. When SILC Server is installed a key pair is generated + automatically for you. However, it is suggested that you check the + information found in that key and generate a new key pair if the + information is incorrect. You can check the information of your public + key by giving command: silc -S file.pub. + + If you want to generate a new key pair then you can give for example + command: silcd -C . 
--identifier="UN=silc-oper, HN=silc.silcnet.org, + RN=SILC Router Admin, E=silc-oper@silcnet.org, O=SILC Project, C=SK". + This will create the key pair to current directory, with the specified + identifier. Please, give the --help option to the silcd to see usage + help for the -C and --identifier options. - o IP spoofing is ineffective (because of encryption and trusted - keys). + 5. Toolkit Questions - o Attacks that change the contents of the data or add extra - data to the packets are ineffective (because of encryption and - integrity checks). + Q: What is SILC Toolkit? + A: SILC Toolkit is a package intended for software developers who + would like to develope their own SILC based applications or help in + the development of the SILC. The Toolkit includes SILC Protocol Core + library, SILC Crypto library, SILC Key Exchange (SKE) library, SILC + Math library, SILC Modules (SIM) library, SILC Utility library, SILC + Client library and few other libraries. - o Passive attacks (listenning network traffic) are ineffective - (because of encryption). Everything is encrypted including - authentication data such as passwords when they are needed. + Q: Is the SILC Toolkit Reference Manual Available? + A: Yes, partially completed reference manual is available in the + Toolkit releases as HTML package and they are available from the + silcnet.org website as well at the documentation page. - o Any sort of cryptanalytic attacks are tried to make ineffective - by using the best cryptographic algorithms out there. + Q: How do I compile the Toolkit on Unix? + A: You should read the INSTALL file from the package and follow its + instructions. The compilation on Unix is as simple as compiling any + other SILC package. Give, `./configure' command and then `make' + command. + Q: How do I compile the Toolkit on Win32? + A: We have prepared instructions to compile the Toolkit on Win32 in + the Toolkit package. 
Please, read the README.WIN32 file from the + package for detailed instructions how to compile the Toolkit for + Cygwin, MinGW and native Win32 systems. We have also prepared ready + MSVC++ Workspace files in the win32/ directory in the package that + will compile automatically the Toolkit. -More to come later... + Q: Does the Toolkit package include any sample code? + A: Yes, naturally. It includes sample codes for two different SILC + Client implementations, and SILC Server. The silcer/ directory + includes a simple GUI client based on GTK--, and Win32 samples are + included in the win32/ directory, for simple client.
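Review bot: In the added answer to "Why SILC server runs on privileged port 706?", the sentence "Server on the network listening above privileged ports (>1023) SHOULD NOT be trusted" treats the listening port as a trust signal, which contradicts the rest of the added text, where trust is established by verifying public keys (the KEY answer says "you must verify the public key you are prompted for", and the GETKEY answer prompts the user to verify and accept the key). The port a server listens on does not authenticate its operator. Suggest keeping the statement that 706/tcp and 706/udp are IANA-assigned and that silcd drops root after startup, and replacing the SHOULD NOT sentence with a pointer to verifying the server's public key fingerprint, which GETKEY stores under ~/.silc/serverkeys/. Smaller points in the same hunk: "For longer answer see also this FAQ" in the linked-servers answer has lost its target and should name the LINKS question listed in the table of contents. The fingerprint answer gives the key path as ~/.silc/public_key.pub but the example runs "silc -S .silc/public_key.pub", which only works from the home directory. The added lines also carry spelling slips that are worth fixing before merge: "listenning", "commmands", "commmand", "posesses", "sessionn", "enviroment", "develope", "A solutions should be".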