CLIQUE(7)                   Clique Reference Manual                  CLIQUE(7)

NAME
       clique - Metadata concealing network communication protocol

SYNOPSIS
       Clique is a network protocol for communicating in the presence of
       strong adversaries, specifically parties with unlimited funding,
       computing power, network access, and legal authority.

       Three advantages are afforded by the Clique protocol:

       o   The cryptography used by Clique is unusually strong, with two
           ciphers that will be supported by this implementation. The
           weaker of these ciphers, already available, is an adaptation of
           Rijndael using 4096-bit keys. For comparison, note that 192-bit
           keys are approved by the United States government for
           encrypting TOP SECRET material. The other cipher will be the
           one-time pad, which automatically uses a key that is large
           enough to be mathematically unbreakable, even with infinite
           computing capability.

       o   Clique is highly resistant to collection and analysis of
           metadata, and can effectively hide the sender, recipient, time,
           and length of every message that is sent through the network.

       o   Because Clique is completely decentralized, it cannot be taken
           down by changes to existing law, letters from copyright trolls,
           or other authoritarian regimes. Once established, the global
           Clique network will remain in operation until the plug to the
           very last node gets pulled out of the wall.

DESCRIPTION
       Clique is slow, cumbersome, and very secure (hopefully) with respect
       to eavesdroppers who monitor data that is in flight through the
       Internet. It offers unrivaled and unprecedented capability for
       parties to communicate unbothered by any possibility of passive
       eavesdropping, even in situations where communications span
       national, cultural, and legal system boundaries.

WHO CAN USE CLIQUE?
       Clique is for you! If you are a businesswoman, journalist,
       whistleblower, adviser, legislator, parent, attorney, defendant,
       activist, person of faith, cleric, patient, healthcare provider,
       accountant, or some other kind of sentient being, then Clique can
       help you maintain and defend your expectation of privacy.

       Clique may also afford some relief if you are an evil person in
       general; however, your expectation of privacy might not be respected
       by everyone involved.

ANY DRAWBACKS?
       Before you consider using Clique, you need to know what you can and
       cannot expect.

       o   Clique obtains privacy using brute force measures. Most
           importantly, Clique strengthens your privacy at a great cost to
           the speed of your communication. If knowing that no one watched
           you send a short message is worth waiting an hour or more for
           it to reach its destination, then Clique might be for you.

       o   Because messages travel directly from your computer to their
           destination, you are not anonymous when you use Clique. Clique
           is for communicating with people who know you already.

       o   Clique uses symmetric cryptography, meaning that you will need
           to generate and exchange encryption keys with everyone you
           communicate with. This cannot be done securely online; instead,
           you will generally want some kind of physical media exchange
           with each of your communicants.

       o   Clique is for stationary computers that can stay on the
           Internet at all times.

       o   Clique is for very dedicated users, perhaps 1% of the 1%, who
           are prepared to have someone absorb and use a large amount of
           technical information in order to set up and manage a working
           peer for them.

HOW TO START
       If you aren't a geek, you will need to enlist the aid of one. Here
       is a rough list of what needs to happen.

       1.  These manpages need to be read. Carefully.

       2.  The software needs to be downloaded, compiled, and installed.
           This is not hard and is a simple make and optional sudo make
           install procedure.

       3.  For the most enjoyment, you will need to find someone to
           communicate with via Clique who also has access to a very
           helpful geek.

       4.  The clique-keygen program will be used to make secret keys to
           share with your correspondents.

       5.  Keys will be carefully named for clarity as to who they
           communicate with and copied into the appropriate directory on
           the appropriate computers.

       6.  cipher.conf(5) will be customized and installed.

       7.  After determining what clique(s) you plan to use, sched.conf(5)
           will be customized and installed.

       8.  A deliverer script will be obtained (written by your geek based
           on examples supplied with the source code), configured, tested,
           and installed to serve as an interface between you and the
           Clique software.

       9.  All firewalls between your machine and the Internet must be
           configured to permit incoming and outgoing Clique packets. For
           most users it is sufficient to open UDP port 1866.

       10. The clique-cipherer and clique-deliverer daemons are started.

       11. Some glitches will be worked through. The program author and
           others will be answering questions for at least a few months at
           http://clique.freeforums.net.

       12. The cipherer and deliverer will be added to system boot scripts
           so that they do not lapse without your knowledge.

       13. Occasional updates to the Clique software will be released by
           the author. If you are serious about using Clique, you will
           definitely want these updates, as he probably omitted some
           important features and protections in this first release.

PLATFORM NOTES
       The Clique protocol is only as secure as its communicating
       endpoints, inclusive of hardware and operating system flaws. In
       today's environment of faithless routers, CPU "management engines"
       that cannot be disabled, wide-open memory mapped I/O, automatic
       updates for software (whether closed source or open), and an
       abundance of money for bribes, endpoint security is about as tight
       as the border between Missouri and Kansas. With all this said, here
       are a few tips for getting Clique set up and running on different
       machines and operating systems.

       All operating systems need to have the Clique port (normally 1866)
       open for incoming UDP traffic, as well as permit outgoing traffic to
       the same port. The same applies to any routers or firewalls that
       may exist between the host machine and the Internet. Low-power
       "sleep" and "suspend" modes need to be disabled when Clique is
       running; the protocol depends on round-the-clock availability.

       Clique only communicates through IPv4. Upgrading the protocol for
       IPv6 will require considerable work, to include new protections
       needed from adversaries who might try to connect via a quintillion
       addresses.

       Linux works with Clique as documented and interconnects
       successfully between 64-bit x86 and 32-bit ARM hardware. Ubuntu
       versions since at least 12.04 LTS are believed to run cleanly.
       Assuming a "make install" for Clique has happened, the following
       lines are suggested for the user's crontab:

              @reboot clique-scheduler
              @reboot clique-cipherer

       Microsoft Windows is not supported, but the Windows Subsystem for
       Linux available with Windows 10 works with Clique 1.2 and later.
       There are lots of practical problems, such as the lack of a working
       syslog, as well as the fact that WSL is only available for
       desktops, not on servers. The subsystem is also strafed with
       security holes that you can read about elsewhere. UNIX domain
       sockets are not supported on the host as of this writing, so the
       scheduler and cipherer need UDP sockets on the loopback adapter to
       communicate. This requires a line to be added at the beginning of
       sched.conf and cipher.conf that looks like:

              Socket 13333    # use two consecutive ports starting at 13333

       OS X, later known as macOS, version 10.7.3 (Lion) has been found to
       work with Clique 1.2. Hopefully, combinations of future versions
       will continue to work. Remember that /home in Linux is /Users on
       Apple devices. The scheduler's SIGUSR1 and SIGUSR2 signals do not
       output to the terminal as on Linux, but write to a file in /tmp.
       The abstract Linux socket namespace is not supported, so sched.conf
       and cipher.conf will require a line at the beginning that looks
       something like:

              Socket /tmp/clique-socket

SEE ALSO
       clique-cipherer(1), clique-deliverer(1), clique-keygen(1),
       clique-scheduler(1), cipher.conf(5), sched.conf(5)

                                  2016-12-20                       CLIQUE(7)
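The following preflight check is an added example, not part of the Clique distribution, for the Socket directive described under PLATFORM NOTES: it confirms that sched.conf and cipher.conf open with the same Socket line, tells a loopback UDP port (WSL) apart from a UNIX socket path (macOS), and derives the two consecutive ports the daemons occupy. The function names, temporary file paths and sample file contents are assumptions constructed for this example.

```shell
#!/bin/sh
# Added preflight check, not part of Clique: verify that sched.conf and
# cipher.conf begin with the same Socket directive (needed on WSL and
# macOS, where the scheduler and cipherer cannot use the Linux abstract
# socket namespace) and report what kind of transport it names.
# Function names, paths and file contents below are constructed.

# Print the first directive of a config file, skipping blank and comment
# lines and stripping any trailing "# ..." comment.
first_directive() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | head -n 1 | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//'
}

# Succeed only if both files begin with an identical "Socket ..." line.
socket_lines_match() {
    a=$(first_directive "$1")
    b=$(first_directive "$2")
    case "$a" in "Socket "*) ;; *) return 1 ;; esac
    [ "$a" = "$b" ]
}

# Classify the Socket value: "udp" for a numeric loopback port (WSL),
# "unix" for a filesystem path (macOS), "none" if Socket is not first.
socket_kind() {
    v=$(first_directive "$1")
    case "$v" in
        "Socket "[0-9]*) echo udp ;;
        "Socket "/*)     echo unix ;;
        *)               echo none ;;
    esac
}

# For a UDP configuration, print the two consecutive ports the scheduler
# and cipherer will occupy, e.g. "13333 13334", for a port-conflict check.
udp_port_pair() {
    p=$(first_directive "$1" | sed 's/^Socket[[:space:]]*//')
    echo "$p $((p + 1))"
}

# Constructed sample configs standing in for real sched.conf/cipher.conf.
work=$(mktemp -d)
printf '# constructed sample\nSocket 13333    # use two consecutive ports starting at 13333\n' > "$work/sched.conf"
printf 'Socket 13333\n' > "$work/cipher.conf"
printf 'Socket /tmp/clique-socket\n' > "$work/cipher-mac.conf"

if socket_lines_match "$work/sched.conf" "$work/cipher.conf"; then
    echo "socket directives agree ($(socket_kind "$work/sched.conf"))"
fi
```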