SecureRoom - Encrypted Communication User Guide

## Core Security Features ### End-to-End Encryption Protection SecureRoom employs military-grade AES-256-GCM encryption algorithm to ensure every message is encrypted before transmission. All encryption and decryption operations are performed locally in your browser—the server cannot read any plaintext content. Even if data is intercepted during transmission, attackers cannot decrypt your messages. ### Key Derivation Mechanism The system uses the PBKDF2 key derivation algorithm to convert your entered "passphrase" into a strong encryption key. This algorithm performs 100,000 iterations, effectively resisting brute-force attacks and rainbow table attacks. Only users with the same passphrase can successfully decrypt messages, ensuring authentication between communicating parties. ### Zero-Logging Design SecureRoom follows the "zero-knowledge" principle—the server does not log any chat content, key information, or user identities. All session data is stored only in memory and is immediately destroyed upon disconnection. We cannot recover, view, or provide any historical message records. ### Handshake Verification Mechanism Before establishing an encrypted channel, both parties automatically perform key verification handshake. Only when both parties use the same passphrase will the status bar display a green "Secure Channel Established" prompt. If an invalid key is detected, the system immediately issues a red warning to prevent information leakage. --- ## User Tutorial ### Creating a Private Room 1. Visit the SecureRoom website 2. Select "Create Room" mode 3. Enter a unique room number (e.g., meeting-2024) 4. Set a passphrase (complex password recommended) 5. Click the CONNECT button 6. Wait for the status bar to turn green, indicating the room is ready 7. Share the room number and passphrase with your counterpart through another secure channel **Important Note**: Trial version limits 3 room creations within 24 hours. Joining others' rooms is unlimited. ### Joining an Existing Room 1. Select "Join Room" mode 2. Enter the room number provided by the other party 3. Enter the passphrase communicated by the other party (must match exactly) 4. Click CONNECT to connect 5. Once you see the green "Secure Channel Established" prompt, you can begin secure communication ### Security Best Practices - **Passphrase Management**: Use strong passwords as passphrases, including uppercase and lowercase letters, numbers, and symbols - **Room Isolation**: Use different room numbers for different sessions to avoid information cross-contamination - **Channel Confirmation**: Always wait for the status bar to turn green before sending sensitive information - **Timely Disconnection**: Close the page after communication ends and clear local cache - **Key Protection**: Never transmit passphrases through insecure channels (such as email or SMS) ### Status Indicator Explanation - 🟡 Yellow: Establishing connection or verifying keys - 🟢 Green: Secure channel established, safe to communicate - 🔴 Red: Connection disconnected or key error detected --- SecureRoom is committed to providing you with a simple and secure encrypted communication experience. We believe privacy is a fundamental right—your conversations belong only to you. --- # Open Source Transparency & Security Audit ## Public Code Repository SecureRoom is **partially open-source** to enable independent security audits and transparency. Our source code is publicly available at: 🔗 **GitHub Repository:** https://github.com/collar2023/Digital-Safespace This transparency allows security researchers, developers, and users to independently verify the cryptographic implementation and understand how SecureRoom protects your privacy. --- ## What Is Publicly Available This repository contains **only the client-side cryptographic functions** that are intended for public audit and verification: - `deriveKey()` - PBKDF2 key derivation implementation - `encrypt()` - AES-256-GCM encryption function - `decrypt()` - AES-256-GCM decryption function - Related cryptographic utilities and examples **Why this approach?** These functions are the core security components that users trust with their private data. Making them publicly available allows: ✅ Independent cryptographic audits by security researchers ✅ Verification that we use standard, peer-reviewed algorithms ✅ Detection of any malicious code or backdoors in encryption logic ✅ Community contributions to improve security ✅ Compliance with "security through transparency" principles --- ## What Remains Private (For Good Reason) The following components are **intentionally kept private** to protect against abuse and maintain service integrity: ### Server-Side Operational Policies - **Anti-abuse and rate-limiting mechanisms** - Detailed thresholds would enable attackers to circumvent protections - **Session management protocols** - Specific timeout intervals and state management are withheld to prevent session hijacking - **Commercial deployment details** - Infrastructure configuration and scaling parameters ### Security Implementation Details - **Abuse detection rules** - Publishing specific detection criteria would allow attackers to craft evasion techniques - **Storage key names and encryption schemes** - Operational cryptographic details beyond client-side algorithms - **Rate limit thresholds** - Exact request limits that trigger blocking ### Privacy Protections - **Logging suppression mechanisms** - Technical details of how we ensure zero-logging compliance - **Data retention policies** - Specific implementation details of memory cleanup routines - **Anonymization techniques** - Methods used to prevent user correlation **These security measures follow the principle of "security through obscurity" where beneficial:** hiding attack surface details from potential adversaries while keeping user-facing cryptography transparent. --- ## Security Audits & Restricted Access ### For Security Researchers If you are conducting a **formal security review** of SecureRoom and require access to server-side documentation, operational details, or additional components beyond the public repository, please contact us: 📧 **Email:** 8188019@gmail.com **Subject Line:** "SecureRoom Security Audit Request" **Include in your request:** - Your organization or affiliation - Scope of the security review - Specific components or documentation needed - Timeline and deliverables - Commitment to responsible disclosure ### Access Agreement Restricted access to non-public materials requires: 1. **Confidentiality Agreement** - Details of the security architecture remain confidential 2. **Responsible Disclosure** - Any vulnerabilities discovered are reported privately before public disclosure 3. **No Reverse Engineering** - Audit access does not grant permission to reproduce or redistribute private components 4. **Qualified Reviewer** - Access is limited to certified security professionals or authorized institutional representatives We take security audits seriously and will work with qualified reviewers under appropriate confidentiality agreements. --- # Legal Disclaimer & Terms of Acceptable Use **Effective Date:** December 11, 2025 **Last Updated:** December 11, 2025 --- ## Applicable Services This Legal Disclaimer and Terms of Acceptable Use ("Terms") apply to the SecureRoom encrypted communication service ("Service") operated at **room.460001.xyz** and promoted through **space.aillm.net** and **room.aillm.net** ("Promotional Sites"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms. --- ## 1. Lawful Use Declaration ### 1.1 Intended Purpose SecureRoom is designed exclusively for **lawful privacy-protected communications**. The Service is intended for legitimate uses including but not limited to: - Confidential business communications - Journalist-source communications - Legal and compliance discussions protected by privilege - Personal privacy protection in accordance with applicable laws - Security research and responsible vulnerability disclosure - Any other lawful purpose requiring confidential communication ### 1.2 User Responsibility Users are solely responsible for ensuring their use of the Service complies with all applicable laws, regulations, and legal obligations in their jurisdiction. --- ## 2. Prohibited Uses Users are **strictly prohibited** from using the Service for: ### 2.1 Illegal Activities - Planning, coordinating, or facilitating any criminal activity - Money laundering, fraud, or financial crimes - Drug trafficking or illegal weapons trading - Human trafficking or exploitation - Terrorism or violent extremism - Any activity that violates local, national, or international law ### 2.2 Harmful Content - Distributing child sexual abuse material (CSAM) - Harassment, stalking, or threats of violence - Non-consensual sharing of intimate images - Hate speech or content that incites violence - Malware, viruses, or malicious code distribution ### 2.3 Intellectual Property Violations - Copyright infringement - Trademark violations - Unauthorized distribution of proprietary information - Piracy or counterfeit goods trading ### 2.4 Evasion of Lawful Authority - Obstructing legitimate law enforcement investigations where legally required to cooperate - Violating court orders or legal injunctions - Circumventing legally mandated surveillance in jurisdictions where such surveillance is lawful --- ## 3. Technical Accuracy & Security Limitations ### 3.1 Encryption Implementation The Service implements **AES-256-GCM encryption** with **PBKDF2 key derivation** (100,000 iterations). While these are industry-standard cryptographic algorithms: - Encryption strength depends on the complexity of user-chosen passphrases - No encryption is mathematically "unbreakable" (e.g., quantum computing advances) - Security is accurate **as of current computational capabilities** - **Client-side cryptographic code is publicly available for independent audit** at https://github.com/collar2023/Digital-Safespace ### 3.2 Threat Model & Limitations **What We Protect Against:** - Network surveillance and interception during transmission - Server-side access to message content - Third-party man-in-the-middle attacks (when properly configured) **What We DO NOT Protect Against:** - Compromised endpoint devices (malware, keyloggers, screen capture) - Shoulder surfing or physical device access - User error in passphrase management - Browser vulnerabilities or exploits - Coercion or social engineering attacks - Quantum computing attacks (theoretical future risk) ### 3.3 Zero-Logging Accuracy We maintain a zero-logging policy for message content and encryption keys. However: - Basic connection metadata may be temporarily stored in server RAM - Network infrastructure logs (ISP, CDN) are beyond our control - Emergency diagnostic logs may be created during system failures - Legal compliance may require cooperation in specific jurisdictions --- ## 4. No Warranty & Limitation of Liability ### 4.1 Service Provided "AS IS" The Service is provided on an "**AS IS**" and "**AS AVAILABLE**" basis without warranties of any kind, either express or implied, including but not limited to: - Warranties of merchantability - Fitness for a particular purpose - Non-infringement - Uninterrupted or error-free operation - Absolute security or privacy ### 4.2 Limitation of Liability To the maximum extent permitted by law: - We are not liable for any direct, indirect, incidental, consequential, or punitive damages - We are not responsible for user-generated content or user conduct - We are not liable for data loss, service interruptions, or security breaches - Users assume all risks associated with Service usage ### 4.3 User Conduct Disclaimer **We do not monitor, control, or assume responsibility for how users employ the Service.** Users are solely liable for their own actions and content shared through the platform. --- ## 5. Export Control & Jurisdictional Compliance ### 5.1 Encryption Export Regulations Strong encryption technology may be subject to export control laws in certain jurisdictions. Users are responsible for: - Verifying that use of encryption tools is legal in their location - Complying with export control regulations (e.g., U.S. EAR, EU Dual-Use Regulation) - Obtaining necessary licenses if required by their jurisdiction ### 5.2 Jurisdictional Restrictions The Service may not be available or legal in all countries. Users in the following regions should exercise particular caution: - Countries with strict encryption regulations (e.g., Russia, China, Iran, UAE) - Jurisdictions requiring government-accessible encryption backdoors - Regions with broad surveillance or data localization laws **If encryption communication tools are restricted in your jurisdiction, do not use this Service.** --- ## 6. Data Protection & Privacy ### 6.1 GDPR Compliance (EU Users) For users in the European Economic Area: - We process minimal personal data (connection metadata only, stored temporarily in RAM) - Users have rights to access, rectification, and erasure (though zero-logging limits available data) - Data processing is based on legitimate interests and user consent - No data is sold or shared with third parties for marketing purposes ### 6.2 CCPA Compliance (California Users) California residents have rights under CCPA: - Right to know what personal information is collected (minimal metadata only) - Right to deletion (automatically handled by RAM-only storage) - Right to opt-out of sale (we do not sell personal information) ### 6.3 International Data Transfers The Service may route data through servers in multiple jurisdictions. Users consent to international data transfers necessary for Service operation. --- ## 7. Cooperation with Law Enforcement ### 7.1 Legal Process Response While we maintain a zero-logging policy: - We will comply with valid legal process (warrants, subpoenas) where legally obligated - Due to our technical architecture, we cannot provide message content or encryption keys - We may provide limited metadata if legally compelled and technically feasible - We will challenge overly broad or unlawful requests where appropriate ### 7.2 Transparency We are committed to transparency regarding legal requests, subject to applicable laws and gag orders. --- ## 8. Account Termination & Service Suspension We reserve the right to: - Suspend or terminate access for users violating these Terms - Discontinue the Service at any time without prior notice - Modify features, functionality, or Terms with reasonable notice - Block access from specific jurisdictions for legal or operational reasons --- ## 9. Intellectual Property ### 9.1 Service Ownership The Service's code, design, trademarks, and branding are proprietary or licensed property. Users may not: - Reverse engineer or decompile the Service (except for the publicly available open-source components) - Use our trademarks without written permission - Create derivative works without authorization ### 9.2 Public Repository License The client-side cryptographic code in our public repository at https://github.com/collar2023/Digital-Safespace is made available for audit, research, and educational purposes. Use of this code is governed by the license specified in that repository. ### 9.3 User Content Users retain ownership of content they transmit through the Service. By using the Service, users grant us a limited license to transmit and temporarily store content for operational purposes only. --- ## 10. Dispute Resolution ### 10.1 Governing Law These Terms are governed by the laws of **Hong Kong SAR**, without regard to conflict of law principles. ### 10.2 Dispute Resolution Process Users agree to: 1. First attempt informal resolution by contacting us at **8188019@gmail.com** 2. Pursue binding arbitration if informal resolution fails 3. Waive the right to class action lawsuits ### 10.3 Jurisdiction Any legal action must be brought in the courts of **Hong Kong SAR**. --- ## 11. Changes to These Terms We may modify these Terms at any time. Material changes will be announced through: - Notice on Promotional Sites (space.aillm.net, room.aillm.net) - Update to the "Last Updated" date above - Announcements in the GitHub repository (https://github.com/collar2023/Digital-Safespace) Continued use after changes constitutes acceptance of modified Terms. --- ## 12. Contact & Reporting ### 12.1 Legal Inquiries & Security Audits For legal questions, security audits, or concerns: 📧 **Email:** 8188019@gmail.com 🌐 **Technical Support:** https://log.aillm.net 🔗 **GitHub Repository:** https://github.com/collar2023/Digital-Safespace ### 12.2 Abuse Reporting To report suspected violations of these Terms: 📧 **Email:** 8188019@gmail.com **Subject Line:** "Abuse Report - SecureRoom" We take abuse reports seriously and will investigate all credible claims. --- ## 13. Severability & Entire Agreement ### 13.1 Severability If any provision of these Terms is found unenforceable, the remaining provisions remain in full effect. ### 13.2 Entire Agreement These Terms constitute the entire agreement between users and SecureRoom regarding Service use, superseding any prior agreements. --- ## 14. User Acknowledgment **By using SecureRoom (room.460001.xyz), you acknowledge and agree that:** ✅ You have read and understood these Terms in their entirety ✅ You will use the Service only for lawful purposes ✅ You understand the Service's security limitations and threat model ✅ You accept all risks associated with encrypted communication tools ✅ You are responsible for compliance with laws in your jurisdiction ✅ You will not hold the Service liable for user conduct or content ✅ You acknowledge the partially open-source nature of the Service ✅ You consent to these Terms as a condition of Service access --- ## Final Notice **SecureRoom is a privacy tool, not a license for illegal activity.** We are committed to protecting user privacy while maintaining zero tolerance for abuse. Our technical architecture makes us unable to monitor user content, but we will cooperate with legitimate legal processes and take action against confirmed violations. We embrace transparency through partial open-source code publication, allowing the security community to independently verify our cryptographic implementation. Server-side operational details remain private to maintain service integrity and anti-abuse protections. **Use responsibly. Stay legal. Protect privacy. Audit the code.** --- **For questions about these Terms, contact:** 8188019@gmail.com **Technical documentation:** https://log.aillm.net **Source code audit:** https://github.com/collar2023/Digital-Safespace **Service access:** https://room.460001.xyz