Implementing a anonymous encrypted peer-to-peer chat

Implementing a anonymous encrypted peer-to-peer chat

I am planning on making a basic groupchat application only for me and my colleagues. It needs to be as secure and anonymous as possible without leaving any fingerprints. Already existing applications cannot be trusted.

This is how I would develop the application:

• It will be a simple code/script using sockets (with SSL) to create a peer-to-peer connection.
• I do not want to use a static central server. So it needs to be "pseudo peer-to-peer". However, because it needs to support groupchats one participant must function as "server". This without the need to port-forward.
• The participant initiating a chat will start a localtunnel by using something like ngrok, localtunnel.me or serveo. The URL of that localtunnel will be sent as a invite to the other users. This way the person initiating the chat will function as the socket "server".
• The person intiating the chat will enter a password (aka the Master Key). This password will be given to invited persons in real life. Each chat session will have a different master key.
  • Without the correct master key the socket will refuse connection from the client.
  • This master key will function as the KDF (HMAC) to generate a AES-key.
  • Meaning that all clients entering the correct master key will have correct AES-key.
• All messages will be encrypted using the AES-key derived from the master key before they're sent. The receivers can decrypt it because they also have derived the correct AES-key from the master-key they inputted while joining the chat.
• AES won't be the only encryption used. All messages will also be encrypted using PGP. The same private key will be given to the users welcome to the chat in person. These keys will rotate frequently.

Notes:

• So we won't be relying on a hosted server. A local tunnel will be used so one participant can function as socket-server to which the other clients can connect to.
• All communication will be encrypted in AES using a key derived from a master key (communicated in person).
• All messages will be encrypted using PGP (keys given in person).
• Socket connection will be refused with the wrong master key.
• The socket connections will go over SSL.
• Because there is no central server there would be no logs of the messages. Closing the device on which a participant chatted will delete all messages from RAM.
• All socket connections will go over Tor.

Questions:

• Would this be a safe implementation of a groupchat application?
• Are there dangers on using e.g Ngrok? Does ngrok or other local tunnels communicate/log the IP of the clients?
• Would there be a advantage to use a compiled language instead of a scripting language like Python for this implementation?
• By using Tor this would provide full anonimity for all participants, right?
• Other things I should consider?