Best way to add an end-to-end password-based security layer
Evan Schoenberg, M.D.
evan.s at dreskin.net
Wed Dec 16 14:05:12 EST 2009
On Dec 16, 2009, at 12:06 PM, Louis Granboulan wrote:
> Dear pidgin and libpurple developers,
> I am part of a project that is planning to add an end-to-end password-based security layer to libpurple-based instant messaging software.
> The basic idea is to add a button to any chat window that will enable the creation of an encrypted chat with the same participants. The encryption would be secured by a password-authenticated key-exchange (cf. http://en.wikipedia.org/wiki/Password-authenticated_key_agreement ).
> Therefore, there would be the need of a few changes in the user-interface: the "create encrypted chat" button, the popup for the password, and the creation of the encrypted chat window.
> On the implementation part, the idea would be to do everything encoded in the messages exchanged through the instant messaging protocol. Therefore, it would be protocol independent. A nice way to do it would probably be that pressing the "create encrypted chat" button creates a filter for all the messages received and sent. Un-encrypted messages would probably be encoded with a prefix, e.g. 0, and all the messages for the encrypted channel (the messages that help to setup the channel and the messages that are encrypted) would be encoded with another prefix.
> What are your comments?
Don't reinvent the wheel; do take a look at the OTR project as a starting point, as while they don't have the same encryption goals as you, much of the interface and implementation can probably be reused in some form.
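
The prefix filter proposed in the quoted message, sketched as an added example that is not part of the thread and is neither libpurple nor OTR code. It shows the one check such a filter must get right: a message is routed to the encrypted window only if it carries the encrypted prefix and the key exchange has already finished. The prefixes '1' and '2', the function names and the sample messages are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* '0' is the prefix the post suggests for unencrypted text; '1' and '2' are assumed. */
#define PFX_PLAIN  '0'
#define PFX_SETUP  '1'
#define PFX_CIPHER '2'

enum msg_kind { MSG_PLAIN, MSG_SETUP, MSG_CIPHER, MSG_UNFRAMED, MSG_REJECT };

/* Outgoing side: write prefix + payload into out; returns framed length or -1. */
int frame_message(char prefix, const char *payload, char *out, size_t outlen)
{
    size_t n = strlen(payload);
    if (outlen < n + 2)                /* prefix byte + payload + NUL */
        return -1;
    out[0] = prefix;
    memcpy(out + 1, payload, n + 1);   /* copies the terminating NUL too */
    return (int)(n + 1);
}

/* Incoming side: classify one message and point *payload at its body.
   Only MSG_CIPHER may reach the encrypted window (session_ready != 0). */
enum msg_kind filter_incoming(const char *wire, int session_ready,
                              const char **payload)
{
    *payload = NULL;
    if (wire == NULL)
        return MSG_REJECT;
    switch (wire[0]) {
    case PFX_PLAIN:  *payload = wire + 1; return MSG_PLAIN;
    case PFX_SETUP:  *payload = wire + 1; return MSG_SETUP;
    case PFX_CIPHER:
        if (!session_ready)
            return MSG_REJECT;         /* no key yet: never display */
        *payload = wire + 1;
        return MSG_CIPHER;
    default:                           /* peer that is not running the filter */
        *payload = wire;
        return MSG_UNFRAMED;
    }
}

int main(void)
{
    const char *body;                  /* constructed sample message */
    printf("%d\n", filter_incoming("2c2FtcGxl", 0, &body));
    return 0;
}
```

Messages classified as MSG_PLAIN or MSG_UNFRAMED belong in the ordinary chat window, so text from a peer without the filter is never shown as if it had been encrypted.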