[guardian-dev] Gibberbot: add strong encryption level

Natanael natanael.l at gmail.com
Tue Oct 8 10:16:19 EDT 2013


That's basically what it already does. You simply initiate a chat and
exchange keys securely, and when you meet in person you verify that you've
got the right key (or else you start a new key exchange). The OTR
encryption is already strong.

The keys can be password encrypted locally on the phone and password
protected.

- Sent from my phone
On 8 Oct 2013 16:06, "Satz Klauer" <satzklauer at googlemail.com> wrote:

> Hi,
>
> I'm aware of the fact that Gibberbot already uses OTR encryption but
> from what we have learned the last weeks this may not be completely
> secure. Thus I'd suggest an additional mechanism based on asymmetric
> encryption. That's what I'd imagine:
>
> - a user generates a pair of keys within its local App (2048 bits or more)
> - the private key is stored locally only and can be exported to store
> it somewhere (backup) and imported (to be used from more than one
> device)
> - when a user meets another person he wants to communicate with, both
> exchange their public keys via Bluetooth
> - the clients keep the information that both can communicate encrypted
> - now all communication between both is done encrypted, doing the
> encryption on the endpoints only so no vulnerable servers are involved
>
> I'm not familiar enough with the XMPP protocol but I guess such an
> encrypted message could be sent as plain, Base-64-encoded text too -
> so no server side changes are necessary.
>
> Key exchange via Bluetooth seems to be complicated but it ensures
> there is no "Man In The Middle" since a face-to-face verification is
> done.
>
> Weak point in this idea: when somebody loses his phone with the
> private key on it, it could be abused. Maybe a mechanism is required
> that informs other users the key is no longer secure and a new
> face-to-face key exchange has to be done.
>
> Any thoughts on this idea?
>
> Thanks
>
> :-)

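The in-person key check and the "key is no longer secure" case discussed in this thread, sketched as an added example that is not part of either message and is not Gibberbot or OTR code. It assumes a SHA-256 fingerprint over raw key bytes (not OTR's own fingerprint format), and the class name, state names and sample keys are hypothetical.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint: SHA-256 of the key bytes in 8-hex-digit groups."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

class ContactKeys:
    """Per-contact key pins. observe() returns 'new', 'unverified', 'verified' or 'changed'."""

    def __init__(self):
        self._pins = {}  # contact -> (fingerprint, verified_in_person)

    def observe(self, contact: str, public_key: bytes) -> str:
        """Call whenever a contact presents a key during a key exchange."""
        seen = fingerprint(public_key)
        if contact not in self._pins:
            self._pins[contact] = (seen, False)
            return "new"
        pinned, verified = self._pins[contact]
        if not hmac.compare_digest(pinned, seen):
            # Never silently replace a pinned key: this is a lost phone,
            # a reinstall or a man in the middle, and the pin stays as it was.
            return "changed"
        return "verified" if verified else "unverified"

    def verify_in_person(self, contact: str, shown_fingerprint: str) -> bool:
        """Mark the pin verified only if it matches what the contact's screen shows."""
        if contact not in self._pins:
            return False
        pinned, _ = self._pins[contact]
        # Ignore spacing and letter case, which differ when people retype or read aloud.
        normalise = lambda s: "".join(s.split()).upper()
        ok = hmac.compare_digest(normalise(pinned), normalise(shown_fingerprint))
        if ok:
            self._pins[contact] = (pinned, True)
        return ok

    def reset(self, contact: str) -> None:
        """Drop the pin after a reported key loss; the next key starts as 'new' again."""
        self._pins.pop(contact, None)

# Constructed sample key material (placeholders, not real keys).
ALICE_KEY = b"constructed-public-key-bytes-for-alice"
OTHER_KEY = b"constructed-public-key-bytes-from-someone-else"
```

A client built this way would refuse to send to a contact in the `changed` state until `reset()` and a fresh face-to-face verification have been done.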
