Best way to add an end-to-end password-based security layer

Evan Schoenberg, M.D. evan.s at dreskin.net
Wed Dec 16 14:05:12 EST 2009


On Dec 16, 2009, at 12:06 PM, Louis Granboulan wrote:

> Dear pidgin and libpurple developers,
> 
> I am part of a project that is planning to add an end-to-end password-based security layer to libpurple-based instant messaging software.
> The basic idea is to add a button to any chat window that will make it possible to create an encrypted chat with the same participants. The encryption would be secured by a password-authenticated key exchange (cf. http://en.wikipedia.org/wiki/Password-authenticated_key_agreement ).
> 
> Therefore, there would be a need for a few changes in the user interface: the "create encrypted chat" button, the popup for the password, and the creation of the encrypted chat window.
> On the implementation side, the idea would be to do everything encoded in the messages exchanged through the instant messaging protocol. Therefore, it would be protocol independent. A nice way to do it would probably be that pressing the "create encrypted chat" button creates a filter for all the messages received and sent. Unencrypted messages would probably be encoded with a prefix, e.g. 0, and all the messages for the encrypted channel (the messages that help to set up the channel and the messages that are encrypted) would be encoded with another prefix.
> 
> What are your comments?

Don't reinvent the wheel; do take a look at the OTR project as a starting point, as while they don't have the same encryption goals as you, much of the interface and implementation can probably be reused in some form.

-Evan
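
The prefix filter described in the quoted proposal, sketched as an added example in C (not code from this thread, from Pidgin, or from OTR). Only the `0` prefix comes from the post; the `1` channel prefix, the `K`/`C` subtypes and all function names are assumptions, and payloads are opaque strings with no cryptography implemented.

```c
#include <stdio.h>
#include <string.h>

/* Only '0' is from the post; '1', 'K' and 'C' are assumed values. */
#define TAG_PLAIN   '0'
#define TAG_CHANNEL '1'

enum msg_kind { MSG_UNTAGGED, MSG_PLAIN, MSG_SETUP, MSG_CIPHERTEXT, MSG_REJECT };

/* Outgoing filter: prepend the tag (and channel subtype) to body.
 * Returns 0 on success, -1 if out is too small or kind is not sendable. */
int tag_outgoing(enum msg_kind kind, const char *body, char *out, size_t outlen)
{
    int n;
    switch (kind) {
    case MSG_PLAIN:      n = snprintf(out, outlen, "%c%s", TAG_PLAIN, body); break;
    case MSG_SETUP:      n = snprintf(out, outlen, "%cK%s", TAG_CHANNEL, body); break;
    case MSG_CIPHERTEXT: n = snprintf(out, outlen, "%cC%s", TAG_CHANNEL, body); break;
    default:             return -1;
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Incoming filter: classify a wire message and point *body at its payload.
 * channel_up is nonzero once the key exchange has completed. Ciphertext that
 * arrives before that, or an unknown subtype, is rejected, not displayed. */
enum msg_kind classify_incoming(const char *wire, int channel_up, const char **body)
{
    *body = wire;
    if (wire[0] == TAG_PLAIN) { *body = wire + 1; return MSG_PLAIN; }
    if (wire[0] != TAG_CHANNEL) return MSG_UNTAGGED;  /* peer without the filter */
    if (wire[1] == 'K') { *body = wire + 2; return MSG_SETUP; }
    if (wire[1] == 'C' && channel_up) { *body = wire + 2; return MSG_CIPHERTEXT; }
    return MSG_REJECT;
}

int main(void)
{
    /* Constructed sample wire messages, received before any key exchange. */
    const char *wire[] = { "0hello", "1Kpake-msg-1", "1Cb64data", "hi there" };
    const char *body;
    for (size_t i = 0; i < sizeof wire / sizeof wire[0]; i++) {
        enum msg_kind k = classify_incoming(wire[i], 0, &body);
        printf("%-14s kind=%d body=%s\n", wire[i], (int)k, body);
    }
    return 0;
}
```

With single-character tags, a peer that does not run the filter and sends a message that happens to start with `0` or `1` is misclassified, so a real implementation would want a longer, less ambiguous marker.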