Due to all this surveillance on the internet, I was planning on writing a complete open-source, cross-platform and fully encrypted chat client including video functionality.

Similar to Skype, but messages and video streams should be fully encrypted, and all communication must only occur between the clients themselves and never needs to go through any server.

The registration, authentication and online checking, however, need to be done server-side to keep it simple and usable for beginners as well.

So to keep it as simple as possible I was gonna go for public/private key encryption. In order not to store the private key anywhere on the server and also not to carry it to each computer you want to log on to, I thought about making the password the private key. This way you could log on wherever you want and would not have to worry about the key.

If you add a person, you will then automatically send him/her your public key. If he/she accepts, he/she will respond with his/her public key, and then you can both chat/video-call.

The problem I am seeing here is:

  • How can I retain the public key when changing my password (the private key)?
  • Can I use existing SSL Infrastructure to achieve this, without having to re-implement any encryption standard?

I already have a couple of people willing to help with programming (C/C++), but unfortunately none of us is particularly keen on encryption technology, so I will need to sort those things out first. Once I know how to implement the encryption I will publish a diagram and ask for feedback about that.

Thanks in advance.

lockdoc

1 Answer

First, I think Jitsi is roughly the app you're thinking of building. It does encrypted text chat via OTR, and encrypted voice and video chat via ZRTP for key negotiation and SRTP. In general, cryptographic protocol design is very hard, and so if you're going to write your own app, you should use these protocols and the libraries that implement them.

To answer your question, you cannot directly derive the key from the password if you want it not to change between passwords. Instead, you store the key on a server encrypted (symmetrically) with a key derived from the password (using, say, PBKDF2 or scrypt). If the user changes the password, they decrypt the key with their old password-derived key and re-encrypt it with their new one.

In general, though, there isn't much of a point in doing this unless you're using some webapp-type solution where users might log on anywhere. That is actually a very bad idea. See some of the criticism of Cryptocat's JavaScript-based implementation, e.g. here.

imichaelmiers