I am thinking about a complicated chat application where two clients can connect to each other directly, like in a p2p network. The complexity of my idea is in both the network and the security (authentication).
NETWORK PART
As far as I have read on the internet, a p2p connection can be achieved by TCP HOLE PUNCHING. In most examples of hole punching, I have seen a middle server that helps clients pass their addresses to each other. Imagine that server goes down. I still want my clients to be able to find each other. A very crazy idea is for them (for example my application's users, as humans, not the code) to use any other communication channel to tell each other a code (which is generated from some data). I want this data to contain the client's {local IP, local port, public IP and public port} (which were used in all the examples of TCP hole punching that I have seen).
Can this data be found by the client itself, and is it enough? (Consider the help of extra HTTP REQUESTS from the client to find out its PUBLIC IP ADDRESS.)
Also, are there any better ideas than using TCP hole punching? My clients are mostly behind NATs.
AUTHENTICATION AND SECURITY PART
I am trying my best to rely less and less on a middle server for help. My client applications can perform Diffie-Hellman key exchange and encryption after their connection is established. But as I want real users to use this application, I need some way for clients to authenticate each other. I am not looking for this app to be used by a wide range of users. So maybe they can actually see each other sometimes (in the real world) and transfer some sort of file over Bluetooth (or another file sharing system in the application layer) that can be their authentication token. This token may later be used to authenticate each other when they want to establish a connection over the network. Well, this is my only idea:
The problem here would be that if Jack and Rose meet and they transfer their personal tokens, Jack later has Rose's authentication token and can use it to pretend to be Rose when he is talking to Jim.
Unless this token is generated with the same value for both of them and somehow means it's a token for only the {Jack and Rose} communication, and the token for {Jim and Rose} is different. (I mean it's a unique token for any conversation or pair of users.)
Would there still be any risks? Can any sort of networking attack or other trick break this?
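
One way to realise the per-pair token idea from the question, as an added example that is not part of the original post: each pair shares its own random token, and each side proves knowledge of it with an HMAC over both names and both Diffie-Hellman public values. The function names, the `pair-auth-v1` label and the random bytes standing in for DH public values are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") never collide.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def auth_tag(pair_token: bytes, sender: str, receiver: str,
             sender_pub: bytes, receiver_pub: bytes) -> bytes:
    """Sender's proof: HMAC keyed with the pair's token over both names and
    both DH public values, so the proof is tied to this one key exchange."""
    msg = _encode(b"pair-auth-v1", sender.encode(), receiver.encode(),
                  sender_pub, receiver_pub)
    return hmac.new(pair_token, msg, hashlib.sha256).digest()


def verify(pair_token: bytes, sender: str, receiver: str,
           sender_pub: bytes, receiver_pub: bytes, tag: bytes) -> bool:
    expected = auth_tag(pair_token, sender, receiver, sender_pub, receiver_pub)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    # Constructed data: one random token per pair, exchanged in person.
    tok_jack_rose = secrets.token_bytes(32)
    tok_jim_rose = secrets.token_bytes(32)
    # Random bytes stand in for fresh per-session DH public values (assumption).
    rose_pub, jim_pub, jack_pub, other_pub = (
        secrets.token_bytes(32) for _ in range(4))

    good = auth_tag(tok_jim_rose, "rose", "jim", rose_pub, jim_pub)
    # Jack holds only the Jack-Rose token and claims to be Rose towards Jim.
    forged = auth_tag(tok_jack_rose, "rose", "jim", jack_pub, jim_pub)
    return {
        "honest": verify(tok_jim_rose, "rose", "jim", rose_pub, jim_pub, good),
        "impersonation": verify(tok_jim_rose, "rose", "jim", jack_pub, jim_pub, forged),
        # A DH value replaced in transit no longer matches Rose's tag.
        "swapped_dh": verify(tok_jim_rose, "rose", "jim", other_pub, jim_pub, good),
        # Rose's tag sent back to her as if it were Jim's proof.
        "reflected": verify(tok_jim_rose, "jim", "rose", jim_pub, rose_pub, good),
    }


if __name__ == "__main__":
    print(demo())
```

The DH public values have to be freshly generated for every session; if they are reused, a recorded tag stays valid and can be replayed.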