Improving KDEConnect encryption.

vineet garg grgvineet at gmail.com
Wed Mar 4 18:00:28 UTC 2015


Hi,

I want to work to improve KDEConnect encryption in this GSOC. I am thinking
to implement following scheme:
1. Instead of using normal TCP we can use SSL/TLS to create session.
2. SSL/TLS, certificate for each device will be generated programmatically
upon first use of application.
3. Instead of sharing public key on pairing, we can share certificates
which will be stored on other device like we currently store public key.
4. Using a three way pairing so that user can verify other device's
certificate by just verifying SHA fingerprint.

What we will be results :
1. Full packet encryption.
2. No need to encrypt manually, SSL will take care.
3. No replay attacks, due to nonces in SSL.
4. No man in the middle attack, because fingerprint will be changed if
there is attack in pairing or certificates will not match if there is
attack afterward.
5. Fast, as asymmetric cryptography only used for SSL handshake, after that
symmetric cryptography will be used which is quite fast.
6. Payload encryption, as it is fast.

How I will do this:
1. Android supports SSL sockets and SSL server sockets throught
Bouncycastle library.
2 We can generate certificate using Bouncycastle based on devices
information programmatically.
3. Apache mina supports SSL filter over session.
4. QCA supports SSL/TLS.
5. We may implement openSSL (if possible, currently not sure).

I have already started working on it and look forward to further improve it
and to discover vulnerabilities in this scheme.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kdeconnect/attachments/20150304/041f5a2c/attachment.html>


More information about the KDEConnect mailing list