This changes the wording in the new contact UI and adds a "Generate"
button in the PANDA flow. This is to support exchanging shared secrets
via email or IM which, while not as secure as other options, is a lot
easier.
{1, 1, Label{text: `Manual keying involves exchanging key material with your contact in a secure and authentic manner, i.e. by using PGP. The security of Pond is moot if you actually exchange keys with an attacker: they can masquerade the intended contact or could simply do the same to them and pass messages between you, reading everything in the process. Note that the key material is also secret - it's not a public key and so must be encrypted as well as signed.
1990
+
{1, 1, Label{text: `Shared secret keying involves anonymously contacting a global, shared service and performing key agreement with another party who holds the same shared secret.
1991
1991
1992
-
Shared secret keying involves anonymously contacting a global, shared service and performing key agreement with another party who holds the same shared secret and shared time as you. For example, if you met your contact in real life, you could agree on a shared secret and the time (to the minute). Later you can both use this function to bootstrap Pond communication. The security of this scheme rests on the secret being unguessable, which is very hard for humans to manage. So there is also a scheme whereby a deck of cards can be shuffled and split between you.`, wrap: 400}},
1992
+
If other other party is someone who you are in email or IM contact with, then a button is provided to generate a secret, which can then be sent to the other party. Neither Email nor IM ensures that someone didn't change the secret during transmission but you can verify the other party's fingerprint later and, as always, have to weigh convenience against security.
1993
+
1994
+
If, for example, you met your contact in real life, you could agree on a shared secret and the time (to the minute). Later you can both use this function to bootstrap Pond communication. The security of this scheme rests on the secret being unguessable, which is very hard for humans to manage. So there is also a scheme whereby a deck of cards can be shuffled and split between you.
1995
+
1996
+
Manual keying (not generally recommended) involves exchanging key material with your contact in a secure and authentic manner, i.e. by using PGP. The security of Pond is moot if you actually exchange keys with an attacker: they can masquerade the intended contact or could simply do the same to them and pass messages between you, reading everything in the process. Note that the key material is also secret - it's not a public key and so must be encrypted as well as signed.`, wrap: 400}},
1993
1997
},
1994
1998
{
1995
1999
{1, 1, nil},
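Review bot: The added paragraph about the "Generate" button warns only that email or IM cannot ensure the secret wasn't changed in transit, yet the next paragraph says the scheme's security rests on the secret being unguessable, and a secret sent this way can also be read by whoever carries the message. Anyone who reads it then holds "the same shared secret" and can perform the key agreement. Suggest stating that the secret may be read as well as altered in transit, and wording the fingerprint check as a step the user should take rather than "you can verify". Also, "If other other party" in the same added line should read "If the other party".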
@@ -2000,16 +2004,16 @@ Shared secret keying involves anonymously contacting a global, shared service an
{1, 1, Label{text: `The shared secret can be a phrase, or can be generated by shuffling one or two decks of cards together, splitting the stack roughly in half and giving one half to each person. (Or you can do both the card trick and have a phrase.) Additionally, it's possible to use the time of the meeting as a salt if you agreed on it.
2357
+
{1, 1, Label{text: `If you received a secret from someone, enter it as the "Shared secret" and ignore the rest.
2358
+
2359
+
If you wish to email/IM a shared secret, click "Generate" to create one and send it to them over email or IM.
2346
2360
2347
-
When entering the cards enter the number or face of the card first, and then the suite - both as single letters. So the three of dimonds is '3d' and the ace of spades is 'as'. Discard the jokers. Click on a card to delete.`, wrap: 400}},
2361
+
If you are agreeing upon the shared secret via other means, then it can be a phrase, or can be generated by shuffling one or two decks of cards together, splitting the stack roughly in half and giving one half to each person. (Or you can do both the card trick and have a phrase.) Additionally, it's possible to use the time of a meeting as a salt if you agreed on it.
2362
+
2363
+
When entering cards enter the number or face of the card first, and then the suite - both as single letters. So the three of dimonds is '3d' and the ace of spades is 'as'. Discard the jokers. Click on a card to delete.`, wrap: 400}},
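Review bot: In the added first line, "enter it as the "Shared secret" and ignore the rest" leaves "the rest" undefined. Since the later paragraph says the time of a meeting can be used as a salt, the text should say explicitly that the time and card fields are to be left empty when a received or generated secret is used, so that both parties enter the same inputs. The "Generate" sentence could also repeat, in a few words, that the other party's fingerprint should be verified afterwards, as the overview text in the earlier hunk does. The reworded last line still carries "suite" (suit) and "dimonds" (diamonds), which are worth fixing while the line is being touched.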