Created
August 29, 2010 14:45
-
-
Save Natanael90/556350 to your computer and use it in GitHub Desktop.
TCPSphere - An authentication script for tcpcrypt using MonkeySphere
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### | |
| #!/usr/bin/env python | |
| print "TCPSphere, an authentication script for tcpcrypt using MonkeySphere" | |
| print "Made by Natanael L <natanael.l@gmail.com>, licensed under GPL2 or later." | |
| print "" | |
| # 2010-09-03, 18:25 UTC+2 (DST). Pseudocode v0.1 (mostly stable and complete). | |
| # Links: http://web.monkeysphere.info/, http://tcpcrypt.org/ | |
| # Notes: A session ID is a hash of keys+ciphers that both endpoints share and is | |
| # supposed to be unique for all time, and is thus suitable for authentication. | |
| ### Functionality to implement: | |
| # Separate thread; | |
| # Listen for TCPSphere support announcements | |
| # For each announcement; Put the session ID in a temporary database | |
| # Separate thread; | |
| # For every detected tcpcrypt connection; Announce TCPShpere support to it | |
| # Separate thread for every endpoint that is running TCPSphere; | |
| # Exchange public keys | |
| # If the other endpoint's key is in your Web of Trust; # Authentication below | |
| # # Note: Public servers may accept everything, and may also still check if | |
| # # the endpoint is in WoT to make life easier for admins (remote control). | |
| # Separate thread; | |
| # Listen for an authentication packet from the other endpoint | |
| # If timeout; | |
| # Set $endpoint_authentication to 0, exit thread | |
| # Else if: The details are correct; | |
| # Reply with Ok + nonce from the packet | |
| # Set $endpoint_authentication to 1, exit thread | |
| # Else if; It's a not-in-WoT packet that is received; | |
| # Set $not_in_wot to true AND set $endpoint_authentication to 0 | |
| # Exit thread | |
| # Else; Set $endpoint_authentication to 0, exit thread | |
| # # For each step before the if-case; Skip to it if not-in-wot is received | |
| # Create message with session ID, current time, nonce, both public keys | |
| # Sign it with your private key | |
| # Encrypt it with the other endpoint's public key | |
| # Send authentication packet | |
| # Listen for an Ok + your nonce OR a not-in-WoT packet | |
| # If timeout; | |
| # Print "Auth timeout ($Endpoint, $Endpoint_fpr)" # fpr = fingerprint | |
| # Else; If $not_in_wot is set to true; | |
| # Tell user "Not in $Endpoint's ($Endpoint_fpr) WoT. He might retry." | |
| # Keep listening for a new authentication packet | |
| # If a restart packet is received; Start over # If endpoint verify key | |
| # Else; If a cancel packet is received; Notify user AND exit | |
| # Else; If wrong reply received; | |
| # Tell the user "Auth failed with $Endpoint_name, $Endpoint_fpr" | |
| # Else; If reply correct AND WHEN $endpoint_authentication is set; | |
| # If set to 1; | |
| # Tell the user "Authenticated with $Endpoint, $Endpoint_fpr" | |
| # Else; Tell user "Auth failed with $Endpoint, $Endpoint_fpr" | |
| # Else; | |
| # Notify endpoint # In case you're in his WoT but he's not in yours | |
| # # A public server may tell users "not in WoT, but I accept everything" | |
| # Ask the user what to do; # Defaults may be set | |
| # Option: Try to auth another way (accept key, phone call, other)? | |
| # Notify that a new attempt will be made | |
| # If key is verified and added to WoT; Send restart packet | |
| # Else; Notify that authentication not will be attempted | |
| # Option: Cancel authentication attempt | |
| # Notify the endpoint that authentication not will be attempted |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment