TCPSphere - An authentication script for tcpcrypt using MonkeySphere
###
#!/usr/bin/env python3
print("TCPSphere, an authentication script for tcpcrypt using MonkeySphere")
print("Made by Natanael L <natanael.l@gmail.com>, licensed under GPL2 or later.")
print()
# 2010-09-03, 18:25 UTC+2 (DST). Pseudocode v0.1 (mostly stable and complete).
# Links: http://web.monkeysphere.info/, http://tcpcrypt.org/
# Notes: A session ID is a hash of keys+ciphers that both endpoints share and is
# supposed to be unique for all time, and is thus suitable for authentication.
### Functionality to implement:
# Separate thread;
#   Listen for TCPSphere support announcements
#   For each announcement; Put the session ID in a temporary database
# Separate thread;
#   For every detected tcpcrypt connection; Announce TCPSphere support to it
# Separate thread for every endpoint that is running TCPSphere;
#   Exchange public keys
#   If the other endpoint's key is in your Web of Trust; # Authentication below
#   # Note: Public servers may accept everything, and may also still check if
#   # the endpoint is in WoT to make life easier for admins (remote control).
#     Separate thread;
#       Listen for an authentication packet from the other endpoint
#       If timeout;
#         Set $endpoint_authentication to 0, exit thread
#       Else if; The details are correct;
#         Reply with Ok + nonce from the packet
#         Set $endpoint_authentication to 1, exit thread
#       Else if; It's a not-in-WoT packet that is received;
#         Set $not_in_wot to true AND set $endpoint_authentication to 0
#         Exit thread
#       Else; Set $endpoint_authentication to 0, exit thread
#     # For each step before the if-case; Skip to it if not-in-wot is received
#     Create message with session ID, current time, nonce, both public keys
#     Sign it with your private key
#     Encrypt it with the other endpoint's public key
#     Send authentication packet
#     Listen for an Ok + your nonce OR a not-in-WoT packet
#     If timeout;
#       Print "Auth timeout ($Endpoint, $Endpoint_fpr)" # fpr = fingerprint
#     Else; If $not_in_wot is set to true;
#       Tell user "Not in $Endpoint's ($Endpoint_fpr) WoT. He might retry."
#       Keep listening for a new authentication packet
#       If a restart packet is received; Start over # If endpoint verify key
#       Else; If a cancel packet is received; Notify user AND exit
#     Else; If wrong reply received;
#       Tell the user "Auth failed with $Endpoint_name, $Endpoint_fpr"
#     Else; If reply correct AND WHEN $endpoint_authentication is set;
#       If set to 1;
#         Tell the user "Authenticated with $Endpoint, $Endpoint_fpr"
#       Else; Tell user "Auth failed with $Endpoint, $Endpoint_fpr"
#   Else;
#     Notify endpoint # In case you're in his WoT but he's not in yours
#     # A public server may tell users "not in WoT, but I accept everything"
#     Ask the user what to do; # Defaults may be set
#       Option: Try to auth another way (accept key, phone call, other)?
#         Notify that a new attempt will be made
#         If key is verified and added to WoT; Send restart packet
#         Else; Notify that authentication will not be attempted
#       Option: Cancel authentication attempt
#         Notify the endpoint that authentication will not be attempted
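
The receiver's "details are correct" step and the sender's check of the "Ok + nonce" reply, as an added example that is not part of the gist. It assumes the packet has already been decrypted and its signature verified; the `AuthMessage` layout, the function names and the 120-second freshness window are hypothetical.

```python
# Receiver-side and sender-side checks for the authentication packet.
# Assumption: decryption and signature verification were done by the caller.
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_SKEW = 120  # seconds; hypothetical freshness window


@dataclass(frozen=True)
class AuthMessage:  # fields named in the pseudocode; the layout is hypothetical
    session_id: bytes
    timestamp: float
    nonce: bytes
    sender_fpr: str
    receiver_fpr: str


def build_message(session_id, my_fpr, peer_fpr, now=None):
    now = time.time() if now is None else now
    return AuthMessage(session_id, now, secrets.token_bytes(16), my_fpr, peer_fpr)


def check_message(msg, local_session_id, my_fpr, peer_fpr, seen_nonces, now=None):
    """Return (1, reply) or (0, None), mirroring $endpoint_authentication."""
    now = time.time() if now is None else now
    ok = (
        # Binds the signed message to this tcpcrypt session: a relaying
        # man-in-the-middle ends up with a different session ID on each leg.
        hmac.compare_digest(msg.session_id, local_session_id)
        and abs(now - msg.timestamp) <= MAX_SKEW  # reject stale packets
        and msg.nonce not in seen_nonces          # reject replayed packets
        and msg.sender_fpr == peer_fpr            # keys must be the ones exchanged
        and msg.receiver_fpr == my_fpr
    )
    if not ok:
        return 0, None
    seen_nonces.add(msg.nonce)
    return 1, ("Ok", msg.nonce)


def check_reply(reply, sent):
    """Sender side: accept only "Ok" carrying the nonce that was sent."""
    return (reply is not None and reply[0] == "Ok"
            and hmac.compare_digest(reply[1], sent.nonce))
```
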