[messaging] Encrypted Groups with Pre-shared keys

[steve at actor.im]

Hi!

I have one idea for encrypted messaging. 

Problem of existing messaging platform:
1) People need to verify keys AFTER chat creation. This forces people not to do checking at all.
2) Members of the group have no idea about what devices are connected or don't have control over it.

Solution:
Force people to share key with devices encrypted with one time password for joining device to group.

Result:
1) We can make different policies. For example don't allow to connect (for example) 1+ devices from each account or allow only mobile or only desktop and so on.
2) Keys are always trusted and verified.
3) One-time passwords are much easier to use than QR-codes or hashes. Because this is one-time password with limited time and attempts count (checked before sending on outgoing device) we can use much shorter passwords and use only numbers, say only 5-8.
4) You can share history with your devices, backup keys and finally store important information that can't be stored anywhere else.


I presented this to some security specialists around me and one of them say that this is not secure, because key can be stolen by social engineering without leaving any trace. This specialist proposed using encryption scheme that is used at Threema where you don't have group key at all and you need to check keys of each member. In traditional encryption you invite member to group and then you will need to check user's keys manually somehow. This looks a bit less secure and without any kind of control.

Steve,
actor.im