by lotharrr 1854 days ago
Good question! The code is broken up into two parts: a number, and some words. The number is like a mailbox: you put messages into it, the person you're intending to talk to puts messages into it, (maybe an attacker puts messages into it), everybody can read the messages there.

The words are secret. There's a special cryptographic protocol named PAKE ("Password Authenticated Key Exchange") that tells you what messages to put into the mailbox. The protocol has a lock-step part in the middle, where you don't generate your second message until you've seen the other person's first message (and vice versa).

When the protocol is done, if the two people used the same secret words, they'll wind up with the same secret encryption key, and nobody else will know the key. If they used different words, they'll wind up with random strings. The file transfer uses the shared key to encrypt the bulk data.

Your client will generate a random wormhole code (random words plus server-allocated mailbox number) and run the protocol exactly once. It will generate and send its first message, wait for the partner's first message, then generate and send the second message, wait for the partner's second message, compute the shared key, do a test to see if it matches the other side (send a hash of the key), negotiate a direct connection if possible, then encrypt and transmit the file data.

If an attacker is trying to guess your code, their only option is to pretend to be your intended recipient and follow the same protocol. They watch the server and learn the mailbox number: that part isn't secret. But then, to send their first message, they have to commit to some particular secret words. And they don't get to find out if they were right or not until they see your second message, by which point your client knows that this "one shot" has been used up, and it's either correct (the key-verification hash matches) or it's not (or the attacker disconnects and runs away, in the hopes of getting you to blame a flaky network instead of suspecting an attacker).

If it fails, the client tells you that fact and quits, and you have to re-run the program (getting a brand new random wormhole code) to try again. Which means the attacker is back to square one: they know their first guess was wrong, but now the code is different, so their second guess has exactly the same chances of being right as the first guess.

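As an added illustration of the mailbox / secret-words split described above (this is example code, not the thread's own and not magic-wormhole's implementation), here is a toy SPAKE2-style PAKE in Python. It assumes a single-use mailbox modelled as a dict, sides labelled `A` (sender) and `B` (receiver), a deliberately tiny 64-bit safe-prime group so the demo runs instantly, and constructed wormhole words such as `crossover-clockwork`; real clients use full-size groups and random words per run.

```python
"""Toy SPAKE2-style exchange: example code, not magic-wormhole's own. The
64-bit group is far too weak for real use and exists only to keep it readable."""
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for the toy parameters generated below."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _hash_to_subgroup(label, p):
    """Derive a fixed order-q element from a label (the SPAKE2 M/N constants)."""
    for i in range(256):
        h = int.from_bytes(hashlib.sha256(label + bytes([i])).digest(), "big") % p
        elem = pow(h, 2, p)  # squaring lands in the quadratic-residue subgroup of order q
        if elem not in (0, 1):
            return elem
    raise RuntimeError("could not derive subgroup element")


def make_group(bits=64):
    """Return (p, q, g, M, N) with p = 2q + 1 a safe prime; g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if _is_probable_prime(q) and _is_probable_prime(p):
            break
    return p, q, pow(2, 2, p), _hash_to_subgroup(b"M", p), _hash_to_subgroup(b"N", p)


class Party:
    """One side of the exchange: b"A" is the sender, b"B" the receiver."""

    def __init__(self, group, side, secret_words):
        self.p, self.q, self.g, self.M, self.N = group
        self.side = side
        self.nbytes = (self.p.bit_length() + 7) // 8
        # The secret words become scalar w; only someone who knows them gets the same w.
        self.w = int.from_bytes(hashlib.sha256(secret_words.encode()).digest(), "big") % self.q
        self.x = secrets.randbelow(self.q - 1) + 1  # fresh per session, never reused across codes
        self.sent = self.key = None

    def first_message(self):
        """Message 1: g^x blinded by M^w (side A) or N^w (side B), posted to the mailbox."""
        blind = self.M if self.side == b"A" else self.N
        elem = pow(self.g, self.x, self.p) * pow(blind, self.w, self.p) % self.p
        self.sent = elem.to_bytes(self.nbytes, "big")
        return self.sent

    def derive_key(self, partner_msg):
        """After reading the partner's message 1: unblind with OUR w, then raise to x."""
        their_blind = self.N if self.side == b"A" else self.M
        unblind = pow(pow(their_blind, self.w, self.p), self.p - 2, self.p)  # modular inverse
        shared = pow(int.from_bytes(partner_msg, "big") * unblind % self.p, self.x, self.p)
        # Hash the transcript in a fixed order (A then B) so both sides hash identical bytes.
        msg_a, msg_b = (self.sent, partner_msg) if self.side == b"A" else (partner_msg, self.sent)
        self.key = hashlib.sha256(b"key" + msg_a + msg_b + shared.to_bytes(self.nbytes, "big")
                                  + self.w.to_bytes(self.nbytes, "big")).digest()
        return self.key

    def second_message(self):
        """Message 2: the key-verification hash, tagged with our side so it cannot be reflected."""
        return hashlib.sha256(b"confirm" + self.side + self.key).digest()

    def partner_confirmed(self, partner_msg2):
        """True only if the partner derived the same key, i.e. used the same secret words."""
        other = b"B" if self.side == b"A" else b"A"
        expected = hashlib.sha256(b"confirm" + other + self.key).digest()
        return hmac.compare_digest(expected, partner_msg2)


def run_session(group, sender_words, receiver_words):
    """One single-use wormhole code run through a public mailbox.

    Returns (confirmed, sender_key, receiver_key); the keys are exposed only so a
    caller can see that a wrong guess yields unrelated keys."""
    mailbox = {}  # anyone, an attacker included, can read everything posted here
    a, b = Party(group, b"A", sender_words), Party(group, b"B", receiver_words)
    mailbox[(b"A", 1)] = a.first_message()
    mailbox[(b"B", 1)] = b.first_message()
    # Lock-step: neither side produces message 2 until it has read the other's message 1.
    a.derive_key(mailbox[(b"B", 1)])
    b.derive_key(mailbox[(b"A", 1)])
    mailbox[(b"A", 2)] = a.second_message()
    mailbox[(b"B", 2)] = b.second_message()
    ok = a.partner_confirmed(mailbox[(b"B", 2)]) and b.partner_confirmed(mailbox[(b"A", 2)])
    return ok, a.key, b.key


if __name__ == "__main__":
    G = make_group()
    # Constructed sample codes; a real client draws fresh random words for every run.
    print("same words  ->", run_session(G, "crossover-clockwork", "crossover-clockwork")[0])
    print("wrong guess ->", run_session(G, "crossover-clockwork", "crossover-clockwise")[0])
```

The second call is the "one shot" the thread describes: the guesser had to commit to `crossover-clockwise` in message 1, the confirmation hashes do not match, and because `x` and the words are fresh for the next session, nothing from this attempt carries over.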

Oh I see, thank you! I'd missed that it was an address/password combo.

Thanks for the clear explanation.