[Feature request] Implement "connect from other device" with Password-Authenticated Key Exchange.
Hi. It was surprising to me that, according to #756 (closed), the "connect from other device" feature actually encrypts transferred account data with a generated short password instead of using it for some kind of authentication and/or encryption key negotiation algorithm.
It would be much safer to use one of the Password-Authenticated Key Exchange (PAKE) algorithms. There is a working and pretty decent file transfer tool, https://github.com/magic-wormhole/magic-wormhole, that you can use as a reference.
Why is it worth implementing:
- With PAKE you can use a negotiated long random key to encrypt account data during transfer. If someone intercepts the account data, it would be extremely hard for them to brute-force the key.
- The process of connecting a new device will not change from the user's point of view. It will be done in the same way, by typing the generated short password on the new device.
(By the way, I was under the impression that this feature was already implemented this way.)
Edited by Mykhailo Mishchenko
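
The flow requested above, as an added example (not code from this project or from magic-wormhole): a toy SPAKE2 exchange, one PAKE construction, in which the short code only blinds the key-exchange messages and the account data would be encrypted under the resulting 256-bit session key. The group (integers modulo 2**255 - 19), the PBKDF2 settings and the names `Side`, `confirm` and `pair` are assumptions chosen for illustration; production code should use a vetted SPAKE2 library over a prime-order group.

```python
import hashlib, hmac, secrets

# Toy parameters (assumption, illustration only): integers modulo the prime
# 2**255 - 19 with generator 2. Not a vetted prime-order group.
P = 2**255 - 19
G = 2

def _h2int(label: bytes) -> int:
    return int.from_bytes(hashlib.sha512(label).digest(), "big") % P

# Fixed public blinding elements; nobody should know their discrete logs.
M, N = _h2int(b"toy SPAKE2 M"), _h2int(b"toy SPAKE2 N")

def pw_scalar(code: str) -> int:
    # Stretch the short code; the salt is constant so both devices agree.
    d = hashlib.pbkdf2_hmac("sha256", code.encode(), b"toy-spake2", 100_000)
    return int.from_bytes(d, "big")

class Side:
    def __init__(self, code: str, initiator: bool):
        self.w, self.initiator = pw_scalar(code), initiator
        self.secret = secrets.randbelow(P - 2) + 1
        blind = M if initiator else N
        # The only value sent on the wire: an ephemeral DH share blinded by the code.
        self.msg = pow(G, self.secret, P) * pow(blind, self.w, P) % P

    def finish(self, peer_msg: int) -> bytes:
        peer_blind = N if self.initiator else M
        unblinded = peer_msg * pow(pow(peer_blind, self.w, P), -1, P) % P
        shared = pow(unblinded, self.secret, P)
        x, y = (self.msg, peer_msg) if self.initiator else (peer_msg, self.msg)
        transcript = b"|".join(str(v).encode() for v in (x, y, self.w, shared))
        return hashlib.sha256(transcript).digest()  # 256-bit session key

def confirm(key: bytes, role: bytes) -> bytes:
    # Key confirmation tag: lets a device detect a wrong code before sending data.
    return hmac.new(key, b"confirm:" + role, hashlib.sha256).digest()

def pair(code_old: str, code_new: str):
    """Run one exchange between the existing device and the new device."""
    a, b = Side(code_old, True), Side(code_new, False)
    ka, kb = a.finish(b.msg), b.finish(a.msg)
    ok = hmac.compare_digest(confirm(ka, b"new"), confirm(kb, b"new"))
    return ka, kb, ok

if __name__ == "__main__":
    print(pair("4821", "4821")[2], pair("4821", "4822")[2])
```

Each run uses fresh ephemeral secrets, so a recorded exchange gives a passive observer nothing to test code guesses against; a wrong code fails key confirmation and costs one live attempt.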