Have you heard of OTR? http://en.wikipedia.org/wiki/Off-the-Record_Messaging
About 3DES-128, at least they're not using 3ROT-13 I guess ;D If you want to make it free (as in GPL) - why not make it public domain? That would make it much easier for proprietary IMs to integrate it. Also what I don't get, you state you want to use symmetric and asymmetric encryption to securely exchange the key (which actually is hybrid encryption), but then you say hybrid encryption ain't an option cause of the public/private keypair which have to be kept secret. In addition I don't see how you think you can defeat mitm. smu johnson wrote: > Dear Crypto++ gurus and users, > > Coles notes version of my question: Does Crypto++ support STS Station- > to-Station secret key distribution? > =================================== > > Explanation: > ============ > > This is my first post to the mailing list (hi!). I came here because > of my dream to write a GPL-based IM privacy clone of program Simp > (www.secway.fr), because Simp does not provide the following that I > want: > > 1) open & open-source so it can be criticized if any security holes > exist > 2) ability to choose ciphers other than AES for free > 3) increase their keysizes past 128-bits, which Simp / SimpPro will > not do. > 4) confidence in facts. Simp claims it supports 3DES-128. Please > correct me if I'm wrong, but I don't think such a keysize exists for > 3DES. And for a "security company" to claim that it does, it destorys > my confidence in how secure Simp is actually coded. If my statement > is correct, then this reason alone is enough to motivate me to write a > free GPL clone. > 5) unforgiving lack of support for *nix world, especially Mac OS X (I > can't talk to my Mac friends!) > > Crypto++ has all the ciphers I love. The program goal is to use both > asym & sym ciphers, and using authentication, send the sym. key > secretly. A hybrid method of encrypting the session key with a > private key will not be supported as I think the risk of private key > compromise is high with people who might use the program and not take > key management too seriously. > > Now, I am afraid I will have to "do everything by hand" if only > regular DH is implemented in Crypto++ libs... and that I have to "hit > the books" for about 3 years before I am qualified to do STS > properly. I didn't see STS mentioned on the main page of this lib. > > And... to me, currently it seems STS is the best way, but perhaps > better / more modern ways to accomplish the same thing have been > invented? > > Many thanks in advance. I hope this is not too off-topic to Crypto++ > discussion. > > -- You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com.
