/*! @file @id $Id$ */
//        1         2         3         4         5         6         7         8
// 45678901234567890123456789012345678901234567890123456789012345678901234567890
/** @page protocol SafeChat Protocol

    @tableofcontents

    @section security Security Concept

    Neither the password nor the private key is ever sent to the server. Both
    remain under the user's control and in the user's possession. Only the
    user name and the public key are sent to the server.

    - The password is kept only in the browser's transient memory.
    - The private key is kept, encrypted with the password, in the browser's
      persistent local storage.
    - The public key is stored on the server, so that other users can look up
      a user's public key.

    There are two secret security tokens: the password, which is in the user's
    mind, and the private key, which is on the user's device, in the local
    storage of the browser. Messages can only be sent or read with access to
    both security tokens: the encrypted private key alone is useless without
    the password, and the password alone is useless without the key.

    @section newuser Create New User

    If no credentials exist in the browser's local storage, the browser asks
    the user for a user name and a password and creates a private key that is
    encrypted with the password. In login(), the browser sends the user's name
    and public key to the server. The server creates a new user if the user
    does not exist yet. Then the server returns whether the user name and
    public key match what it has stored in its table. Because the user is
    created on the first login, a user name belongs to whoever first presents
    a public key for it; a later login with the same name but a different
    public key is reported as a mismatch.

    @msc
      user, browser, server;
      user -> browser [label="https://safechat.ch"];
      browser -> server [label="index.html"];
      browser <- server [label="safechat.js",URL="\ref safechat.js"];
      user <- browser [label="register new user"];
      user -> browser [label="username / password"];
      browser -> browser [label="create openpgp-public/private keys"];
      browser -> server [label="login.php(username, public-key)"];
      server -> server [label="if user name does not exist:\nstore username/public-key"];
      server -> browser [label="success"];
    @endmsc
*/