[onerng talk] Interesting project: JackPair

[Jim Cheetham]

I looked at JackPair a few weeks ago, it's an interesting device and I
almost backed it until I compared the in-NZ price with my expected usage of
the thing!

Doing the key verification in-channel after the setup has happened is the
only bit I'm uncomfortable with (i.e. the relationship between the OTSK and
the Pairing Key, as the Pairing Key is potentially exposed - at least in
plaintext audio at each end), but it's unavoidable with the consumer
use-case and done well enough that you'd need a very well-resourced
attacker to have even a slim chance. Good tradecraft would suggest that
each recipient pair should have their own transformation function for this
check as well, so instead of saying the actual code you would say something
else.

It's much more of a consumer-grade device than we're aiming for, of course,
but I like the way it looks!

The same requirements apply in terms of verification - how will you know
that your JackPair is doing only the correct thing? Trust would be needed,
because verification of such a complex device would be impractical.

-jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ourshack.com/pipermail/discuss/attachments/20141030/f7ca1935/attachment.html>