How did my recovery key get from one computer to the other?
I didn't enter the recovery key on the computer I paired. How did it get there? I assume it had to be sent from the main computer, but how secure is that?
Chosen solution
This is done via PAKE (password-authenticated key agreement), a cryptographic mechanism for two parties to agree upon a strong key based on a weak shared secret.
The other device (mobile phone) displays a random PIN that simply has to be entered on the desktop computer.
Then both devices will go through the PAKE algorithm (J-PAKE in our case) to agree upon a strong key, communicating through a simple server via HTTPS.
Once it’s verified on both sides, the desktop will send the credentials to the mobile phone.
Password Authenticated Key Exchange by Juggling:
Note that in the new Firefox Account-based version of Sync there is no longer an explicit Sync (recovery) key used, but your Sync data is encrypted with a key derived from your Firefox Account password, instead of a random key managed by the J-PAKE pairing protocol.
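To make the exchange above concrete, here is an added illustration of the J-PAKE pairing flow (two rounds of values with Schnorr proofs, then a key-confirmation step before anything sensitive is sent). It is not the answer's or Firefox's own code, and it uses a constructed toy group so the arithmetic is easy to follow.

```python
import hashlib, hmac, secrets
# Constructed toy safe-prime group: p = 2q + 1, and G = 4 generates the order-q subgroup.
P, Q, G = 4079, 2039, 4

def H(*parts):  # hash anything to a scalar mod Q (used by the proofs and for the PIN)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def prove(x, X, gen, who):  # Schnorr proof of knowledge of x such that gen^x == X
    v = secrets.randbelow(Q)
    V = pow(gen, v, P)
    return V, (v - x * H(gen, V, X, who)) % Q

def verify(X, gen, proof, who):
    V, r = proof
    return pow(gen, r, P) * pow(X, H(gen, V, X, who), P) % P == V

class Device:
    def __init__(self, name, pin):
        self.name, self.s = name, H(pin) % (Q - 1) + 1  # PIN -> non-zero scalar s
        self.x1, self.x2 = secrets.randbelow(Q), secrets.randbelow(Q - 1) + 1

    def round1(self):  # g^x1, g^x2 plus proofs that we know x1 and x2
        self.g1, self.g2 = pow(G, self.x1, P), pow(G, self.x2, P)
        return (self.name, self.g1, prove(self.x1, self.g1, G, self.name),
                self.g2, prove(self.x2, self.g2, G, self.name))

    def round2(self, msg):  # check peer's round 1; send (g^(x1+x3+x4))^(x2*s) with a proof
        who, self.g3, p3, self.g4, p4 = msg
        if who == self.name or self.g4 == 1 or not (
                verify(self.g3, G, p3, who) and verify(self.g4, G, p4, who)):
            raise ValueError("bad round-1 message")
        gen, self.xs = self.g1 * self.g3 * self.g4 % P, self.x2 * self.s % Q
        self.A = pow(gen, self.xs, P)
        return self.name, self.A, prove(self.xs, self.A, gen, self.name)

    def key(self, msg):  # check peer's round 2; K = (B / g4^(x2*s))^x2 = g^((x1+x3)*x2*x4*s)
        who, B, pB = msg
        if not verify(B, self.g1 * self.g2 * self.g3 % P, pB, who):
            raise ValueError("bad round-2 message")
        K = pow(B * pow(self.g4, Q - self.xs, P) % P, self.x2, P)
        return hashlib.sha256(b"jpake-key:%d" % K).digest()

def pair(pin_phone, pin_desktop):  # the relay server only forwards these four messages
    phone, desktop = Device("phone", pin_phone), Device("desktop", pin_desktop)
    m1p, m1d = phone.round1(), desktop.round1()
    m2p, m2d = phone.round2(m1d), desktop.round2(m1p)
    kp, kd = phone.key(m2d), desktop.key(m2p)
    # key confirmation: each side shows it holds K before the credentials are sent over it
    tag = lambda k, w: hmac.new(k, b"confirm:" + w.encode(), "sha256").digest()
    return kp, kd, all(hmac.compare_digest(tag(kp, w), tag(kd, w)) for w in ("phone", "desktop"))
```

With the same PIN both devices derive the same key and confirmation succeeds; with different PINs every message still looks valid, but the keys differ and confirmation fails, which is why a relay that only sees the traffic learns nothing useful about the PIN.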