
If I understand right, when an existing user (who already has an account, and a device) wants to add a new device, they…

• On new device, make a key pair.

• On new device, log in to server and send new device's public key to server.

• Server sends approval request to old device, which includes the new device's public key.

• On old device, receive the approval request and the new device's public key. Decide to approve new device.

• On old device, take old device's _private_ key, encrypt with new device's public key, and send encrypted blob to server.

• Server relays approval message to new device.

• New device decrypts blob, and deletes its original key-pair (that was generated at the start). New device now uses old device's private key. The public key is derived from the private key.

So in the end, old device and new device have the same key pair.

Please let me know if I got that wrong!

Assuming I got it right, this strikes me as problematic, because it means that all the devices are sharing a private key. If any one device were compromised, then all past messages would be exposed; if the compromise were to go undetected, then future messages would also be compromised.



I agree. You would be better off if you have a private key per device and increase your logic on the server side (multiple devices per user) to allow for easier revocation of stolen devices.

“Linking multiple devices” via their public key is still fine, since the user has to log in once with email/password (or by some other means).

If you were to have the requirement of needing multiple private keys to decrypt a message, that would be a different thing - maybe to ensure in a group chat only the current group chat members can decrypt the messages. And whenever a member leaves/joins, a new group secret gets generated based on all private keys of all members. But then what would be the benefit of this?
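
A sketch of the per-device-key design suggested in this thread, added here as an example and not code from either commenter: each device keeps its own X25519 key pair, the sender wraps a message key once per active device, and revoking one device leaves the others untouched. `Directory`, `keypair`, `wrap` and `unwrap` are hypothetical names, and the pure-Python X25519 and SHA-256/XOR wrap are illustrative stand-ins for a vetted library.

```python
import hashlib
import secrets

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # Curve25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 ladder (illustrative: pure Python, not constant time)."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = secrets.token_bytes(32)  # generated on the device, never leaves it
    return priv, x25519(priv, BASE)

def wrap(msg_key: bytes, device_pub: bytes) -> bytes:
    """Toy unauthenticated wrap: ephemeral pub || msg_key XOR SHA-256(ECDH)."""
    eph = secrets.token_bytes(32)
    pad = hashlib.sha256(x25519(eph, device_pub)).digest()
    return x25519(eph, BASE) + bytes(m ^ p for m, p in zip(msg_key, pad))

def unwrap(envelope: bytes, device_priv: bytes) -> bytes:
    pad = hashlib.sha256(x25519(device_priv, envelope[:32])).digest()
    return bytes(c ^ p for c, p in zip(envelope[32:], pad))

class Directory:
    """Server-side view of one user: a public key per device, each revocable."""
    def __init__(self):
        self.active = {}  # device name -> public key

    def revoke(self, name: str) -> None:
        self.active.pop(name, None)  # other devices keep their own keys

    def fan_out(self, msg_key: bytes) -> dict:
        # One envelope per currently active device; revoked devices get none.
        return {name: wrap(msg_key, pub) for name, pub in self.active.items()}
```

With a shared private key, the same revocation would require replacing the key on every remaining device.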



