high level explanation of RustDesk's end-to-end encryption?

[kolAflash]

Can someone give me a high level explanation of the encryption RustDesk does?
rustdesk.com states: "End-to-end encryption."
So when doing end to end encryption, I usually expect one of the following solutions to verify the others identity.

 

PKI
Either certificate authorities for a public key infrastructure. And each client has to get a certificate for it's "identity" (compare: X.509 certificates email addresses to use S/MIME encryption).

Fingerprints
Or the alternative I'd expect is some manual public key fingerprint comparison. Either by scanning QR codes, like some mobile messengers do it (Signal, Threema, ...). Or by manually comparing fingerprints, like people are used to do it when using PGP or SSH.
(I'd clearly prefer that one)

 

I couldn't find neither in RustDesk. Or did I miss a secret menu to show fingerprints to compare them or install my X.509 certificate?

I really like RustDesk. And I'd really welcome a way to compare fingerprints, including some TOFU mechanism to remember identities I've verified before. Maybe RustDesk can even incooperate PGP, to the identity can simply be verified by the PGP key.

In some way this relates to the question which has been asked here before: #223
"How does this end-to-end encryption prevent man-in-the-middle attacks?"
Or in other words: How does RustDesk authenticate identities to establish a secure end-to-end encryption?

[djex]

I do not know the details on how the encryption is implemented however I did find that it uses the NaCl encryption library and uses crypto_secretbox_xsalsa20poly1305 for encryption.

[rustdesk]

#63 (comment)

crypto_sign_ed25519 for signature creation and verification
crypto_box_curve25519xsalsa20poly1305 for asymmetric cryptography
crypto_secretbox_xsalsa20poly1305 for symmetric cryptography

[AlexZigante]

I would love a detail explanation too.
Mainly does the end-to-end mean between machines or is it just encrypted machine to server then decrypted on server and re-encrypted to transmit to second machine??

[rustdesk]

Between machines

[rustdesk]

fingerprints

We do have this, but not displayed friendly on

controlled side

@21pages please check where anydesk show it, I guess somewhere in settings or about page

and remote menubar

@21pages should be shown aside the secured connection tip when the mouse hover on tab of the remote window (where for mobile?).

yet. @21pages add this in our GUI please. For us, the fingerprint is the public key of controlled side.

rustdesk/src/client.rs

Line 476 in bdd3148

sign_pk = Some(sign::PublicKey(pk));

rustdesk/src/server.rs

Line 144 in 7a818c5

let (sk, pk) = Config::get_key_pair();

[21pages]

anydesk about page

[rustdesk]

Let's follow AnyDesk.

[rustdesk]

#4098

[kolAflash]

Thanks a lot!

I know many decent IT security and network administrator guys who will honor this.