Some of you may already be familiar with Flow, the new feature that allows you to quickly and seamlessly share images, links and videos between your Opera browser for computers and your Opera Touch mobile browser (currently available for Android and coming soon to iOS).
Flow is very easy to set up: all you need to do is scan a QR code in the Opera PC browser with Opera Touch on your phone. It doesn’t require a login or password, and yet we have managed to make Flow extremely secure. Breaking the end-to-end encryption would take billions of years on currently available hardware.
It’s time to look under the hood and explain the design considerations and technology which allowed us to create this secure and anonymous service.
The two main goals for Flow were to provide the easiest way to pair devices and to use end-to-end encryption for all information transmitted by users.
The first of these objectives was accomplished by using a hashed QR code for authentication, which is never sent over the wire. Even if someone took a photo of your screen with the QR code displayed, the pairing would fail because the pairing token can be used only once.
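The single-use check described above can be sketched as follows; this is an added illustration, not Opera's code. It assumes the QR code carries a random secret and that only its SHA-256 digest reaches a pairing service; `PairingRegistry`, `register`, `redeem` and the other names are hypothetical.

```python
import hashlib
import hmac
import secrets


class PairingRegistry:
    """Hypothetical pairing service: holds digests of pending QR secrets."""

    def __init__(self):
        self._pending = {}  # pairing_id -> SHA-256 digest of the QR secret

    def register(self, pairing_id, token_digest):
        # Only the digest is registered; the raw secret exists only in the QR code.
        self._pending[pairing_id] = token_digest

    def redeem(self, pairing_id, presented_digest):
        # pop() consumes the entry before comparing, so each pairing id can be
        # tried exactly once, whether or not the attempt succeeds.
        expected = self._pending.pop(pairing_id, None)
        if expected is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, presented_digest)


def new_qr_payload():
    """Desktop side: a random pairing id and secret, shown only on screen."""
    return secrets.token_hex(8), secrets.token_bytes(32)


def digest(secret):
    return hashlib.sha256(secret).digest()


def demo():
    registry = PairingRegistry()
    pairing_id, secret = new_qr_payload()  # constructed sample values
    registry.register(pairing_id, digest(secret))
    first = registry.redeem(pairing_id, digest(secret))   # phone scans the QR code
    replay = registry.redeem(pairing_id, digest(secret))  # same token presented again
    return first, replay


if __name__ == "__main__":
    print(demo())
```
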
For end-to-end cryptography, which is used to secure the content sent between devices in Flow, we chose the symmetric cryptographic algorithm AES, the same as the one used by the U.S. Government for secret and top secret classified information.
Symmetric cryptography relies on a single shared key, which means all devices in a group can simply encrypt and decrypt messages exchanged between themselves. This also means that a new device added to the group can, once it has obtained the key, access all previous Flow messages. The encryption key is transmitted only during the pairing process, in encrypted form, and never leaves your device in plaintext.
This means Flow is easy to set up and as secure as U.S. Government secret information.