Closed mathiasayivor closed 10 months ago
@Dun-sin I don't think this issue should have the Easy label, as it is a bit complicated.
I think otherwise🤔
The goal is to somehow employ end-to-end encryption, which means the server can never decrypt the messages. Storing the private keys on the server defeats that goal.
The goal is to ensure that the encryption keys stay with the users (the owners of the message) instead of the server. And each chat would have a separate encryption key.
I understand that; there's no misunderstanding here. The only "hard" thing I see is how to store the key, or rather where, but the implementation is easy in my logic.
Hello @Dun-sin. I can work on this issue.
Sure, explain back to me what the issue is telling you to do and how you plan to solve it
Current status is that we use keys stored in a .env file locally to encrypt messages. We want to create a model where each chat session between two users would have its own unique generated key, and it should be only accessible to the sender of the message. We want to do this to keep messages private between users. So in short, we have to do pure end-to-end encryption without storing keys on the server, like it is now in the .env file. So the server shouldn't have access to the keys or to the message content. I plan on doing it like this:
The sender will encrypt the message using a randomly generated symmetric key and an initialization vector (IV). Then, the sender will encrypt the symmetric key with the recipient's public key and send both the encrypted key and the IV + encrypted message to the server. The recipient can decrypt the symmetric key with their private key, then use the key and IV to decrypt the message. This will ensure end-to-end encryption without the server having access to the message content or the encryption keys.
okay, got it, assigned it to you, thanks for wanting to contribute. Follow the rules here, or your PR won't be accepted and will be closed. Good luck!
@Aryakoste how's this going?
Working on it. First I tried using the Diffie-Hellman algorithm. I implemented the code by requesting the public key from the server and the client sharing its public key to generate a shared key by the server. But I found out later on that the client-side browser isn't supporting it. I tried using other libraries but found no success. Later I tried with an initialization vector using AES-GCM and converting hexToUint8 using text encoder and decoder to generate a shared key which will only be visible to the sender. I was able to encrypt and decrypt the sender data with the shared key, but on the receiver side I wasn't able to. So I tried making a lot of changes related to exchanging keys without the server knowing what the key is, by encrypting the key too, but it wasn't working. Now I have found another method to achieve the algorithm I first tried, that is, the Diffie-Hellman algorithm. I think it will work. I have found that crypto-browserify will allow me to access Diffie-Hellman methods, so I will be able to generate a shared key and share it among the users. So I am going to implement it and will let you know.
appreciate the update, thank you
I have successfully been able to develop a proper algorithm for end-to-end encryption. I just need to properly embed it with the code. I first generated a key pair on the client side. As we can't export the public key directly, I had to convert it into a PEM-formatted string so it can be sent through socket.io (arrayBuffer to PEM) and then export it. So I sent one user's public key to the other, and then I have to do PEMtoArrayBuffer again on the other side. I am using the RSA-OAEP algorithm for encryption and decryption with the SHA-256 hash. After encryption I have to convert it into a Uint8Array and then base64 so that it can be sent to the server and the encrypted message stored in the database, and the same is done in reverse on the other side. I have tested encrypting and decrypting messages at opposite sides of chats (sender and receiver) and I am getting the correct messages. I just have some issues properly embedding it with the code, meaning the algorithm is working properly, but when combined with the existing code it is giving some issues. When done, I will let you know.
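The hybrid scheme planned earlier in this thread (a random symmetric key and IV per message, with the symmetric key encrypted to the recipient's public key), sketched with WebCrypto and the RSA-OAEP/SHA-256 choice from the comment above. This is an added example, not code from the project or from any participant; the function names, the envelope fields and the AES-256-GCM choice for the message key are assumptions.

```javascript
// Added example; function and field names are illustrative, not the project's.
const b64 = (buf) => btoa(Array.from(new Uint8Array(buf), (x) => String.fromCharCode(x)).join(''));
const unb64 = (s) => Uint8Array.from(atob(s), (ch) => ch.charCodeAt(0));

// WebCrypto in the browser; falls back to Node's implementation for offline runs.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Each client creates its own key pair. The private key is non-extractable and never sent.
async function newIdentity() {
  const c = await getCrypto();
  const pair = await c.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['encrypt', 'decrypt']);
  return { privateKey: pair.privateKey, publicB64: b64(await c.subtle.exportKey('spki', pair.publicKey)) };
}

// Sender: fresh AES-256-GCM key and 96-bit IV per message; only the AES key goes through RSA-OAEP.
async function sealMessage(plaintext, recipientPublicB64) {
  const c = await getCrypto();
  const pub = await c.subtle.importKey('spki', unb64(recipientPublicB64),
    { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['encrypt']);
  const msgKey = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12));
  const ciphertext = await c.subtle.encrypt({ name: 'AES-GCM', iv }, msgKey, new TextEncoder().encode(plaintext));
  const wrappedKey = await c.subtle.encrypt({ name: 'RSA-OAEP' }, pub, await c.subtle.exportKey('raw', msgKey));
  // This envelope is everything the server relays or stores.
  return { wrappedKey: b64(wrappedKey), iv: b64(iv), ciphertext: b64(ciphertext) };
}

// Recipient: unwrap the AES key with the private key, then decrypt and authenticate the message.
async function openEnvelope(envelope, privateKey) {
  const c = await getCrypto();
  const rawKey = await c.subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, unb64(envelope.wrappedKey));
  const msgKey = await c.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const plain = await c.subtle.decrypt({ name: 'AES-GCM', iv: unb64(envelope.iv) }, msgKey, unb64(envelope.ciphertext));
  return new TextDecoder().decode(plain);
}

// Constructed sample: a 400-byte message, longer than RSA-OAEP alone could carry.
async function demo() {
  const bob = await newIdentity();
  const envelope = await sealMessage('meet at 6 '.repeat(40), bob.publicB64);
  const roundTrip = await openEnvelope(envelope, bob.privateKey);
  const bytes = unb64(envelope.ciphertext);
  bytes[0] ^= 1; // one bit changed while the envelope was stored
  const tampered = await openEnvelope({ ...envelope, ciphertext: b64(bytes) }, bob.privateKey)
    .then(() => 'accepted', () => 'rejected');
  return { roundTrip, tampered };
}
```

RSA-OAEP with a 2048-bit key and SHA-256 can encrypt at most 190 bytes directly, which is why only the 32-byte message key goes through it. Because the server relays the public keys, clients still need a way to check that the key they received belongs to the other user, for example by comparing fingerprints.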
you're good, looking forward to the final thing
Description
Current Situation: The current encryption method uses a single key for encrypting every message, and this key is stored as an environment variable. This presents a serious security vulnerability as anyone with access to this key can easily decrypt all messages in a single operation.
Proposed Enhancement: To significantly enhance the security of our encryption:
Benefits:
Are you willing to work on this issue?
Yes I am willing to submit a PR!