Dun-sin / Whisper

A fun Application to have a random chat with people safely
https://whisper.favour.dev/
MIT License

[FEATURE] Improve on encryption #550

Closed mathiasayivor closed 10 months ago

mathiasayivor commented 11 months ago

Description

Current Situation: The current encryption method uses a single key for encrypting every message, and this key is stored as an environment variable. This presents a serious security vulnerability as anyone with access to this key can easily decrypt all messages in a single operation.

Proposed Enhancement: To significantly enhance the security of our encryption:

Benefits:

Screenshots

No response

Additional information

No response

👀 Have you checked if this issue has been raised before?

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue?

Yes I am willing to submit a PR!

github-actions[bot] commented 11 months ago

It's great having you contribute to this project by creating an issue

Make sure you are assigned to this before you work on it and that you have read the Contributing.md file. Thank you! Welcome to the community :nerd_face:

mathiasayivor commented 11 months ago

@Dun-sin I don't think this issue should have the Easy label, as it is a bit complicated.

Dun-sin commented 11 months ago

@Dun-sin I don't think this issue should have the Easy label, as it is a bit complicated.

I think otherwise🤔

mathiasayivor commented 11 months ago

The goal is to somehow employ an end-to-end encryption, which means the server can never decrypt the messages. Storing the private keys on the server defeats that goal.

The goal is to ensure that the encryption keys stay with the users (the owners of the message) instead of the server. And each chat would have separate encryption key.

Dun-sin commented 11 months ago

The goal is to somehow employ an end-to-end encryption, which means the server can never decrypt the messages. Storing the private keys on the server defeats that goal.

The goal is to ensure that the encryption keys stay with the users (the owners of the message) instead of the server. And each chat would have separate encryption key.

I understand that; there's no misunderstanding here. The only "hard" thing I see is how to store the key, or rather where, but the implementation is easy in my logic.

Aryakoste commented 11 months ago

Hello @Dun-sin. I can work on this issue.

Dun-sin commented 11 months ago

Hello @Dun-sin. I can work on this issue.

Sure, explain back to me what the issue is telling you to do and how you plan to solve it

Aryakoste commented 11 months ago

Current status is that we use keys stored in a .env file locally to encrypt messages. We want to create a model where each chat session between two users would have its own unique generated key, and it should be accessible only to the sender of the message. We want to do this to keep messages private between users. So in short we have to do pure end-to-end encryption without storing keys on the server, like it is now in the .env file. So the server shouldn't have access to the keys or the message content. I plan on doing it like this: The sender will encrypt the message using a randomly generated symmetric key and an initialization vector (IV). Then, the sender will encrypt the symmetric key with the recipient's public key and send both the encrypted key and the IV + encrypted message to the server. The recipient can decrypt the symmetric key with their private key, then use the key and IV to decrypt the message. This will ensure end-to-end encryption without the server having access to the message content or the encryption keys.

Dun-sin commented 11 months ago

The sender will encrypt the message using a randomly generated symmetric key and an initialization vector (IV). Then, the sender will encrypt the symmetric key with the recipient's public key and send both the encrypted key and the IV + encrypted message to the server. The recipient can decrypt the symmetric key with their private key, then use the key and IV to decrypt the message. This will ensure end-to-end encryption without the server having access to the message content or the encryption keys.

okay, got it, assigned it to you, thanks for wanting to contribute. Follow the rules here, or your PR won't be accepted and will be closed. Good luck!

Dun-sin commented 11 months ago

@Aryakoste how's this going?

Aryakoste commented 11 months ago

Working on it. First I tried the Diffie-Hellman algorithm: I implemented the code by requesting the public key from the server, with the client sharing its public key so a shared key could be generated by the server. But I found out later that the client-side browser isn't supporting it. I tried using other libraries but found no success. Later I tried with an initialization vector using AES-GCM and converting hex to Uint8 using TextEncoder and TextDecoder to generate a shared key which will only be visible to the sender. I was able to encrypt and decrypt the sender's data with the shared key, but on the receiver side I wasn't able to. So I tried making a lot of changes related to exchanging keys without the server knowing what the key is, by encrypting the key too, but it wasn't working. Now I have found another method to achieve the algorithm I first tried, that is, the Diffie-Hellman algorithm. I think it will work. I have found that crypto-browserify will allow me to access Diffie-Hellman methods, so I will be able to generate a shared key and share it among the users. So I am gonna implement it and will let you know.

Dun-sin commented 11 months ago

Working on it. First I tried the Diffie-Hellman algorithm: I implemented the code by requesting the public key from the server, with the client sharing its public key so a shared key could be generated by the server. But I found out later that the client-side browser isn't supporting it. I tried using other libraries but found no success. Later I tried with an initialization vector using AES-GCM and converting hex to Uint8 using TextEncoder and TextDecoder to generate a shared key which will only be visible to the sender. I was able to encrypt and decrypt the sender's data with the shared key, but on the receiver side I wasn't able to. So I tried making a lot of changes related to exchanging keys without the server knowing what the key is, by encrypting the key too, but it wasn't working. Now I have found another method to achieve the algorithm I first tried, that is, the Diffie-Hellman algorithm. I think it will work. I have found that crypto-browserify will allow me to access Diffie-Hellman methods, so I will be able to generate a shared key and share it among the users. So I am gonna implement it and will let you know.

appreciate the update, thank you

Aryakoste commented 11 months ago

I have successfully been able to develop a proper algorithm for end-to-end encryption. I just need to properly embed it in the code. I first generated a key pair on the client side. As we can't export the public key directly, I had to convert it into a PEM-formatted string so it can be sent through socket.io (ArrayBuffer to PEM) and then export it. So I sent one user's public key to the other, and then I have to again do PEM to ArrayBuffer on the other side. I am using the RSA-OAEP algorithm for encryption and decryption with the SHA-256 hash. After encryption I have to convert it into a Uint8Array and then base64 so that it can be sent to the server / store the encrypted message in the database, and the same is done in reverse on the other side. I have tested encrypting and decryption of messages at opposite sides of chats (sender and receiver) and I am getting the correct messages. I just have some issues properly embedding it in the code, meaning the algorithm is working properly but when combined with the existing code it is giving some issues. When done I will let you know.

Dun-sin commented 11 months ago

I have successfully been able to develop a proper algorithm for end-to-end encryption. I just need to properly embed it in the code. I first generated a key pair on the client side. As we can't export the public key directly, I had to convert it into a PEM-formatted string so it can be sent through socket.io (ArrayBuffer to PEM) and then export it. So I sent one user's public key to the other, and then I have to again do PEM to ArrayBuffer on the other side. I am using the RSA-OAEP algorithm for encryption and decryption with the SHA-256 hash. After encryption I have to convert it into a Uint8Array and then base64 so that it can be sent to the server / store the encrypted message in the database, and the same is done in reverse on the other side. I have tested encrypting and decryption of messages at opposite sides of chats (sender and receiver) and I am getting the correct messages. I just have some issues properly embedding it in the code, meaning the algorithm is working properly but when combined with the existing code it is giving some issues. When done I will let you know.

you're good, looking forward to the final thing