search

PradyumnaKrishna / enigma-protocol

An end to end encrypted messenger using Flask, SocketIO, and Vue.js
https://protocol.onpy.in
MIT License
20 stars 34 forks source link

User can send messages on behalf of other user due to unsigned messages #2

Open PradyumnaKrishna opened 2 years ago

muskan119 commented 1 year ago

Pls assign me this issue

AishwaryaSatpute1 commented 11 months ago

I can implement message authentication mechanisms to ensure the authenticity and integrity of the messages and User can send messages on behalf of other user due to unsigned messages bug, You will be if you please assign me this issue under GSSOC 2023!

PradyumnaKrishna commented 11 months ago

I can implement message authentication mechanisms to ensure the authenticity and integrity of the messages and User can send messages on behalf of other user due to unsigned messages bug, You will be if you please assign me this issue under GSSOC 2023!

Can you please provide me a pseudo algorithm that you will implement to fix this.

AishwaryaSatpute1 commented 11 months ago

here's a pseudo code that combines Vue.js, Python, and a backend API implemented in Go:

Frontend (Vue.js):

javascript

// Vue component for sending messages on behalf of another user
<template>
  <div>
    <!-- Form to input the necessary information -->
    <input v-model="sender" placeholder="Your username">
    <input v-model="authenticationInfo" placeholder="Authentication info">
    <input v-model="userToBeSent" placeholder="User to send the message">
    <textarea v-model="messageContent" placeholder="Message content"></textarea>

    <button @click="sendMessage">Send Message</button>
  </div>
</template>

<script>
export default {
  data() {
    return {
      sender: '',
      authenticationInfo: '',
      userToBeSent: '',
      messageContent: '',
    };
  },
  methods: {
    sendMessage() {
      // Make an API call to the backend with the necessary data
      axios.post('/send-message', {
        sender: this.sender,
        authenticationInfo: this.authenticationInfo,
        userToBeSent: this.userToBeSent,
        messageContent: this.messageContent,
      })
      .then(response => {
        // Handle successful response
        console.log('Message sent successfully!');
      })
      .catch(error => {
        // Handle error response
        console.error('Error sending message:', error);
      });
    },
  },
};
</script>

**Backend API (Go):

go**

package main

import (
    "fmt"
    "net/http"
)

func sendMessageHandler(w http.ResponseWriter, r *http.Request) {
    // Parse the request data
    sender := r.FormValue("sender")
    authenticationInfo := r.FormValue("authenticationInfo")
    userToBeSent := r.FormValue("userToBeSent")
    messageContent := r.FormValue("messageContent")

    // Verify sender's authentication and authorization
    if verifySender(sender, authenticationInfo, userToBeSent) {
        // Send the message or perform any necessary actions
        fmt.Printf("Sending message from %s to %s: %s\n", sender, userToBeSent, messageContent)

        // Return a success response
        w.WriteHeader(http.StatusOK)
        w.Write([]byte("Message sent successfully"))
    } else {
        // Return an unauthorized response
        w.WriteHeader(http.StatusUnauthorized)
        w.Write([]byte("Unauthorized sender"))
    }
}

func verifySender(sender string, authenticationInfo string, userToBeSent string) bool {
    // Implement your authentication and authorization logic here
    // Verify the sender's authentication information and their authorization to send messages on behalf of the specified user
    // Return true if verified and authorized, otherwise false
}

func main() {
    // Set up the HTTP server and routes
    http.HandleFunc("/send-message", sendMessageHandler)

    // Start the server
    http.ListenAndServe(":8080", nil)
}

Please note I will need to adapt it to your specific use case and architecture. Additionally, I can implement the verifySender function in the backend to perform the necessary authentication and authorization checks.

PradyumnaKrishna commented 11 months ago

Thanks @AishwaryaSatpute1, but this doesn't looks like a correct approach to solve this problem. The server shouldn't involve in verifying the message authenticity. What I suggest is image

Before working on this, I am looking to create a PROTOCOL.md that contains a solid foundation of encryption/ decryption algorithm, the json envelope that will be sent or received, encryptions algorithms key digest and all.

Would you like to work on writing the algorithm? Current algorithm is simple and we are modifying it to support large text messages (Look at #20 and #34).

AishwaryaSatpute1 commented 11 months ago

Thank you for providing feedback on my approach. I appreciate your input and the time you took to review it. I am trying to understand your approach and its efficiency. After carefully analyzing the problem, I have taken a close look at #20 and #34. I now have a clear understanding of your approach towards creating a PROTOCOL.md that encompasses a robust foundation of encryption/decryption algorithms, the JSON envelope for transmission, encryption algorithm key digests, and more.

As a student of cybersecurity, I am genuinely excited to explore and build upon the current algorithm. I am particularly interested in modifying it to support large text messages. Therefore, I kindly request you to assign the issue to me under GSSOC 2023. Rest assured, I will start working on it as soon as possible and dedicate my efforts to its successful completion.

Thank you once again for the opportunity, and I look forward to contributing to the project.

PradyumnaKrishna commented 11 months ago

Sorry @AishwaryaSatpute1, But the large text message support has been added. I will assign the issue to write the PROTOCOL.md file. Just look at the current algorithm, data structure and whatever you think is relevant and try to document it. I will review it and have a chat with you regarding regarding new algorithm or protocol.

AishwaryaSatpute1 commented 11 months ago

Protocol

The protocol for the algorithm you described, which involves generating a random symmetric key, encrypting the message with the symmetric key, and encrypting the symmetric key with the recipient's public key, can be summarized as follows:

Sender:

Generate a random symmetric key.
Encrypt the message using the symmetric key and an encryption algorithm such as AES.
Encrypt the symmetric key using the recipient's public key and an encryption algorithm such as RSA.
Send the encrypted message, the encrypted symmetric key, and any necessary parameters (e.g., initialization vector) to the receiver.

Receiver:

Use the receiver's private key to decrypt the encrypted symmetric key, obtaining the original symmetric key.
Decrypt the message using the decrypted symmetric key and the corresponding decryption algorithm (e.g., AES).
Process and utilize the decrypted message as needed.

To summarize the protocol:

Sender generates a random symmetric key.
Sender encrypts the message with the symmetric key.
Sender encrypts the symmetric key with the recipient's public key.
Sender sends the encrypted message, encrypted symmetric key, and any necessary parameters.
Receiver decrypts the symmetric key using their private key.
Receiver decrypts the message using the decrypted symmetric key.
Receiver processes the decrypted message.

Note that this protocol assumes a secure method of exchanging public keys and ensuring the authenticity of the recipient's public key to prevent unauthorized access to the symmetric key. Additionally, proper key management and secure transmission of the encrypted message and encrypted symmetric key should be considered for a secure implementation.

PradyumnaKrishna commented 11 months ago

Thanks @AishwaryaSatpute1 for detailing the current protocol. Give me a week, I will provide an update for this issue.