What is end-to-end encryption? How to apply it?


7

According to everything I researched and with the help of @Maniero I came to the conclusion:

"End-to-end encryption is done when only the endpoints have access to the key that will decrypt the content, i.e. the data can even pass through or stay on the server, but it should be there in encrypted form so that it is unreadable, null data to others".

Honestly, I find this amazing and I am very excited to adapt my application to this kind of encryption. At the moment I use an internal global key to encrypt the data in my database with the AES-128 ECB algorithm.

I will not be able to adapt my entire project to this type of encryption, because otherwise a good part of it would be dismembered; "search for users" would be practically impossible to accomplish... Anyway, that is not the focus of the question, I just got carried away.

I have a chat where at the moment all of its data is stored encrypted in the database, and I would like to adapt it to end-to-end. Taking into account that for this a key should be created for each endpoint (the user receiving and the user sending), my three questions are:

  • Are there specifications for creating these keys?
  • How will I inform the user at the other end of my key so that they can decrypt the messages I send?
  • My biggest question is: what means of communication can I use between users? WebSockets?

  • I believe that you are talking about RSA, but both AES and RSA have different purposes and have their respective positive and negative points. Generally speaking, RSA is only interesting when the intent is to share confidential information with third parties through an unsecured channel. The ideal would be to do the encryption with AES (because it is faster) and to agree on the AES key using RSA (public key).

  • @tobymosque Interesting what you said, could you tell me more? PHP usage.

  • I don’t have know-how in PHP, but I can tell you that an HTTPS connection uses SSL, and SSL uses RSA, so you could send your keys via a secure link (HTTPS) and the encrypted file via an unsecured link (HTTP), but in this case it is interesting to use a different key/IV for each transmission.

2 answers

2

Regarding your question:

How will I inform the user at the other end of my key so that they can decrypt the messages I send?

My suggestion number 1 would be to create the public and private keys at the time the user is created. Let your server handle the public key distribution. For example: user A will chat with user B. Then your server will leave the public key of A in B's session and the public key of B in A's session. So B could decrypt what comes from A and vice versa.

My suggestion 2 would be much easier, taking into account that you already have a server taking care of everything: only the server would have a private key, and each user would have the server’s public key. So the user would send the encrypted message to the server using the server’s public key, and the server would decrypt it using its private key. The idea is that only users would be able to understand what the server "says". If someone tried a "man-in-the-middle", he would not have access to the message.

And, to complete this more specifically, use a web server to act as the intermediary. I believe that 100% of them are able to handle things related to cryptography. Some are simpler to configure and others more complex. Will you just play with crypto (academic) or is it something for work? These are some things to take into consideration.

  • It is academic, and in the future for work. Note that in this area of security everything and everyone can be suspect; MITM can be performed on the server side, and then the end-to-end is invalid. Thanks for the help!

1

I advise you to do a search on key agreement. The simplest example is Diffie-Hellman.

I don’t advise public key encryption like RSA with every user having a public and private key, because it would be a large, unnecessary overhead. Nor RSA with everyone encrypting with a server public key, since in this case the server could open all user messages, which from the security point of view is not very cool.

For your case, Diffie-Hellman handles it easily. All the more since it is for study: understanding protocols like Diffie-Hellman is essential in cryptography.

  • Hi, note that I ended up opting for both options: the user establishes a secure connection (with the server) using RSA to exchange parameters, and then it switches to AES using a key created via DH. To exchange data between users I opted for RSA with public/private keys, because I don’t have much choice anyway.

  • OK. That is a better option. I would prefer to use ECC for these things; it is lighter and the keys are smaller, but if there is no other option, RSA serves.
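
The key agreement recommended in the answer above, as an added example that is not part of the original thread: two chat endpoints derive the same AES key with Diffie-Hellman while the relaying server only handles public keys and ciphertext, and a key fingerprint lets the users detect the server-side MITM raised in the comments. It assumes Node.js and its built-in `crypto` module, uses X25519 (elliptic-curve Diffie-Hellman) with HKDF and AES-256-GCM as choices made here, and the function names, user names and the `chat-e2e-demo` label are hypothetical.

```javascript
// Added example, not code from the thread. Names and the HKDF label are constructed.
const crypto = require('node:crypto');

// Each endpoint creates its own X25519 key pair; only the public half is sent to the server.
function newEndpoint(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { name, privateKey, publicKey: publicKey.export({ type: 'spki', format: 'der' }) };
}

// Diffie-Hellman: own private key + peer public key give both sides the same secret.
function sessionKey(self, peerPublicDer) {
  const peer = crypto.createPublicKey({ key: peerPublicDer, type: 'spki', format: 'der' });
  const secret = crypto.diffieHellman({ privateKey: self.privateKey, publicKey: peer });
  // HKDF turns the raw shared secret into a 32-byte AES key.
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'chat-e2e-demo', 32));
}

// AES-256-GCM with a fresh random nonce per message; the sender name is authenticated as AAD.
function seal(key, sender, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(sender));
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return { sender, iv, ct, tag: cipher.getAuthTag() }; // this object is all the server stores
}

// Throws if the ciphertext, nonce, tag or sender name was altered in transit or at rest.
function unseal(key, msg) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAAD(Buffer.from(msg.sender));
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]).toString('utf8');
}

// Short fingerprint of both public keys, compared by the users outside the server's channel.
// If the server substituted a key while relaying, the two sides compute different values.
function fingerprint(myPublicDer, peerPublicDer) {
  const pair = [myPublicDer, peerPublicDer].sort(Buffer.compare);
  return crypto.createHash('sha256').update(Buffer.concat(pair)).digest('hex').slice(0, 16);
}

// Demo run with constructed users and message.
const alice = newEndpoint('alice'), bob = newEndpoint('bob');
const stored = seal(sessionKey(alice, bob.publicKey), 'alice', 'hi bob');
console.log(unseal(sessionKey(bob, alice.publicKey), stored), fingerprint(alice.publicKey, bob.publicKey));
```

The fingerprint comparison only helps if it happens over a channel the server does not control, such as reading it aloud or scanning a code in person.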
