What is end-to-end encryption? How to apply it?

Question

What is end-to-end encryption? How to apply it?

Navigation

#1 by (1 votes)
#2 by (0 votes)

6

According to everything I researched and with the help of @bigown I came to the conclusion:

"End-to-end encryption is done when only the connection's points have access to the key that will decrypt the content, that is, the data can UP or DOWN on the server, but they should be there in an encrypted way in such a way that they are illegible and null data for the others. "

I honestly think this is incredible and I'm very excited to adapt my application to this type of encryption, I currently use an internal global key to encrypt the data in my database using the AES-128 ECB algorithm .

I will not be able to adapt my entire project to this type of encryption because if not a good part of it would be dismantled, "searching for users" would be practically impossible to do ... anyway it's not the focus of the question, p>

I have a chat where at the moment all your data is encrypted in the database and I would like to adapt it to the end-to-end . Given that a key must be created for each point (user to receive and send), my three questions are:

Is there a specification for creating these keys?
How will I tell the user at the other end of my key to decrypt my messages that I will send?
My biggest question is: What kind of communication can I use between websockets users?

criptografia aes

asked by anonymous 06.02.2015 / 23:07

2 answers

How do I deploy using Grunt? Enter Password to continue

score 1 · Answer 1

About your question:

How do I inform the user at the other end of my key to him to decrypt my messages that I will send?

My number 1 suggestion would be to have the creation of the public and private keys at the time of the user's creation. Let your server take care of public key distribution. For example: User A will talk to user B. Then your server will let the public key of A in the session of B and the public key of B in the session of A. Thus, B could decrypt what comes from A and vice versa.

My suggestion 2 would be a lot easier, considering that you already have a server taking care of everything ... would be to have only the server have a private key and each user would have the public key of the server. So the user would send the encrypted message to the server using the public key of the server and the server would encrypt it using his private key. The idea is that only users would be able to understand what the server "says". If someone tried a man-in-the-middle, he would not have access to the message.

And completing more specifically, use a web server to do the middle field. I believe that 100% of them are capable of dealing with things related to encryption. Some are simpler to set up and others are more complex. Are you just playing with crypto (academic) or is it something to work with? That's a few things to keep in mind.

score 0 · Answer 2

I advise you to search for a key agreement. The simplest example is Diffie-hellman.

I do not advise you to encrypt public key as RSA with each user having a private and public key because that would be an unnecessary big overhead. Nor would you use RSA with everyone encrypting with a public key from the server, since in that case the server could open all the users' messages, which from a security point of view is not very legal.

Pro your account case Diffie-helman quietly. Even more being for study, understanding protocols like Diffie-helman are essential in cryptography.