Login/Register
How to build a highly secure End to End Encryption React Native messaging app
Asked Answered
encryptiondiffie-hellmannode.jswebsocketend-to-end-encryption
V

1

11

I am currently working on an instant React Native messaging app and I want to implement E2EE (End to End Encryption between the sender and the receiver) for better security. The libraries/frameworks I use are NodeJS for the backend, Socket.io for real-time communication, MongoDB for data management and obviously React Native for the frontend.

At this point, I am able to send messages back and forth from sender to the server and back to the receiver but the server can actually read the messages which are quite annoying because I want to save the messages (encrypted) in my database and retrieve them for the user to see his history.

Recently I found that the Diffie-Hellman key-exchange was a good solution to generate a shared secret key on each endpoint device but I don't know how to implement it in my app.

I also found that big messaging app (like WhatsApp, Facebook Messenger, Signal,... ) uses the Signal Protocol which is based on an X3DH (Extended Triple Diffie-Hellman) and I was wondering if it is possible to implement such a good thing in my RN app. But the problem is that even after reading the Signal Protocol's documentation I could not figure out how to implement it.

In conclusion, my question is how can I implement the Signal Protocol in my RN app and uses Socket.io to send and receive encrypted messages? And if for some reason this is not possible, how can I implement the Diffie-Hellman key-exchange on my own?

Thanks to anyone who can help me!

Vermilion answered 5/1, 2021 at 14:53 Comment(7)
Thank you guys, I am going to move this question to stackoverflow and hope someone can help me! Have a nice dayVermilion
Related: security.stackexchange.com/questions/238011/…Vancevancleave
Signal Protocol library for JavaScript. Messages that are encrypted by Signal Protocol cannot be restored from server because message key is deleted by the client when the message is received by the recipient. For server side history, let client uploads chat backup encrypted with a key derived from user's password. Use some crypto javascript library to encrypt chat backup before upload.Approve
@Approve Thank you for your answer but I am not sure if I fully understand what you meant. When the client side encrypts the message and send it to the server, I don't know how to store it in the database and retrieve all messages when I need to. "Let the client uploads chat backup encrypted with a key derived from user's password" how do you actually do that? Is that coming from the Signal Protocol library?Vermilion
@Vermilion Make a backup image of chats after every 24 hours, encrypt it using a key derived from user's password and upload it to the server. In E2EE, keys are frequently deleted and regenerated and static keys should be avoided. So the only way is to let client uploads its chats after encrypting them with a key which can be known only to the user.Approve
So if I understand correctly, the user encrypts his message (client-side) and send it to the server so it can be sent to the recipient. After 24 hours all messages sent are backed up and stored in the database with a key derived from user's password. Does that mean all messages are saved client-side during these 24 hours? And also how do you decrypt messages if the user changes his password?Vermilion
@Vermilion See how Signal does it.Approve
H
0

I believe you have already solved your problem by now. I would love to know how you did it.

I haven't implemented any apps with E2E security but here are some of the things I would have done

I would try messaging protocols that support E2EE like Signal Protocol, OTR protocol, and PGP. Based on the protocol I chose, I would encrypt and decrypt the data

Other than that, I would also take care of the authentication, storage security, and other required security measures.

Hermineherminia answered 2/3, 2023 at 6:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.