-
Notifications
You must be signed in to change notification settings - Fork 7
Phase IV: Key Handshake
Code outlining the encryption/decryption process can be found at this link.
The security libraries used are CryptoJS and Kbpgp.
The App Uses PGP to generated public/private key pairs for the users. On Message send, two psuedo-random strings are generated and hashed with SHA256 two create two unique AES Keys. The first AES key is used to encrypt the plain text message. Then the encrypted plain text (cipher text), is hashed with HMACSHA256 to obtain a tag, which is then encrypted by the second AES key. This encrypted tag and cipher text are concatenated into a JSON object. The two AES keys used to encrypt the tag and message are concatenated into a JSON Object and is then encrypted using the receiving user's public PGP key. The two JSON objects are then stored on the server. Once the receiver receives the encrypted JSON, the reverse process happens, using the receiver's private PGP key, to decrypt and obtain the original plain text.
Since the app is end-to-end encrypted, private PGP keys do not leave the server. Only public PGP keys are stored on the server.
Both Public and Private pgp keys are stored on clients, and verified against keys that come from the server. Warnings appear if any key has not yet been verified:
Kumin In, Aaron Turner. CECS 478. 2016