SecretChat

In these months, I attended  course of Computability and Complexity, ending with some concepts of cryptography.

It’s been really interesting, so I wanted to experiment something about it.

I created a little web page using Angular.JS¬†and just a little PHP, to implement some kind of “secure chat”, which uses a given passphrase to encrypt every message directly on the client, and then stores the messages in an online database. This chat can host multiple users with the same passphrase, which will be able to see each other messages, doing all the encryption/decription on the client side.

This means that all the traffic going through the internet has already been encrypted, so everything is stored in the database must be decrypted with the key to be read. In theory, even accessing to the database wouldn’t give any information about the messages sent through the chat.

I really don’t know exactly how commercial messaging systems do work, but I always suspected that if the provider of the service wanted to, it would be able to read the messages going through its servers, because the ‘secure’ connection (if any) is established between the server and the clients, and not between the very two endpoints of the communication.

In the system I implemented, instead, the server makes only the ‘buffering’ of the data, it never gets in touch with the encryption keys, so that it can’t read the messages it saves to the database.

I don’t really believe commercial systems work exactly that way, but the doubt was enough to get me developing this little project :)

The software uses the encryption standard AES, implemented in javascript with Crypto-JS.

The AES encryption is a simmetric key encryption, which means that every user share a secret key and then use it to encrypt the data sent through an unsecure channel.

Here’s the link to the chat, if you want to be sure i’m not reading your messages in the database, you should inspect the javascript of the page, understanding that the encryption is made with your passphrase, in the client side of the application. This should be enough to understand I can’t read anything without the key.

Here’s the (still in development) link.