The Problem of Data Security
Data privacy could not exist without encryption. For example, TLS (HTTPS), secures traffic between client and server. Once your data reaches the server, the server can read it. But what if you don't want the server to be able to read your data?
Enter End-to-End Encryption (E2EE)
End-to-end-encryption goes a step further than TLS by making it impossible for a server to read your data. A popular example of this are password managers such as LastPass or BitWarden, which secure your data with a master password that only you know, and thus, the password management company can never access the passwords you've stored. Other examples are the Signal secure messaging app, which ensures that only sender and recipient can view messages, and Proton Mail, which encrypts email body content when sending to another Proton Mail user.
The Right to Privacy
Ensuring that your data is encrypted on the server protects you not only from data breaches - it also protects your privacy. And privacy is linked to freedom:
"Privacy is the right to a free mind," Snowden said. "Without privacy, you can't have anything for yourself. Saying you don't care about privacy because you have nothing to hide is like saying you don't care about free speech because you have nothing to say."
- Edward Snowden
Making writing E2EE apps more convenient
As of the start of this project, there weren't any free javascript libraries that make it easy to set up authentication and encryption for an app that uses E2EE. For this, I created:
The browser library contains the majority of the functionality, as most of the encryption action in an app using E2EE happens on the client side. The node library contains a couple of utilities to facilitate the authentication process. Both libraries depend on @cyphercider/e2ee-appkit-shared-models, which contains type definitions.
Functionality includes:
- Generation of keys (asymmetric signing, asymmetric encrypting, and symmetric ecrypting)
- Encryption and decryption of content with asymmetric and symmetric keys
- Signing and verification of signatures
- Encryption and decryption of strings (including serialized keys) with a password by deriving a key from the password using PBKDF2. This is important for storing encrypted keys on the server and decrypting them in the browser using the user's password.
- Managing key storage in the browser using, powered by
session-keystore
- User signup and login functions, calling backend APIs for obtaining and submitting signing challenges
- Session token (jwt) storage and decoding
For usage, see the README of each library.
Go here for the code base.
Happy E2EE!
Top comments (0)