DEV Community: Evgeny The latest articles on DEV Community by Evgeny (@vaazhen). https://dev.to/vaazhen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3904623%2F4d74b835-7ab5-449c-a25f-1064726b33df.jpg DEV Community: Evgeny https://dev.to/vaazhen en I Built an End-to-End Encrypted Messenger with Spring Boot and WebCrypto Evgeny Wed, 29 Apr 2026 15:59:14 +0000 https://dev.to/vaazhen/i-built-an-end-to-end-encrypted-messenger-with-spring-boot-and-webcrypto-1if5 https://dev.to/vaazhen/i-built-an-end-to-end-encrypted-messenger-with-spring-boot-and-webcrypto-1if5 <p>Most chat pet projects follow the same path: authentication, user search, a <code>messages</code> table, WebSocket delivery, and a React UI.</p> <p>That is a good way to learn realtime development, but it has one architectural problem:</p> <p><strong>the server knows everything.</strong></p> <p>It knows the message text.<br><br> It can read the history.<br><br> It can return the last message in a chat list.<br><br> It can log private conversations by accident.<br><br> It can expose message content through an admin panel, a SQL query, a bug, or a compromised backend.</p> <p>I wanted to build something different.</p> <p>Not just another WebSocket chat, but a messenger where the backend is not a trusted party.</p> <p>The rule was simple:</p> <blockquote> <p>the browser encrypts, the server routes, the database stores ciphertext.</p> </blockquote> <p>That project became <strong>Chaos Messenger</strong> — a full-stack end-to-end encrypted messenger built with Spring Boot 3, React, WebSocket/STOMP, PostgreSQL, Redis, and WebCrypto API.</p> <p>Repository: <a href="https://github.com/vaazhen/chaos-messenger" rel="noopener noreferrer">github.com/vaazhen/chaos-messenger</a></p> <p><strong>Tech stack:</strong> Spring Boot 3, React 18, WebCrypto API, PostgreSQL, Redis, WebSocket/STOMP, Prometheus, Grafana.</p> <h2> A short note about web-based E2EE </h2> <p>When I say that the server cannot read messages, I mean the backend, database, WebSocket layer, logs, and already stored ciphertext envelopes. They do not receive plaintext or private keys.</p> <p>But web-based E2EE has an important limitation: the frontend code itself is served by a server.</p> <p>In theory, a compromised server could ship modified JavaScript that steals keys or plaintext before encryption happens. This is not a problem specific to this project. It is a general limitation of browser-based encrypted applications.</p> <p>So the correct statement is:</p> <blockquote> <p>the backend does not receive message keys and cannot decrypt already transmitted or stored messages.</p> </blockquote> <p>Protecting against malicious client-code delivery is a separate security layer: signed builds, independent client verification, desktop/mobile apps, reproducible builds, and platform-level key storage.</p> <h2> Why the usual chat architecture is not enough </h2> <p>Most GitHub messenger projects have some variation of this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">message</span><span class="o">.</span><span class="na">setContent</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getText</span><span class="o">());</span> <span class="n">messageRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> </code></pre> </div> <p>This is easy to build and easy to reason about.</p> <p>But the server owns the message.</p> <p>If the database leaks, the conversation leaks.<br><br> If the backend is compromised, the conversation leaks.<br><br> If logging is misconfigured, the conversation leaks.<br><br> If an admin panel exposes the wrong field, the conversation leaks.</p> <p>End-to-end encryption changes the boundary.</p> <p>The message is encrypted on the sender's device before it is sent over the network. It is decrypted only on the recipient's device. The backend receives an opaque encrypted envelope and routes it to the right device.</p> <p>This is no longer a privacy policy promise like "we do not read your messages".</p> <p>It is an architectural restriction:</p> <blockquote> <p>if the server does not have the key, it cannot turn ciphertext back into plaintext.</p> </blockquote> <h2> The main idea: encrypted envelopes </h2> <p>In the database, the message itself looks intentionally boring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">messages</span><span class="p">.</span><span class="n">content</span> <span class="o">=</span> <span class="s1">'[encrypted]'</span> <span class="c1">-- the server does not know what is inside</span> <span class="n">message_envelopes</span><span class="p">.</span><span class="n">ciphertext</span> <span class="o">=</span> <span class="s1">'qzgHSg7zbwU6h8j8...'</span> <span class="c1">-- AES-GCM ciphertext</span> </code></pre> </div> <p>And this is what the backend returns when the chat list is requested:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"chatId"</span><span class="p">:</span><span class="w"> </span><span class="mi">32</span><span class="p">,</span><span class="w"> </span><span class="nl">"lastMessage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[encrypted]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lastMessageAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-28T22:27:35.537016"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Not <code>***</code>.<br><br> Not <code>[hidden]</code>.<br><br> Literally <code>[encrypted]</code>.</p> <p>Because the server has no other value to return.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiuad4m4wjerfl9dq6we6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiuad4m4wjerfl9dq6we6.png" alt=" " width="800" height="378"></a></p> <p>This design looks simple, but it forces you to rethink a lot of normal backend habits. I will return to this later when we get to the "last message preview" bug.</p> <h2> Where the keys come from: X3DH </h2> <p>The first real question is:</p> <blockquote> <p>how do Alice and Bob get a shared secret if they have never talked before?</p> </blockquote> <p>For that I used <strong>X3DH</strong> — Extended Triple Diffie-Hellman, a key agreement protocol from the Signal ecosystem.</p> <p>The server stores public key material for each device. The private parts stay on the client.</p> <h3> Device key bundle </h3> <p>When a device is registered, the browser creates a local key bundle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// crypto-engine.js — key generation during device registration</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">buildNewDeviceBundle</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">identity</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateX25519KeyPair</span><span class="p">();</span> <span class="c1">// long-term device key</span> <span class="kd">const</span> <span class="nx">signedPreKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateX25519KeyPair</span><span class="p">();</span> <span class="c1">// should be rotated periodically</span> <span class="kd">const</span> <span class="nx">oneTimePreKeys</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="mi">50</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">kp</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateX25519KeyPair</span><span class="p">();</span> <span class="nx">oneTimePreKeys</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">preKeyId</span><span class="p">:</span> <span class="mi">1000</span> <span class="o">+</span> <span class="nx">i</span><span class="p">,</span> <span class="na">publicKey</span><span class="p">:</span> <span class="k">await</span> <span class="nf">exportRawPublicKey</span><span class="p">(</span><span class="nx">kp</span><span class="p">.</span><span class="nx">publicKey</span><span class="p">),</span> <span class="na">privateKeyPkcs8</span><span class="p">:</span> <span class="k">await</span> <span class="nf">exportPkcs8PrivateKey</span><span class="p">(</span><span class="nx">kp</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">)</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>Only public keys are uploaded to the backend.</p> <p>Private keys remain local to the device and are never sent to the server.</p> <p>There is also an honest security tradeoff here: in the current version, private keys are serializable and stored locally by the web client. This is not the ideal model. It is vulnerable to XSS and malicious client-side JavaScript.</p> <p>For a browser project, the usual options are:</p> <ul> <li>serializable keys in local storage — simpler, but weaker against XSS;</li> <li>non-extractable WebCrypto keys with IndexedDB — better, but more complex;</li> <li>Android Keystore / iOS Secure Enclave — stronger, but requires native clients.</li> </ul> <p>The current implementation chooses the first option as a practical open-source project compromise. Moving to non-extractable keys is on the roadmap.</p> <h3> Session setup </h3> <p>When Alice wants to start a conversation with Bob, she fetches Bob's prekey bundle from the server and runs X3DH locally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// crypto-engine.js — X3DH from the initiator side</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createInitiatorSessionWrapped</span><span class="p">(</span><span class="nx">localBundle</span><span class="p">,</span> <span class="nx">targetDevice</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">identityPrivate</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">importPkcs8PrivateKey</span><span class="p">(</span><span class="nx">localBundle</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nx">privateKeyPkcs8</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ephemeral</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateX25519KeyPair</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">remoteIdentityPub</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">importRawPublicKey</span><span class="p">(</span><span class="nx">targetDevice</span><span class="p">.</span><span class="nx">identityPublicKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">remoteSignedPreKeyPub</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">importRawPublicKey</span><span class="p">(</span><span class="nx">targetDevice</span><span class="p">.</span><span class="nx">signedPreKey</span><span class="p">.</span><span class="nx">publicKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">dh1</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">derive32</span><span class="p">(</span><span class="nx">identityPrivate</span><span class="p">,</span> <span class="nx">remoteSignedPreKeyPub</span><span class="p">);</span> <span class="c1">// IK_alice · SPK_bob</span> <span class="kd">const</span> <span class="nx">dh2</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">derive32</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">,</span> <span class="nx">remoteIdentityPub</span><span class="p">);</span> <span class="c1">// EK_alice · IK_bob</span> <span class="kd">const</span> <span class="nx">dh3</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">derive32</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">,</span> <span class="nx">remoteSignedPreKeyPub</span><span class="p">);</span> <span class="c1">// EK_alice · SPK_bob</span> <span class="kd">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="p">[</span><span class="nx">dh1</span><span class="p">,</span> <span class="nx">dh2</span><span class="p">,</span> <span class="nx">dh3</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">remoteOneTimePub</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dh4</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">derive32</span><span class="p">(</span><span class="nx">ephemeral</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">,</span> <span class="nx">remoteOneTimePub</span><span class="p">);</span> <span class="c1">// EK_alice · OPK_bob</span> <span class="nx">parts</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">dh4</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">combined</span> <span class="o">=</span> <span class="nf">concat</span><span class="p">(...</span><span class="nx">parts</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">rootKey</span><span class="p">,</span> <span class="nx">chainKey</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">deriveRootAndChainKey</span><span class="p">(</span><span class="nx">combined</span><span class="p">);</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <p>Bob performs the corresponding operations with his private keys and gets the same shared material.</p> <p>The server only sees public keys. It cannot compute the shared secret from them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdi5lxsqukxbdebjcowh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdi5lxsqukxbdebjcowh.png" alt=" " width="800" height="280"></a></p> <h2> How every message gets its own key: Symmetric Ratchet </h2> <p>After the initial shared secret is established, every message is encrypted with a unique message key.</p> <p>The current implementation uses a symmetric ratchet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// crypto-engine.js — one ratchet step</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">ratchetStep</span><span class="p">(</span><span class="nx">chainKeyBytes</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span> <span class="dl">'</span><span class="s1">raw</span><span class="dl">'</span><span class="p">,</span> <span class="nx">chainKeyBytes</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HMAC</span><span class="dl">'</span><span class="p">,</span> <span class="na">hash</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SHA-256</span><span class="dl">'</span> <span class="p">},</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sign</span><span class="dl">'</span><span class="p">]</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">mkBits</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="dl">'</span><span class="s1">HMAC</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">([</span><span class="mh">0x01</span><span class="p">])</span> <span class="p">);</span> <span class="c1">// messageKey</span> <span class="kd">const</span> <span class="nx">ckBits</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="dl">'</span><span class="s1">HMAC</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">([</span><span class="mh">0x02</span><span class="p">])</span> <span class="p">);</span> <span class="c1">// nextChainKey</span> <span class="kd">const</span> <span class="nx">messageKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span> <span class="dl">'</span><span class="s1">raw</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">mkBits</span><span class="p">),</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES-GCM</span><span class="dl">'</span> <span class="p">},</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">encrypt</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">decrypt</span><span class="dl">'</span><span class="p">]</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">messageKey</span><span class="p">,</span> <span class="na">nextChainKey</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">ckBits</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Conceptually it looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chainKey₀ ──HMAC(·,0x02)──► chainKey₁ ──HMAC(·,0x02)──► chainKey₂ │ │ │ HMAC(·,0x01) HMAC(·,0x01) HMAC(·,0x01) ▼ ▼ ▼ messageKey₁ messageKey₂ messageKey₃ (AES-GCM msg #1) (AES-GCM msg #2) (AES-GCM msg #3) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcvl2xankx313ratywboy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcvl2xankx313ratywboy.png" alt=" " width="800" height="300"></a></p> <p>The <code>messageKey</code> encrypts exactly one message and is then discarded.</p> <p>If an attacker somehow compromises <code>messageKey₂</code>, they can decrypt only message #2. They cannot derive <code>chainKey₀</code> from it because HMAC is one-way.</p> <p>This is the encrypted envelope that goes to the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"envelope"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ciphertext"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qzgHSg7zbwU6h8j8RqCPUYBWHJLi78eR9C0tj9I="</span><span class="p">,</span><span class="w"> </span><span class="nl">"nonce"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6KPcVjbpM4FUB0Vz"</span><span class="p">,</span><span class="w"> </span><span class="nl">"senderIdentityPublicKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"B4pERe0xKmSdiQPR+kLWWmI0nloC8Za3RBTg+occHF0="</span><span class="p">,</span><span class="w"> </span><span class="nl">"targetDeviceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"device-2aa3ae0e-ee08-4261-aa09-7d8f800b61e9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"messageType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PREKEY_WHISPER"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F92021tg7z3pufhycjpvk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F92021tg7z3pufhycjpvk.png" alt=" " width="800" height="436"></a></p> <h2> Important limitation: this is not full Double Ratchet yet </h2> <p>This part matters.</p> <p>The current implementation has X3DH and a symmetric ratchet, but it does not yet implement the full Double Ratchet algorithm.</p> <p>In Signal's Double Ratchet, there is also a DH ratchet step. Both sides periodically perform a new Diffie-Hellman exchange and update the root key. That provides break-in recovery: even if some state is compromised, future DH ratchet steps can restore security once the attacker loses access.</p> <p>My current version does not have that yet.</p> <p>So the honest description is:</p> <blockquote> <p>X3DH session setup + symmetric message ratchet + AES-GCM encryption.</p> </blockquote> <p>Not full Signal Protocol. Not production-grade secure messaging. Not audited cryptography.</p> <p>The DH ratchet step is the first major item on the roadmap.</p> <h2> Multi-device delivery: one user, many envelopes </h2> <p>A normal messenger user may have a laptop, a phone, and maybe another browser session.</p> <p>In a non-E2EE system, the server could store the plaintext once and show it everywhere.</p> <p>In an E2EE system, the server cannot do that.</p> <p>If Bob has two devices, Alice must create a separate encrypted envelope for each target device. The server cannot decrypt one envelope and re-encrypt it for another device because it does not have the key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// crypto-engine.js — fanout to all target devices</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">buildFanoutRequest</span><span class="p">(</span><span class="nx">api</span><span class="p">,</span> <span class="nx">chatId</span><span class="p">,</span> <span class="nx">plainText</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">localBundle</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">ensureDeviceRegistered</span><span class="p">(</span><span class="nx">api</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">resolved</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">api</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/crypto/resolve-chat-devices/</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">chatId</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">envelopes</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">targetDevice</span> <span class="k">of</span> <span class="nx">resolved</span><span class="p">.</span><span class="nx">targetDevices</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">targetDevice</span><span class="p">.</span><span class="nx">deviceId</span> <span class="o">===</span> <span class="nx">localBundle</span><span class="p">.</span><span class="nx">deviceId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">encryptSelfEnvelope</span><span class="p">(</span><span class="nx">localBundle</span><span class="p">,</span> <span class="nx">plainText</span><span class="p">);</span> <span class="nx">envelopes</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="p">...</span><span class="nx">encrypted</span><span class="p">,</span> <span class="na">messageType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SELF_WHISPER</span><span class="dl">'</span> <span class="p">});</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">session</span> <span class="o">=</span> <span class="nf">getSession</span><span class="p">(</span><span class="nx">localBundle</span><span class="p">.</span><span class="nx">deviceId</span><span class="p">,</span> <span class="nx">targetDevice</span><span class="p">.</span><span class="nx">deviceId</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">ephemeralPublicKey</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">created</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createInitiatorSessionWrapped</span><span class="p">(</span><span class="nx">localBundle</span><span class="p">,</span> <span class="nx">targetDevice</span><span class="p">);</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">created</span><span class="p">.</span><span class="nx">session</span><span class="p">;</span> <span class="nx">ephemeralPublicKey</span> <span class="o">=</span> <span class="nx">created</span><span class="p">.</span><span class="nx">ephemeralPublicKey</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">encrypted</span><span class="p">,</span> <span class="nx">messageIndex</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">encryptWithRatchet</span><span class="p">(</span><span class="nx">session</span><span class="p">,</span> <span class="nx">plainText</span><span class="p">);</span> <span class="nf">storeSession</span><span class="p">(</span><span class="nx">localBundle</span><span class="p">.</span><span class="nx">deviceId</span><span class="p">,</span> <span class="nx">targetDevice</span><span class="p">.</span><span class="nx">deviceId</span><span class="p">,</span> <span class="nx">session</span><span class="p">);</span> <span class="nx">envelopes</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">targetDeviceId</span><span class="p">:</span> <span class="nx">targetDevice</span><span class="p">.</span><span class="nx">deviceId</span><span class="p">,</span> <span class="na">ciphertext</span><span class="p">:</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nx">ciphertext</span><span class="p">,</span> <span class="na">nonce</span><span class="p">:</span> <span class="nx">encrypted</span><span class="p">.</span><span class="nx">nonce</span><span class="p">,</span> <span class="nx">messageIndex</span><span class="p">,</span> <span class="nx">ephemeralPublicKey</span><span class="p">,</span> <span class="na">messageType</span><span class="p">:</span> <span class="nx">ephemeralPublicKey</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">PREKEY_WHISPER</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">WHISPER</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">chatId</span><span class="p">,</span> <span class="nx">envelopes</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>This is one of the places where E2EE directly affects backend design.</p> <p>The backend does not store "a message". It stores a logical message plus multiple device-specific envelopes.</p> <h2> Backend: storing and routing ciphertext </h2> <p>On the backend side, the message content is intentionally replaced with a placeholder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// MessageService.java</span> <span class="n">message</span><span class="o">.</span><span class="na">setContent</span><span class="o">(</span><span class="s">"[encrypted]"</span><span class="o">);</span> <span class="n">messageRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">MessageEnvelope</span><span class="o">&gt;</span> <span class="n">byDevice</span> <span class="o">=</span> <span class="n">persistEnvelopes</span><span class="o">(</span><span class="n">message</span><span class="o">,</span> <span class="n">sender</span><span class="o">,</span> <span class="n">request</span><span class="o">.</span><span class="na">getEnvelopes</span><span class="o">());</span> </code></pre> </div> <p>Then each envelope is delivered to a device-specific STOMP topic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// per-device delivery over WebSocket</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">fanoutCreatedEvent</span><span class="o">(</span> <span class="nc">Message</span> <span class="n">message</span><span class="o">,</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">MessageEnvelope</span><span class="o">&gt;</span> <span class="n">byDevice</span> <span class="o">)</span> <span class="o">{</span> <span class="n">byDevice</span><span class="o">.</span><span class="na">forEach</span><span class="o">((</span><span class="n">deviceId</span><span class="o">,</span> <span class="n">envelope</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">messagingTemplate</span><span class="o">.</span><span class="na">convertAndSend</span><span class="o">(</span> <span class="s">"/topic/devices/"</span> <span class="o">+</span> <span class="n">deviceId</span> <span class="o">+</span> <span class="s">"/chats/"</span> <span class="o">+</span> <span class="n">message</span><span class="o">.</span><span class="na">getChatId</span><span class="o">(),</span> <span class="n">toDeviceEvent</span><span class="o">(</span> <span class="s">"MESSAGE_CREATED"</span><span class="o">,</span> <span class="n">message</span><span class="o">,</span> <span class="n">envelope</span><span class="o">,</span> <span class="n">envelope</span><span class="o">.</span><span class="na">getTargetUserId</span><span class="o">()</span> <span class="o">)</span> <span class="o">)</span> <span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>The important part is the destination:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/topic/devices/{deviceId}/chats/{chatId} </code></pre> </div> <p>It is not a global chat broadcast. It is per-device routing.</p> <p>That distinction matters because the encrypted payload is different for every target device.</p> <h2> The whole architecture </h2> <p>At a high level, the system looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser ├── crypto-engine.js ← X3DH · Symmetric Ratchet · AES-GCM · WebCrypto ├── REST /api/* ← auth · chats · devices · prekeys └── WebSocket /ws ← per-device STOMP topics Spring Boot ├── auth/ ← phone OTP · email · JWT ├── crypto/ ← device registry · prekey bundles · envelope fanout ├── message/ ← encrypted envelopes · receipts · events └── infra/ws/ ← WebSocket · JWT auth · device routing PostgreSQL ← users · devices · messages([encrypted]) · envelopes(ciphertext) Redis ← refresh tokens · online presence · SMS rate limits Observability ← Actuator · Prometheus · Grafana </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhqcvycl6ktxy3ue7nqd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhqcvycl6ktxy3ue7nqd.png" alt=" " width="800" height="333"></a></p> <h2> The bug I did not notice immediately </h2> <p>There is a chat list in the UI, and every chat needs a preview of the last message.</p> <p>In a normal app, this is trivial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">select</span> <span class="n">content</span> <span class="k">from</span> <span class="n">messages</span> <span class="k">where</span> <span class="n">chat_id</span> <span class="o">=</span> <span class="o">?</span> <span class="k">order</span> <span class="k">by</span> <span class="n">created_at</span> <span class="k">desc</span> <span class="k">limit</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>So I implemented the backend query, opened the UI, and saw this in every chat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[encrypted] </code></pre> </div> <p>Of course.</p> <p>The server does not know what the last message says.</p> <p>I spent some time thinking about how to solve this on the backend. Then the obvious answer finally clicked:</p> <blockquote> <p>you cannot solve this on the backend because the backend does not have the key.</p> </blockquote> <p>The preview must be a client-side concern.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">previewCache</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">chatId</span><span class="p">,</span> <span class="nx">decryptedText</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">60</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">preview</span> <span class="o">=</span> <span class="nx">previewCache</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">chatId</span><span class="p">)</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">🔒 Encrypted</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>This was a useful mental shift.</p> <p>In a normal backend system, a message preview is a SQL problem.<br><br> In an E2EE system, a message preview is local decrypted client state.</p> <h2> Rate limiting: the boring security feature that matters </h2> <p>The endpoint <code>/api/auth/send-code</code> is dangerous if left unprotected.</p> <p>Without rate limiting, it becomes an SMS pumping endpoint.</p> <p>So I added Redis-based limits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kt">void</span> <span class="nf">checkAndIncrement</span><span class="o">(</span><span class="nc">String</span> <span class="n">phone</span><span class="o">)</span> <span class="o">{</span> <span class="n">checkLimit</span><span class="o">(</span> <span class="s">"sms:rate:short:"</span> <span class="o">+</span> <span class="n">phone</span><span class="o">,</span> <span class="mi">3</span><span class="o">,</span> <span class="nc">Duration</span><span class="o">.</span><span class="na">ofMinutes</span><span class="o">(</span><span class="mi">10</span><span class="o">)</span> <span class="o">);</span> <span class="n">checkLimit</span><span class="o">(</span> <span class="s">"sms:rate:day:"</span> <span class="o">+</span> <span class="n">phone</span><span class="o">,</span> <span class="mi">10</span><span class="o">,</span> <span class="nc">Duration</span><span class="o">.</span><span class="na">ofHours</span><span class="o">(</span><span class="mi">24</span><span class="o">)</span> <span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">checkLimit</span><span class="o">(</span><span class="nc">String</span> <span class="n">key</span><span class="o">,</span> <span class="kt">int</span> <span class="n">maxAttempts</span><span class="o">,</span> <span class="nc">Duration</span> <span class="n">window</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Long</span> <span class="n">count</span> <span class="o">=</span> <span class="n">redisTemplate</span><span class="o">.</span><span class="na">opsForValue</span><span class="o">().</span><span class="na">increment</span><span class="o">(</span><span class="n">key</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">count</span> <span class="o">==</span> <span class="mi">1</span><span class="o">)</span> <span class="o">{</span> <span class="n">redisTemplate</span><span class="o">.</span><span class="na">expire</span><span class="o">(</span><span class="n">key</span><span class="o">,</span> <span class="n">window</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">count</span> <span class="o">&gt;</span> <span class="n">maxAttempts</span><span class="o">)</span> <span class="o">{</span> <span class="kt">long</span> <span class="n">ttl</span> <span class="o">=</span> <span class="n">redisTemplate</span><span class="o">.</span><span class="na">getExpire</span><span class="o">(</span><span class="n">key</span><span class="o">,</span> <span class="nc">TimeUnit</span><span class="o">.</span><span class="na">SECONDS</span><span class="o">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">RateLimitException</span><span class="o">(</span><span class="s">"Too many requests"</span><span class="o">,</span> <span class="n">ttl</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>When the limit is exceeded, the backend returns HTTP <code>429</code> with a <code>Retry-After</code> header.</p> <p>This is not the most exciting part of the project, but it is exactly the kind of thing that separates a demo from a more realistic system.</p> <h2> WebSocket authentication </h2> <p>The WebSocket connection is authenticated with JWT during the STOMP <code>CONNECT</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// WebSocketAuthChannelInterceptor.java</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Message</span><span class="o">&lt;?&gt;</span> <span class="n">preSend</span><span class="o">(</span><span class="nc">Message</span><span class="o">&lt;?&gt;</span> <span class="n">message</span><span class="o">,</span> <span class="nc">MessageChannel</span> <span class="n">channel</span><span class="o">)</span> <span class="o">{</span> <span class="nc">StompHeaderAccessor</span> <span class="n">accessor</span> <span class="o">=</span> <span class="nc">StompHeaderAccessor</span><span class="o">.</span><span class="na">wrap</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="nc">StompCommand</span><span class="o">.</span><span class="na">CONNECT</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">accessor</span><span class="o">.</span><span class="na">getCommand</span><span class="o">()))</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="n">accessor</span><span class="o">.</span><span class="na">getFirstNativeHeader</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">||</span> <span class="o">!</span><span class="n">token</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"Bearer "</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">AuthException</span><span class="o">(</span><span class="s">"Missing WebSocket auth token"</span><span class="o">);</span> <span class="o">}</span> <span class="nc">Authentication</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">jwtAuthProvider</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="mi">7</span><span class="o">));</span> <span class="n">accessor</span><span class="o">.</span><span class="na">setUser</span><span class="o">(</span><span class="n">auth</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">message</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>JWT alone is not enough, though.</p> <p>For this architecture, the server must also validate the device identity. A client should not be able to subscribe as any arbitrary <code>deviceId</code>.</p> <p>Otherwise per-device encryption would degrade into a routing illusion.</p> <p>The device must be registered and must belong to the authenticated user.</p> <h2> What I built </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8dxwpl7g89yetdm6712.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8dxwpl7g89yetdm6712.png" alt=" " width="800" height="350"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhnaj7ivejfpuh9rkenj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhnaj7ivejfpuh9rkenj.png" alt=" " width="800" height="267"></a></p> <p>Current features:</p> <ul> <li>X3DH-based session setup;</li> <li>symmetric ratchet with AES-GCM message encryption;</li> <li>encrypted per-device envelopes;</li> <li>multi-device delivery;</li> <li>direct and group chats;</li> <li>WebSocket/STOMP realtime messaging;</li> <li>typing indicators;</li> <li>online presence;</li> <li>read receipts;</li> <li>message editing;</li> <li>soft deletion;</li> <li>photo attachments;</li> <li>phone OTP and email/password authentication;</li> <li>JWT access/refresh tokens;</li> <li>Redis-based SMS rate limiting;</li> <li>PostgreSQL + Flyway migrations;</li> <li>Prometheus + Grafana observability;</li> <li>backend tests with Testcontainers;</li> <li>frontend tests with Vitest;</li> <li>GitHub Actions CI.</li> </ul> <p>What is intentionally still on the roadmap:</p> <ul> <li>full Double Ratchet with DH ratchet step;</li> <li>non-extractable client keys;</li> <li>Android client with Android Keystore;</li> <li>real SMS provider integration;</li> <li>push notifications;</li> <li>encrypted voice messages;</li> <li>encrypted media storage;</li> <li>WebRTC calls.</li> </ul> <h2> The main lesson </h2> <p>The main lesson from this project is simple:</p> <blockquote> <p>E2EE is an architecture decision, not a library.</p> </blockquote> <p>You cannot take a normal Spring Boot chat and just "turn encryption on".</p> <p>If the backend is not supposed to be trusted, that decision affects everything:</p> <ul> <li>database schema;</li> <li>API shape;</li> <li>WebSocket topics;</li> <li>multi-device delivery;</li> <li>message previews;</li> <li>logs;</li> <li>file attachments;</li> <li>device management;</li> <li>frontend state;</li> <li>threat model.</li> </ul> <p>A messenger is not just "a chat with WebSocket".</p> <p>In an E2EE model, it is a system for delivering encrypted envelopes to specific devices.</p> <p>Once that idea becomes clear, many strange-looking implementation decisions start to make sense.</p> <h2> Repository </h2> <p>The project is open source:</p> <p><a href="https://github.com/vaazhen/chaos-messenger" rel="noopener noreferrer">github.com/vaazhen/chaos-messenger</a></p> <p>The repository includes English and Russian README files, diagrams, screenshots, security audit notes, Docker Compose setup, and one-command local startup.</p> <p>I would be especially interested in feedback on:</p> <ul> <li>prekey rotation;</li> <li>non-extractable WebCrypto keys;</li> <li>browser-based E2EE limitations;</li> <li>DH ratchet implementation;</li> <li>encrypted media design;</li> <li>multi-device state synchronization.</li> </ul> privacy java react opensource