Is End-to-end encryption possible in Javascript?

Dominique picture Dominique · Feb 15, 2015 · Viewed 13.9k times · Source

I'm currently researching the possibilities for creating a (peer2peer) messaging client in terms of encryption thus security. This application will be based on web technologies (if possible).

My questions are: is end-to-end encryption possible with only javascript (client & node.js/peer.js)? If yes: is it correct to look into the HMAC (RSA) kind of encryption techniques? I already tried to understand a bit how these libraries work but I have no luck so far :)

lib's I find interesting but i don't (completely) understand and know how to implement (in this use-case):

I can try to elaborate more if needed.

UPDATE: The application is going to be a mobile application. The use of web technologies is a bit proof-of-concept.

Answer

Maarten Bodewes picture Maarten Bodewes · Feb 15, 2015

You are currently looking at security implementations. If you don't understand the security model & cryptography behind these libraries, your solution will - to a high certainty - not be secure.

Artjom is correct in indicating that for peer to peer encryption you most likely need authentication of both parties. That is not provided by normal SSL/TLS, you'll need client authentication. But for client and server authentication you need to have established trust. On normal browsers this is provided by the internal certificate store. It is however much trickier to trust the clients.

All the other stuff (like how RSA is not a HMAC) are implementation details. You should however not be implementing anything related to security right now. First focus on your use case, threat scenario and protocol design.