Score:2

Combining ECC and AES for a Web Chat system


I am working on a portable secure chat via desktop or mobile, which adopts OTP plus asymmetric encryption. The idea goes like this:

Suppose that Alice and Bob are clients, and the server is run by Steve. Steve generates the server private/public key pair, while Alice and Bob generate their client key pairs. For each message, the client generates a random AES key for encrypting that specific message, that is then encrypted with the server's public key. The client also signs the message with its private key as well. The server decrypts such a message, encrypts it with the public key of every online client, and broadcasts it to them.

Is there any problem with CPU load on the server or client, or problem with security breaches happening during message transfer, or is this idea just useless and needs to be scrapped? The ECC keypair would be 521 bits, while the AES key would be 256 bits.

Eugene Styer
Any particular reason for not using TLS (which does much of the same thing)?
Red Sun
@EugeneStyer I want this chat application to run on a port other than 443 or 8080, therefore TLS might be unusable.
Eugene Styer
Port 443 is used for HTTPS (which uses TLS), but TLS itself is not limited to those ports. You can specify the port # to be used when you create the TLS/SSL socket.
Paul Uszak
What use were you going to make of OTPs?
Red Sun
@PaulUszak I am going to encrypt each message with a different random AES key. That's what I mean by OTP.
Score:1

I refer to your own answer.

using TLS is good enough

Is there any problem with ...snip... security breaches happening during message transfer,

Well yes, there is a problem. Have you understood the implication of @forest's cryptic comment? E2E = end to end. À la Signal.

With TLS, client/server messaging will be encrypted, but the messages will be plaintext as they pass through the server. That means anyone with physical/judicial access to the server will be able to read all the messages. And initiate Man in the Middle attacks. Read about all the troubles with Blackberry phones.

It's all about what you want to achieve, and some of that can be troublesome.
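
The relay flow from the question next to a direct client-to-client message, as an added example that is not code from this thread. It assumes Node.js's built-in crypto module; because EC keys cannot encrypt data directly, each message's AES-256-GCM key is derived from a fresh ephemeral ECDH exchange plus HKDF instead of being generated and wrapped, and all function names are hypothetical.

```javascript
// Added example, not code from the thread. Assumption: EC keys cannot encrypt
// directly, so each message's AES-256-GCM key comes from ephemeral ECDH + HKDF.
const crypto = require("node:crypto");
const newKeyPair = () => crypto.generateKeyPairSync("ec", { namedCurve: "secp521r1" });
const deriveKey = (priv, pub) => Buffer.from(crypto.hkdfSync("sha256",
  crypto.diffieHellman({ privateKey: priv, publicKey: pub }), Buffer.alloc(0), "chat-msg", 32));

function seal(recipientPub, senderPriv, plaintext) {
  const eph = newKeyPair(); // new key pair per message => new AES key per message
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", deriveKey(eph.privateKey, recipientPub), iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  const tag = c.getAuthTag();
  const sig = crypto.sign("sha512", Buffer.concat([iv, ct, tag]), senderPriv); // ECDSA
  return { ephPub: eph.publicKey, iv, ct, tag, sig };
}

function open(recipientPriv, senderPub, m) {
  if (!crypto.verify("sha512", Buffer.concat([m.iv, m.ct, m.tag]), senderPub, m.sig))
    throw new Error("bad signature");
  const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(recipientPriv, m.ephPub), m.iv);
  d.setAuthTag(m.tag);
  return Buffer.concat([d.update(m.ct), d.final()]).toString("utf8"); // throws on wrong key
}

// Relay flow from the question: the server opens every message and re-seals it
// for each online client, so it holds the plaintext and recipients only ever
// verify the server's signature, not the original sender's.
function relayServer(server, senderPub, msg, onlineClientPubs) {
  const seenByServer = open(server.privateKey, senderPub, msg);
  const fanout = onlineClientPubs.map((pub) => seal(pub, server.privateKey, seenByServer));
  return { seenByServer, fanout };
}

function demo() {
  const steve = newKeyPair(), alice = newKeyPair(), bob = newKeyPair();
  const text = "meet at 10"; // constructed sample message
  const toServer = seal(steve.publicKey, alice.privateKey, text);
  const relayed = relayServer(steve, alice.publicKey, toServer, [bob.publicKey]);
  const bobReads = open(bob.privateKey, steve.publicKey, relayed.fanout[0]);
  // End-to-end variant: Alice seals to Bob; the server can only forward the bytes.
  const e2e = seal(bob.publicKey, alice.privateKey, text);
  let serverReadE2E = true;
  try { open(steve.privateKey, alice.publicKey, e2e); } catch { serverReadE2E = false; }
  const bobReadsE2E = open(bob.privateKey, alice.publicKey, e2e);
  return { seenByServer: relayed.seenByServer, bobReads, serverReadE2E, bobReadsE2E };
}
console.log(demo());
```
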

Score:0

So I have found the answer. The answer provided in the comment by Eugene Styer states that just using TLS is good enough, as TLS is not limited to a specific port.

forest
Well, it certainly won't be E2E...
Ben Voigt
@forest: The question does not describe an end-to-end system either