Here is context:

I am using PGP to encrypt messages in a chat web app. After going through some articles, I got a brief idea of how PGP works, and here is how I am doing it with OpenPGP.js:

  • The client (web browser) generates the public/private key pair and sends the public key to the server to store it.
  • The sender uses the receiver's public key to encrypt data and sends it.
  • The receiver uses their own private key to decrypt the message.

As a chat app, I need to store all messages and decrypt them when the user wants to see an old message. Decryption of messages needs the private key. Here the client is a web browser, which can neither store the private keys for long nor keep them safe, so I decided to store the private key on the web server. Now the client (web browser) asks the server for the private key whenever decryption of a message is needed.

Considering PGP an end-to-end protocol, storing the private key on the server is vulnerable. My question is:

  • How does PGP encryption work for web-based applications where the client is not able to keep the private key safe and confidential?

  • Is it okay to store the private key on the server?

  • Is there any better way to do this?

Thanks for any suggestions.

Suraj
  • (1) I don't see any reason to store private keys. (2) Don't implement your own crypto, especially chats are quite complex (when supporting some features) (3) If you want to do that: there are tons of projects and papers. Did you check them? What did you learn? (Signal @WhatsApp; Pidgin OTR...) (4) It's also a bit broad. – sascha Aug 12 '17 at 16:07
  • Are you talking about storing clients' keys on the server? This would give the server (or anyone in control of it) the ability to do MITM attacks or decrypt communication in turn making the security concept worthless. – ProgrammingMachine5000 Aug 12 '17 at 16:08
  • @sascha (1) "don't see any reason to store private keys." Are you suggesting to generate a new key pair for each message? In this case, if the old key was not stored, how will old messages be decrypted? (2) I am not implementing my own crypto, I am using https://github.com/openpgpjs/openpgpjs for this. (3) I am not using the Signal protocol, I have to do this with PGP. Share your thoughts please. – Suraj Aug 12 '17 at 16:17
  • *"is it Okay to store private key on server?"* - not if you want unbroken end-to-end encryption. – Artjom B. Aug 12 '17 at 16:24
  • I'm voting to close this question as off-topic because it is not about software development per se, but discusses information security principles in general and would be a better fit for the Information Security Stack Exchange sister site. – Jens Erat Aug 12 '17 at 18:05
  • @JensErat Thanks. I will post it on Information Security Stack Exchange. – Suraj Aug 12 '17 at 18:10
  • @JensErat Updated my question: https://security.stackexchange.com/questions/167348/pgp-encryption-for-the-server-based-app – Suraj Aug 12 '17 at 19:13

0 Answers