Question about key exchange.

[842Mono]

Hi.

I have a question about key exchange. I can see in the code that the keys are transferred as they are to the other party. Isn't that a security vulnerability? The server can simply use the keys to decrypt the messages being sent. How is that addressed? What's the solution to that?

What I'm trying to achieve in my application is end to end encryption.

[akash4393]

Hey Mina,

Sorry I've been busy with work and didn't see this message. What you're talking about is preventing the server from doing a MITM (man in the middle) attack and signal won't directly provide that. But there are ways in which you can creatively do that. Simplest example being comparing the keys that two parties have to make sure that the key sent was the one that is being used and the server didn't swap it out. I think WhatsApp has implemented this in some form.

Also, this was something I was working on during my school days, if you look at one of my other repos, you can see a rough implementation of what I'm talking about in Java. I think that project is called EmailSecurity

Akash

On Thu, Jun 18, 2020 at 9:24 AM Mina William Michael < [email protected]> wrote:

Hi.

I have a question about key exchange. I can see in the code that the keys are transferred as they are to the other party. Isn't that a security vulnerability? The server can simply use the keys to decrypt the messages being sent. How is that addressed? What's the solution to that?

What I'm trying to achieve in my application is end to end encryption.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/akash4393/libsignal-javascript-example/issues/1, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACGGWUYY43B35MAOBRDKKMDRXI5VDANCNFSM4OB5ZNWQ .