
End-to-End Encrypted Chat with the Web Crypto API

Matheus Cardoso
Published in Level Up Coding · 8 min read · Oct 21, 2020


Photo by Christian Wiediger on Unsplash

When transmitting or storing user data, especially private conversations, it’s essential to consider employing cryptographic techniques to ensure privacy.

By reading this tutorial, you’ll learn how to end-to-end encrypt data in web applications using nothing but JavaScript and the Web Crypto API, which is a native browser API.

Please note that this tutorial is very basic and strictly educational, may contain simplifications, and rolling your own encryption protocol is not advisable. The algorithms used can contain certain ‘gotchas’ if not employed properly with the help of security professionals.

You can also find the full project in this GitHub repo if you happen to get lost. And if you have any questions, feel free to reach out to me on Twitter :).

What Is End-to-End Encryption?

End-to-end encryption is a communication system where the only people who can read the messages are the people communicating. No eavesdropper can access the cryptographic keys needed to decrypt the conversation, not even the company that runs the messaging service.

What Is the Web Crypto API?

The Web Cryptography API defines a low-level interface for interacting with cryptographic key material that is managed or exposed by user agents. The API itself is agnostic of the underlying implementation of key storage, but provides a common set of interfaces that allow rich web applications to perform operations such as signature generation and verification, hashing and verification, and encryption and decryption, without requiring access to the raw keying material.

Onto the Basics

In the following steps, we’ll declare the essential functions involved in end-to-end encryption. You can copy each one into a dedicated .js file under a lib folder. Note that all of them are async functions due to the Web Crypto API's asynchronous nature.
