When receiving messages
- Your browser generates a public key and a private key.
- The private key is stored in your browser’s local storage.
- The public key is sent to the WhisperKey servers, where it is associated
with unique magic words which are sent back to your browser.
You then give your magic words to the person who wants to send you a message,
and they use them to send a message.
- The WhisperKey servers send the encrypted message to your browser.
- Your browser uses the private key stored in local storage to decrypt
the message and display it on your screen.
When sending messages
- You input the magic words that someone gave you.
- The WhisperKey servers provide you with the public key associated with
those magic words.
- You type your message and your browser encrypts it using the public key
WhisperKey provided.
- Your browser sends the encrypted message to WhisperKey. WhisperKey
associates it with the user it is intended for so that they will see it
in their list of messages.
Security limitations
- We have taken efforts to ensure your data is safe from snooping and
from us. But you must be sure that you are using the correct magic
words for the person you want to send to. If you use the wrong magic
words, your message might go to the wrong person.
- Performing cryptography in JavaScript has limitations.
You should perform your own validations to ensure that no one has
tampered with WhisperKey’s JavaScript between our servers and your
computer and that WhisperKey is right for you.
- Your private key is stored unencrypted in your browser's local storage.
If someone gains access to your computer, they will be able to read any
messages sent to your session. This can be mitigated by always signing out
when you have finished using WhisperKey. WhisperKey will also expire your
session 24 hours after it is first used.
Technical details
WhisperKey uses a combination of RSA and AES to achieve the desired
results. RSA has an inherent character limitation based on the length
of the key, and WhisperKey uses a relatively short RSA key length
(1024 bits). To stop you being limited to 117 characters, your message
is first encrypted with AES-256 using a randomly generated passphrase.
This passphrase is then encrypted with your public key and the two
ciphertexts are sent to the WhisperKey servers. When the message is
decrypted the process is reversed: the receiver’s browser decrypts the
AES passphrase and then uses this to decrypt the original message.
This is a standard procedure using industry standards and similar
methods are used in SSL, OpenPGP and others.
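The scheme described above, as an added example for Node.js that is not WhisperKey's own code: a random AES-256 key encrypts the message and the recipient's RSA public key wraps that key. AES-256-GCM and RSA-OAEP are assumptions of this example (the page names neither the AES mode nor the RSA padding), and `rsaDirectFits` is a hypothetical helper showing the 117-byte ceiling of a 1024-bit key under PKCS#1 v1.5 padding.

```javascript
// Added example, not WhisperKey's code. Assumptions: AES-256-GCM for the
// message and RSA-OAEP for the key wrap; the page names neither mode nor padding.
const nodeCrypto = require('node:crypto');
const { RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_PADDING } = nodeCrypto.constants;

// Receiver: 1024-bit RSA key pair, the length the page states.
function generateRecipientKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 1024 });
}

// Sender: encrypt the message under a fresh random AES-256 key, then wrap
// that key with the recipient's RSA public key.
function hybridEncrypt(publicKey, message) {
  const aesKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // 96-bit GCM nonce, unique per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = nodeCrypto.publicEncrypt(
    { key: publicKey, padding: RSA_PKCS1_OAEP_PADDING }, aesKey);
  return { wrappedKey, iv, ciphertext, tag };
}

// Receiver: unwrap the AES key with the private key, then decrypt. GCM makes
// final() throw if the ciphertext or tag was modified in transit or at rest.
function hybridDecrypt(privateKey, { wrappedKey, iv, ciphertext, tag }) {
  const aesKey = nodeCrypto.privateDecrypt(
    { key: privateKey, padding: RSA_PKCS1_OAEP_PADDING }, wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// The limit behind the hybrid design: with PKCS#1 v1.5 padding a 1024-bit
// key accepts at most 128 - 11 = 117 bytes in one RSA encryption.
function rsaDirectFits(publicKey, byteLength) {
  try {
    nodeCrypto.publicEncrypt(
      { key: publicKey, padding: RSA_PKCS1_PADDING }, Buffer.alloc(byteLength, 0x41));
    return true;
  } catch (err) {
    return false;
  }
}
```

The server only ever handles `wrappedKey`, `iv`, `ciphertext` and `tag`; without the private key held in the receiver's browser none of them reveals the message.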
Concerns?
If you have a security query please contact us on our priority security
email address:
security@pixielabs.io.