In light of recent privacy concerns (reddit canary removed, Apple vs FBI), citizens' personal messages are in danger of being given to the public by huge corporations. Privacy is a right that every citizen has; that is why we made Crypto Chat. When we explored end-to-end encryption services, we found that every platform either requires you to communicate only on its own closed channel (such as iMessage) or is much too bulky for the modern consumer. This results in NO solutions for automated, secure, hassle-free end-to-end encryption using the services that we love (Facebook Messenger, Google Hangouts, GroupMe).
What it does
Crypto Chat is a Chrome Extension and iOS keyboard that provides two services: we manage all the behind-the-scenes work that makes end-to-end encryption possible, and we automatically encrypt and decrypt messages and handle generation of new keys. The user will never need to know that their messages are encrypted!
Because we encrypt the messages client side, when a user sends the message over ANY channel (Facebook, Google Hangouts, Slack) the server will only see (and store) the encrypted message. When a second user receives the message, they will be able to decrypt it automatically (given that the user has permissions).
Our companion iOS keyboard also works with any channel. It replaces the normal iOS keyboard with our custom version, which has built-in encryption/decryption capabilities.
How we built it
Lots of love, sweat, and friendship.
We use a NodeJS server on the backend with MySQL to handle the organization of the keys. We store only the encrypted chat keys on the server, so that a high standard of security is maintained.
All key generation, encryption and decryption functions are performed client side using the C implementation of OpenSSL. This ensures that only the client will ever have the power to generate keys and encrypt/decrypt messages, and it gives us a completely platform-independent security library.
The user can highlight a text selection and press Ctrl+Shift+V to encrypt the message with their active key, and then they can press Ctrl+Shift+F to decrypt any encrypted text on a webpage.
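The split described above (messages encrypted on the client, only encrypted chat keys held by the server) can be sketched as follows. This is an added example, not Crypto Chat's code: the page names only OpenSSL, so AES-256-GCM, scrypt, Node's OpenSSL-backed `crypto` module and every function name here are assumptions.

```javascript
// Added example with constructed names; not Crypto Chat's own code.
// Assumptions: AES-256-GCM for messages, scrypt to derive the key-wrapping key.
const crypto = require('crypto');

// Encrypt on the client. Output: base64(nonce | auth tag | ciphertext).
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt on the client. Throws if the key is wrong or the blob was altered.
function unseal(key, blob, aad) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
}

// Wrap the chat key under a key derived from a user secret.
// The returned record is the only key material the server would store.
function wrapChatKey(chatKey, secret) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(secret, salt, 32);
  return { salt: salt.toString('base64'), wrapped: seal(kek, chatKey, 'chat-key') };
}

function unwrapChatKey(record, secret) {
  const kek = crypto.scryptSync(secret, Buffer.from(record.salt, 'base64'), 32);
  return unseal(kek, record.wrapped, 'chat-key');
}

// Constructed walk-through: sender seals, server keeps the wrapped key, receiver unseals.
function demo() {
  const chatKey = crypto.randomBytes(32);
  const serverRecord = wrapChatKey(chatKey, 'constructed user secret');
  const wire = seal(chatKey, Buffer.from('meet at noon'), 'msg'); // what the chat service sees
  const recovered = unwrapChatKey(serverRecord, 'constructed user secret');
  let wrongSecretRejected = false;
  try { unwrapChatKey(serverRecord, 'wrong secret'); } catch (e) { wrongSecretRejected = true; }
  return { wire, text: unseal(recovered, wire, 'msg').toString(), wrongSecretRejected };
}
```

The authenticated mode matters here: a wrong secret or a modified blob makes `unseal` throw instead of returning garbage.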
We were left with just one problem: How can we verify that a user is actually who he says he is? If a user's account were hacked, then all of their keys would be compromised.
The Knurld Voice Recognition API solved this problem perfectly. When registering with our platform, the user also registers with Knurld. We will only allow the user to access the key library if they pass Knurld's test.
Challenges we ran into
The second problem still exists: for websites that are built with AngularJS or other more advanced frameworks, the DOM manipulation required to extract and insert encrypted text is a bit trickier.
By far the biggest challenge was writing a comprehensive system that did not compromise the user's security one bit - we were very rigorous in making sure that in our system design, the security remains airtight!!!
Accomplishments that we're proud of
Istvan - Being able to design an entire system that maintains a high standard of security is definitely my proudest accomplishment!
Blaise - Learning the secrets of the microphone, and how to implement it all in JS/HTML.
Aron - Being able to implement my first iOS platform all by myself! The keyboard as well as the companion app were tricky to create together, but in the end it was worth it because they work with any messaging app flawlessly!!
Matt - Writing the wrapper functions for the secure C code was definitely a difficult task.
What we learned
How to make a more advanced RESTful API, and how to work in a remote team while maintaining a positive mental attitude.
What's next for Crypto Chat
Implementing signed messages (use Knurld to optionally sign your encrypted messages)
Various small fixes