Encryption

Cryptography is encryption + decryption.

Encryption is the process of converting legible text into cipher text by passing it through an encryption function which takes a ‘key’ as an input.

Two types of cryptography

1. Symmetric 

   • only one key

   • the same key is used to encrypt and decrypt messages

2. Asymmetric

   • Two different keys

   • public key 

     • belongs to the recipient of the message 

     • sender encrypts the message with this key

   • private key

     • message recepient will decrypt the message with this key

     • this key is not share with anyone

   • In this sense, 

     • public key is used to close the lock 🔐

     • private key is used to open the lock 🔓️

We are talking encryption for a note taking app thinkdeli. Data won’t be shared between different users. But between different devices belonging to the same user. But that won’t really matter. The sender needs to look up the user and the device to get the correspoding public key.

Is the key pair the same across all the devices. Or should each device get its own key pair. 

• I think each device should get its own key pair.

• The public key should be stored in the db in the cloud against the username.

• The private key should be encrypted with a password set by the user and stored locally on the device.

The client (app) generates the key pair. Public key must be stored in the cloud somewhere so that it can be shared with anyone who needs to encrypt data for this device.

But when working with multiple devices of the same user, the message will have to be encrypted using the public key of each device. this won’t work. So the keys need to be same. Maybe asymmetric cryptography is not the solution.

I read the signal protocol paper. There are three types of key pairs generated and seems like every message is encrypted using a different key. Basically, it appears that key exchange is a big problem by itself. Generating keys is trivial now using the amazing crypto libraries like sodium. 

So the problem that apps need to solve is key management.

For thinkdeli the approach that makes the most sense is private key cryptography. 

1. Ask the user for a password.

2. Create a key from the password. 

3. Encrypt all updates to yjs using the key.

4. Decrypt all updates to yjs using the key.

On other devices too, ask the users to enter the password before they start.

I need to use the AEAD variation of the private key cryptography to

1. authenticate that the message was indeed sent by the sender who claims it

2. add additional meta data for ydoc to work