Question
I am making an application in which chat is also a feature, for which I am using Firebase Realtime Database. Though all the data stored in Firebase goes via SSL, I want that even the administration is not able to see the messages. I thought of implementing end-to-end encryption using a public and private key architecture, but storing the private key on the device won't be good, as a new private key will be created when the phone is uninstalled or even when the app is used on another device, and previous messages also won't be decrypted.
I also thought of encrypting new messages with the new private key, when generated, and storing the previous chat history in Google Drive or iCloud as a backup, but since this is not entirely a chat application I think this won't be feasible.
http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/
I also went through this article, but again the keys will be with the administration.
How should I proceed?
Answer 1:
I recommend you encrypt your messages with AES. And you should not store the secret key on devices. Otherwise, users can make a key agreement to generate a shared secret key, using the Diffie-Hellman key exchange algorithm: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Answer 2:
> Though all the data stored in firebase is via SSL but I want that even the administration is not able to see that messages.
There are already some end-to-end secured messaging protocols (e.g. Signal); you may have a look at how they work.
> when the app is used in another device and also previous messages won't be decrypted
That's the price for the end-to-end encryption.
You could still somehow distribute the private key between multiple devices, e.g. encrypt the private key with the user's password and decrypt the key when the user authenticates, only on the user's device (I am just shooting ideas; you may think through whether it is secure enough).
> storing the previous chat history in google drive or iCloud as backup
Viber and WhatsApp are doing it; the question is whether users will trust you enough to give you permission to access their cloud storage.
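
The two ideas from the answers above (Diffie-Hellman key agreement with AES, and a password-encrypted private key that can be restored on another device), combined in an added example that is not part of the original posts. It uses only Node.js's built-in crypto module; the choice of X25519, scrypt, HKDF and AES-256-GCM, and all function names, are assumptions made for this illustration.

```javascript
// Added example (Node.js built-in crypto only); all names here are hypothetical.
const { generateKeyPairSync, diffieHellman, scryptSync, hkdfSync, randomBytes,
        createCipheriv, createDecipheriv, createPrivateKey } = require('node:crypto');

// AES-256-GCM helpers. Blob layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Wrap the private key under a password-derived key, so the database
// (and its administrators) only ever hold ciphertext.
function wrapPrivateKey(privateKey, password) {
  const salt = randomBytes(16);
  const kek = scryptSync(password, salt, 32);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  return { salt, blob: seal(kek, der) };
}
function unwrapPrivateKey({ salt, blob }, password) {
  const der = unseal(scryptSync(password, salt, 32), blob);
  return createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Each peer derives the same conversation key from its own private key
// and the other peer's public key; the key itself is never transmitted.
function conversationKey(myPrivate, theirPublic) {
  const shared = diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'chat-e2e-demo', 32));
}

// Constructed demo: Alice restores her key on a new device and reads an old message.
function demo() {
  const alice = generateKeyPairSync('x25519');
  const bob = generateKeyPairSync('x25519');
  const backup = wrapPrivateKey(alice.privateKey, 'alice-passphrase'); // stored server-side
  const stored = seal(conversationKey(bob.privateKey, alice.publicKey), Buffer.from('hi Alice'));
  const restored = unwrapPrivateKey(backup, 'alice-passphrase');       // on the new device
  return unseal(conversationKey(restored, bob.publicKey), stored).toString();
}
```

The wrapped blob is only as strong as the passphrase, because whoever holds the backup can attempt offline guesses against it.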
Source: https://stackoverflow.com/questions/54705518/encrypt-chat-messages-stored-in-firebase-database