5 posts tagged with "browser crypto"

⚠️ NOTE: This document and related project is not finished. The details in this document are subject to change.

What if you could combine multiple encryption algorithms like layers of an onion, where each layer provides independent protection? What if breaking one encryption layer still left your data protected by two or three more?

In this article, we'll explore how to build a cascading cipher system that chains multiple encryption algorithms together for defense-in-depth security. We'll walk through a browser-based JavaScript implementation that combines MLS (Message Layer Security), Signal Protocol's Double Ratchet, Diffie-Hellman key exchange, and AES-GCM encryption—all working together to create a robust, multi-layered encryption solution.

⚠️ WARNING: This document is not finished. The details in this document are subject to change.

End-to-end encrypted messaging for two people is a solved problem—Signal Protocol has set the gold standard. But what happens when you want to scale that security to group chats with dozens or hundreds of participants? Traditional pairwise encryption becomes a nightmare: N participants require N(N-1)/2 encrypted channels, each with its own key management overhead.

Enter MLS (Message Layer Security), the IETF's RFC 9420 standard designed specifically for scalable group messaging. MLS provides the same strong security guarantees as Signal Protocol—forward secrecy, post-compromise security, authentication—but does so efficiently for groups of any size.

In this article, we'll explore how MLS works, why it's a game-changer for group messaging, and walk through a complete browser-based implementation using the ts-mls library. We'll cover everything from the TreeKEM algorithm to practical P2P integration with WebRTC.

⚠️ NOTE: This is still a work-in-progress and far from finished. It is free to use and not sold or monetized in any way. It has NOT been audited or reviewed. For testing purposes only, not a replacement for your current messaging app. I have open source examples of various parts of the app and I'm sure more investigation needs to be done for all details of this project. USE RESPONSIBLY!

This post serves as a technical update and roadmap for the P2P messaging project. Rather than promoting the project, I want to clearly explain how it works, what's currently implemented, what's in progress, and what's planned for the future. Cybersecurity is a constantly evolving field and no system can be completely secure. I've created an exhaustive list of features and practices that help make the messaging app as secure as possible.

Demo

Current Status: Implemented Features​

The following features are currently working and implemented:

• P2P Architecture - The app is fully decentralized and does not rely on a central server for exchanging messages. WebRTC is used to establish direct peer-to-peer connections between browsers.

• Peer Discovery - Peer IDs are cryptographically random, generated automatically client-side with good conflict resilience to prevent ID guessing attacks. The peerjs-server (open source, self-hostable) is used as a connection broker to establish WebRTC connections.

• End-to-End Encryption - Messages are protected with an application-level cascading cipher layered on top of WebRTC's built-in encryption. The cascading cipher combines multiple protocols including Signal Protocol, MLS, and AES. While there has been some pushback on the cascading cipher approach, it functions at the application level and ensures that the strongest algorithm provides protection. Any failure results in a cascading failure, providing redundancy on top of WebRTC's mandated encryption. I plan to add more protocols to this cascade to investigate post-quantum solutions.

• Perfect Forward Secrecy - If a key is compromised, past messages remain protected. WebRTC already provides reasonable forward secrecy support in Firefox, and the Signal and MLS protocols in the cascading cipher contribute additional resilience in this regard.

• Key Management - Users manage their own keys without relying on a central authority. The focus is on local-only encryption keys. Key sets are generated for each new connection and reused in future sessions.

• Secure Signaling - The initial connection between peers is established securely. While exchanging connection data offline is a good approach, I'm working on providing more options. It's possible to establish a WebRTC connection without a connection-broker as demonstrated here.

• Minimal Infrastructure - Fewer points of failure and attack. With WebRTC, messages can be sent without a central server and will work in offline hotspot networks.

• Multimedia Support - Users can share animations and videos. This is important for providing an appealing user experience. Progress has been made on the UI component library to provide various features and functionality users expect in a messaging app.

• Minimal Metadata - The app minimizes metadata to prevent tracking of who's messaging whom or when. The metadata footprint is fairly minimal, though this is relative to how feature-rich the application becomes. Features like "user is typing" notifications can be disabled, though they're common in messaging apps. Similarly, read receipts can be useful but come with metadata overhead. I plan to discuss these features more in the future and provide the ability to disable them.

In Progress: Features Under Development​

The following features are currently being worked on:

• Open Source Strategy - Moving towards a hybrid approach where relevant repositories are open source.

• Registration-Free Operation - Creating a messaging app that eliminates the need for users to register is a feature desired in the cybersecurity space. The webapp approach offers these capabilities and is working. However, as I explore monetization options, I'm unable to see how registration can be completely avoided.

• Encrypted Storage - Browser-based cryptography is capable, and it's possible to have important data like encryption keys encrypted at rest. This works well when using passkeys to derive a password. This approach is still incomplete—improvements are needed to take advantage of the Filesystem API for better persistence. Passkeys won't address this easily because they get cleared when you clear site-data (and you lose the password for decrypting the data).

• User Education - The app is fairly technical, and I need more time to provide better information to users. The current website has a lot of technical details, but I think it's a mess if you want to find specific information. This needs to be improved.

• Offline Messaging - P2P messaging has limitations, but I have an idea for addressing this: a self-hosted version that remains online and proxies messages to users when they come online. This is still in the early stages of development and has yet to be demonstrated.

• Self-Destructing Messages - This is a common feature in secure messaging apps. It should be relatively simple to implement and will be added as a feature "soon".

• JavaScript Security Concerns - There's a lot of rhetoric against using JavaScript for a project like this because of concerns about code being served over the internet. This is understandable, but I think these concerns can be mitigated. I can provide a self-hostable static bundle to avoid fetching statics from the internet. There's additional investigation towards using service workers to cache necessary files for offline use. I would like to add an explicit button to "fetch latest statics". The functionality is working, but more needs to be done before rolling it out.

• Decentralized Profile - Users will want to continue conversations across devices with multi-device sync. It's possible to implement a P2P solution for this. This is an ongoing investigation.

• STUN/TURN Server Configuration - The app currently uses metered.ca TURN servers only for brokering P2P connections. You have the option to use your own API key to enable features like "relay-mode", which will proxy all messages. I'm open to making this as configurable as necessary if users want to add multiple of their own servers.

Future Work: Planned Features​

The following features are planned for future development:

• Regular Security Audits - This is important for identifying and fixing vulnerabilities promptly. Security audits are very expensive, and until there is funding, this won't be possible. An alternative is an in-house security audit. I have made attempts to create such audits for the Signal Protocol and MLS. I'm sure I can dive into more details, but ultimately an in-house audit is invalidated by any bias I might impart.

• Anonymity Features - Enabling users to communicate without revealing their identity is a feature many privacy advocates want. P2P messaging has nuanced tradeoffs. I'd like to further investigate onion-style routing to hide origins, but I also notice that WebRTC is generally discouraged when using the TOR network. It could help if users use a VPN, but that strays further from what I can offer as part of my app. This is an ongoing investigation.

Demo

Frequently Asked Questions​

Why are there closed source parts? - This project comes in two flavors: open-source and closed-source. To view the open source version, see here. I've tried several grant applications and places that provide funding for open source projects. I'm aware they exist—unfortunately, they rejected this project for funding. I'm sure many are inundated with project submissions that have more professional quality and are able to articulate details better than myself. Continuing with open source only seems to put me at a competitive disadvantage.

Monetization - I'm investigating introducing Clerk. I hope to use that to create a subscription model. I would like to charge $1 per month as per the minimum allowed by Clerk. I started off thinking I could avoid charging users entirely, given that it seems a norm for secure messaging apps to be free. But given the grant rejections and the lack of donations on GitHub Sponsors (completely understandable), it's clear that it won't be able to sustain the project. I tried Google AdSense on the website/blog, but it was making practically nothing; so I disabled it because it wasn't a good look when it goes against the whole "degoogling" angle. This project is currently not funded or monetized in any way. (It's not for lack of trying)

How does it compare against Signal, SimpleX, Element, etc? - The project is far from finished, and it wouldn't make sense to create something as clear as a comparison table. Especially because core features like group messaging aren't working. Some technical details can be seen here if you want to draw your own comparison:

• https://positive-intentions.com/docs/projects/chat
• https://positive-intentions.com/docs/category/sparcle

JavaScript over the internet is not secure - I'm investigating using service workers to cache files. This is working to some degree, but needs improvement before I fully roll it out. I would like to aim for something like a button on the UI called "Update" that would invalidate the service-worker cache to trigger an update. I hope to have something more elegant than self-hosting on localhost or using a dedicated app. It's possible to provide a static bundle that can work from running index.html in a browser without the need to run a static server. The static bundle of the open source version can be seen and tested to work from this directory: https://github.com/positive-intentions/chat/tree/staging/Frontend. When I reach a reasonable level of stability on the app, I would like to investigate things like a dedicated app as is possible on the open source version: https://positive-intentions.com/blog/docker-ios-android-desktop

How is this different from any other messaging app? - The key distinction between this project and others like Signal and SimpleX is that it's presented as a PWA. A key cybersecurity feature of this form-factor is that it can avoid installation and registration. It's understandable that such a feature doesn't appeal to everyone, but along with the native build, it should cover all bases depending on your threat model.

What about Chat Control? - I see a lot of fear mongering in the cybersecurity community around chat control. I aim to create something that doesn't have the censorship pitfalls of a traditional architecture. A previous post on the matter: https://www.reddit.com/r/europrivacy/comments/1ndbkxn/help_me_understand_if_chatcontrol_could_affect_my

Is it AI-generated? - AI is being used appropriately to help me in various aspects. I hope it doesn't undermine the time and effort I put into the project.

The goal is to provide industry-grade security encapsulated into a standalone webapp. Feel free to reach out for clarity on any details or check out the following links:

• Docs: https://positive-intentions.com
• Mastodon: https://infosec.exchange/@xoron

IMPORTANT NOTE: It's worth repeating: this is still a work in progress and not ready to replace any existing solution. Many core features like group messaging are not working. Provided for testing, demo, and feedback purposes only.

⚠️ WARNING: This document is not finished. The details in this document are subject to change.

The Signal Protocol has become the gold standard for end-to-end encrypted messaging, powering applications like WhatsApp, Signal, and Facebook Messenger. But what happens when you want to implement the same level of security in a truly peer-to-peer environment—one without centralized servers managing pre-keys and message routing?

In this article, we'll explore how to adapt the Signal Protocol's X3DH (Extended Triple Diffie-Hellman) key agreement and Double Ratchet algorithm for direct peer-to-peer communication over WebRTC. We'll discuss the challenges unique to P2P environments, propose practical solutions, and walk through a browser-based JavaScript implementation that maintains the security guarantees of the original protocol.

⚠️ NOTE: This is an experimental implementation for testing purposes. Post-quantum cryptography is an active area of research. While ML-KEM is a NIST standard, this JavaScript implementation has not undergone formal security audits. Use responsibly.

We're excited to announce that our P2P messaging application now supports quantum-resistant encryption using ML-KEM (CRYSTALS-Kyber), a NIST-standardized post-quantum key encapsulation mechanism. This addition brings quantum-resistant security to our cascading cipher system, providing protection against future quantum computing attacks.

What is Post-Quantum Cryptography?​

Quantum computers pose a significant threat to current public-key cryptography. While quantum computers are still in early stages, they could eventually break widely used algorithms like RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman using Shor's algorithm. Quantum-resistant cryptography uses mathematical problems that quantum computers struggle to solve.

Current Vulnerabilities​

🔴 Vulnerable to Quantum Attacks:

• RSA (Shor's algorithm)
• Elliptic Curve Cryptography (Shor's algorithm)
• Diffie-Hellman key exchange (Shor's algorithm)

🟢 Quantum-Resistant:

• AES-256 (Grover's algorithm only reduces to AES-128 equivalent)
• SHA-256/SHA-3 (quantum advantage limited)
• ML-KEM (CRYSTALS-Kyber) - Lattice-based KEM
• ML-DSA (CRYSTALS-Dilithium) - Lattice-based signatures

The ML-KEM (CRYSTALS-Kyber) Standard​

ML-KEM (Modular Lattice-based Key Encapsulation Mechanism) is one of the first post-quantum algorithms standardized by NIST in 2024. It's designed as a key encapsulation mechanism (KEM) rather than direct encryption, making it ideal for establishing shared secrets between parties.

📚 Learn More:

• Crash Course: ML-KEM Beginner Tutorial - Quick introduction to ML-KEM concepts
• In-Depth Tutorial: ML-KEM Research Tutorial - Comprehensive technical deep dive

Key Properties:

• ⚡ Fast: ~30-50ms for key encapsulation/decapsulation
• 📦 Compact: 1184-byte public keys, 1088-byte encapsulated keys
• 🔒 Security: Based on Learning With Errors (LWE) problem
• 🎯 Standard: NIST FIPS 203 compliant
• 🌐 Pure JavaScript: No native dependencies

Integration with Cascading Cipher​

The ML-KEM implementation is integrated as a cipher layer in our cascading cipher architecture:

import {
  CascadingCipherManager,
  MLSCipherLayer,
  SignalCipherLayer,
  AESCipherLayer,
  MLKEMCipherLayer,  // New post-quantum layer
} from 'cryptography/CascadingCipher';

How It Works​

ML-KEM functions as a key exchange layer in the encryption cascade:

Encryption Flow:

1. ML-KEM Layer: Receiver's public key → encapsulated shared key
2. Signal Layer: Double Ratchet adds forward secrecy
3. MLS Group Layer: Group messaging support
4. AES Layer: Fast symmetric encryption

Why This Approach?​

Defense in Depth:

• ML-KEM protects against quantum attacks
• Signal Protocol provides forward secrecy
• MLS enables group messaging
• AES adds fast symmetric encryption

Each layer provides independent protection. If ML-KEM is broken, other layers still protect data.

Implementation Details​

ML-KEM Cipher Layer Architecture​

The MLKEMCipherLayer class implements the standard CipherLayer interface:

class MLKEMCipherLayer implements CipherLayer {
  readonly name = "ML-KEM-768";
  readonly version = "1.0.0";

  async encrypt(data: Uint8Array, keys: MLKEMKeys): Promise<EncryptedPayload>;
  async decrypt(payload: EncryptedPayload, keys: MLKEMKeys): Promise<Uint8Array>;
}

Key Properties​

• Public Key Size: 1184 bytes (for KEM-768 parameter set)
• Private Key Size: 64 bytes
• Encapsulated Key: 1088 bytes
• Shared Secret: 32-64 bytes (used as AES key material)

Security Features​

✅ Zeroization:

• All sensitive buffers are cleared after use
• Shared secrets, private keys, IVs are zeroized

✅ Timing Attack Protection:

• Constant-time key validation
• No early returns in validation logic

✅ IV Reuse Protection:

• Tracks used IVs per public key
• Random IV generation with collision detection

✅ Input Validation:

• Maximum plaintext size: 10MB (prevents DoS)
• Strict parameter size checks

Example Usage​

import { MlKem768 } from '@hpke/ml-kem';
import { MLKEMCipherLayer } from 'cryptography/CascadingCipher';

// Generate ML-KEM key pair
const kem = new MlKem768();
const keyPair = await kem.generateKeyPair();

// Create cipher layer
const layer = new MLKEMCipherLayer();

// Encrypt plaintext
const plaintext = new TextEncoder().encode('Quantum-secure message!');
const encrypted = await layer.encrypt(plaintext, {
  publicKey: keyPair.publicKey
});

// Decrypt
const decrypted = await layer.decrypt(encrypted, {
  privateKey: keyPair.privateKey
});

console.log(new TextDecoder().decode(decrypted)); // "Quantum-secure message!"

Module Federation Integration​

The cryptography module is exposed via module federation for import in the P2P application:

// cryptography/webpack.config.js
module.exports = {
  // Module federation config
  name: 'cryptography',
  exposes: {
    './CascadingCipher': './src/crypto/CascadingCipher/index.ts',
    './MLKEMUtils': './src/crypto/MLKEMUtils.ts',
    // ... other exports
  }
};

The P2P app imports via remote:

// p2p/webpack.config.js
module.exports = {
  remotes: {
    cryptography: 'cryptography@http://localhost:8083/remoteEntry.js'
  }
};

Storybook Examples​

Interactive Storybook stories demonstrate ML-KEM functionality:

• MLKEMBeginnerTutorial.stories.js - Step-by-step ML-KEM basics
• MLKEMDemo.stories.js - Real encryption/decryption examples
• MLKEMTimingTests.stories.js - Performance benchmarks

Try the Live Demo:

• ML-KEM Standalone Demo - Interactive encryption/decryption playground

Examples available at:

• ML-KEM Demo Story: https://cryptography.positive-intentions.com/?path=/story/cascading-cipher-ml-kem-demo--mlkem-standalone
• P2P Messaging Demo: https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story

Performance Characteristics​

Encryption Benchmarks:

• Key Generation: ~10-15ms
• Encapsulation: ~15-25ms
• Decapsulation: ~15-25ms
• Total Operation: ~30-50ms

Overhead Analysis:

• Message Size: Adds ~1100 bytes (encapsulated key + IV + salt)
• Processing Time: +30-50ms compared to classical-only encryption
• Memory: Minimal (key material cached)

Comparison: Classical vs Post-Quantum​

Security Considerations​

Current Status​

✅ Implemented:

• ML-KEM-768 key pair generation
• Key encapsulation/decapsulation
• Integration with cascading cipher
• Security hardening (zeroization, timing protection)

⚠️ Limitations:

• JavaScript implementation (not FIPS 140-2 validated)
• No formal security audit
• Experimental/educational use only
• Performance overhead vs classical algorithms

Recommendations​

✅ Suitable For:

• Long-term confidential data storage
• Future-proofing sensitive communications
• Experimental/educational projects
• Low-volume secure messaging

❌ Not Recommended For:

• Production without formal security review
• High-performance applications
• Regulatory compliance without validation

Future Roadmap​

Planned Enhancements:

1. ML-DSA Integration - Post-quantum digital signatures
2. Hybrid Key Exchange - Combine classical + post-quantum
3. FIPS 140-2 Validation - Formal certification
4. WASM Optimization - Improve performance
5. Multiple Parameter Sets - Support KEM-512/1024 variants
6. Self-Certified Public Keys - Simplified identity verification

Conclusion​

The addition of ML-KEM post-quantum cryptography brings quantum-resistant security to our P2P messaging platform. By integrating it within the cascading cipher architecture, we provide defense-in-depth protection against both classical and quantum attacks.

While this implementation is still experimental, it demonstrates that building quantum-resistant applications in JavaScript is feasible. As quantum computing capabilities evolve, having quantum-resistant layers in place positions the project for long-term security.

Resources​

• 🚀 Live Demo: ML-KEM Standalone Demo
• 📚 Crash Course: ML-KEM Beginner Tutorial
• 🔬 In-Depth Tutorial: ML-KEM Research Tutorial
• 💻 Code Examples: See the ML-KEM Storybook Demo and P2P Messaging Demo