AES key should be encrypted before exchange

[muke1908]

chat-e2ee/service/src/sdk.ts

Line 148 in 905c8c0

await sharePublicKey({ aesKey: aesPlain, publicKey: this.publicKey, sender: this.userId, channelId: this.channelId});

Right now AES encryption key is sent to server for exchange which is a vulnerability. It should be send via end-to-end encrypted channel.

[Jatin917]

Is anyone working on it ... if not can i ?

[muke1908]

@Jatin917 sure please go ahead

[Jatin917]

@muke1908
Hi, just to clarify — currently the AES key is being sent to the server in plaintext, which introduces a vulnerability.
Would it make sense to encrypt the AES key using the recipient’s public key before sending, so that only the recipient can decrypt it?
That way we maintain end-to-end encryption. Just wanted to confirm this is the intended direction before I proceed.

[muke1908]

Yes, that's correct.

…

On Sat, May 17, 2025 at 9:10 AM jAItin ***@***.***> wrote: @muke1908 <https://github.com/muke1908> Hi, just to clarify — currently the AES key is being sent to the server in plaintext, which introduces a vulnerability. Would it make sense to encrypt the AES key using the recipient’s public key before sending, so that only the recipient can decrypt it? That way we maintain end-to-end encryption. Just wanted to confirm this is the intended direction before I proceed. — Reply to this email directly, view it on GitHub <#378 (comment)> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AE23SBN6L44SALVTRW2UQXL263OFNBFKMF2HI4TJMJ2XIZLTS2BKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVIZDCMZQGE2TCMBYHCSG4YLNMWUWQYLTL5WGCYTFNSBKK5TBNR2WLKRSGEZTKOBZGY2TINVENZQW2ZNJNBQXGX3MMFRGK3ECUV3GC3DVMWVDEMRZGA3TKMJRHAYKI3TBNVS2S2DBONPWYYLCMVWKY43VMJVGKY3UL52HS4DFVREXG43VMVBW63LNMVXHJJTUN5YGSY3TSWBKI5DZOBS2U4TFOBXXG2LUN5ZHTJLWMFWHKZNJGI3TCNJUGQ2TENECUR2HS4DFUVUXG43VMWSXMYLMOVS2UMRVGM3TEMBQHA3DPAVEOR4XAZNFNRQWEZLMUV3GC3DVMWVDEMJTGAYTKMJQHA4IFJDUPFYGLJLMMFRGK3FFOZQWY5LFVIZDCMZVHA4TMNJUG2BKI5DZOBS2K3DBMJSWZJLWMFWHKZNKGIZDSMBXGUYTCOBQU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

[Jatin917]

@muke1908

Hi! I noticed that the publicKey is currently being passed as a string in sdk.ts.
However, to use it with the built-in encryption function(encryptMessage in cryptoRSA.ts), it needs to be a CryptoKey.

Converting it at the point of use causes issues elsewhere in the code since other functions expect a string.

Just wanted to clarify:
Was there a design reason to keep the publicKey as a string throughout?
Or would it make sense to import it into a CryptoKey object at an earlier stage?

[Jatin917]

@muke1908 hey ?