Encrypted CRUD Messaging
Working example at http://messenger.zydev.space
- Host an interoffice or private messaging service whose messages are stored in the database only as ciphertext
- Images and files are embedded into the plaintext and converted before DB storage
- Secrets are created at login so there is no key management
- Ciphertext is not held on the client; a message is decrypted only when it is opened
- Search for messages by "Fingerprint"
- Nest messages into per-user threads
- Sort messages by Timestamp, Username, or Size
- Quickly send messages by searching for a username in the Contact list
- Mobile-friendly single-page application
- Apache server running PHP
- MongoDB Server
- MongoDB PHP Driver 1.1.1
- libsodium 1.0.8
- libsodium-php 1.0.2
- SASS to compile CSS
git clone this project into your server's public directory.
If you don't have the php-mongodb package in your distro's repository, you can install the extension with:
pecl install mongodb
The requirement is to have the mongodb.so shared object in your /usr/lib/php/modules folder. PHP7 will automatically load this. No need to add it to your
Next, install the php-MongoDB library classes with Composer:
cd /path/to/this/repo && composer install
You will need to manually install the libsodium-php shared object:
pecl install libsodium
Once you have all of the prerequisites, compile the stylesheet with sass main.scss to get your completed CSS template.
There is no user verification implemented, so simply type in a username and password and a profile is created for you.
- Due to MongoDB's maximum document size, messages have a maximum size of 16MB
- When you change your password a new secret key is created, so all of your previously received messages can no longer be decrypted because the original secret key is lost
- When you change your display name, only your future messages will reflect the name change
- Usernames can consist only of letters and numbers and have a maximum length of 64 characters
- Passwords can consist of any characters and have no length limit
Files for editing
- global-template.scss is where the main CSS editing is done
- phpSrc/ contains all the DB interaction classes
- index.php is the main entry point for the application
- js/index.js is the main application logic
At login, the password is immediately hashed and a secret is derived. A challenge secret is also derived from the password to verify identity whenever interacting with the DB. This gives you the ability to use stronger hashing at login and faster verification when interacting with the database. The public key, secret key, and challenge key are held in $_SESSION variables to encrypt and decrypt messages.
There is a public and a private MongoDB collection. The public collection holds each person's username, public key, last login timestamp, and avatar. The private collection holds the person's username, last login timestamp, hashed password, public key, salt, nonce, encrypted challenge, settings, messages, and contacts.
Each message's details are stored in the user's private document: the sender's username, display name, and public key, together with the message's size, nonce, and ID mapping, are stored per user and keyed by timestamp.
Each message document holds the ID mapping and the ciphertext.
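The following is an added example, not code from this project, that models the design described above: a slow password stretch at login, a cheap challenge check reused on later DB calls, message metadata kept in the recipient's private record, and ciphertext kept in its own document. It assumes PHP 7.2 or later with the bundled sodium extension (the modern `sodium_*` functions rather than the namespaced API of libsodium-php 1.0.2); every function name, field name, and KDF context string in it is hypothetical.

```php
<?php
// Added example, not the project's code. Hypothetical names throughout.
// Assumes PHP >= 7.2 with the bundled sodium extension.
declare(strict_types=1);

// Slow step, once per login: stretch the password with the user's stored salt
// into a 32-byte master key (Argon2, the libsodium default).
function deriveMasterKey(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_KDF_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_DEFAULT
    );
}

// Fast step: independent subkeys from the master key (contexts must be 8 bytes).
function deriveSubkeys(string $master): array
{
    $seed = sodium_crypto_kdf_derive_from_key(SODIUM_CRYPTO_BOX_SEEDBYTES, 1, 'msgr-box', $master);
    $chal = sodium_crypto_kdf_derive_from_key(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, 2, 'msgr-chl', $master);
    $kp   = sodium_crypto_box_seed_keypair($seed);
    sodium_memzero($seed);
    return ['public' => sodium_crypto_box_publickey($kp),
            'secret' => sodium_crypto_box_secretkey($kp),
            'challenge' => $chal];
}

// Registration or password change: fresh salt, fresh keys, fresh encrypted challenge.
function buildPrivateRecord(string $username, string $password): array
{
    $salt   = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $master = deriveMasterKey($password, $salt);
    $keys   = deriveSubkeys($master);
    sodium_memzero($master);
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return [
        'username'            => $username,
        'hashed_password'     => sodium_crypto_pwhash_str($password,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE),
        'public_key'          => $keys['public'],
        'salt'                => $salt,
        'nonce'               => $nonce,
        'encrypted_challenge' => sodium_crypto_secretbox(random_bytes(32), $nonce, $keys['challenge']),
        'messages'            => [],   // metadata only, keyed by timestamp
    ];
}

// Login: check the password hash, then derive the session keys exactly once.
function login(array $record, string $password): ?array
{
    if (!sodium_crypto_pwhash_str_verify($record['hashed_password'], $password)) {
        return null;
    }
    $master = deriveMasterKey($password, $record['salt']);
    $keys   = deriveSubkeys($master);
    sodium_memzero($master);
    return $keys;   // the README keeps these in $_SESSION
}

// Per-request identity check: no password hashing, just one secretbox open.
function verifyChallenge(array $record, string $challengeKey): bool
{
    return sodium_crypto_secretbox_open($record['encrypted_challenge'], $record['nonce'], $challengeKey) !== false;
}

// Sending: ciphertext to its own document, metadata into the recipient's record.
function sendMessage(array $sender, array $senderKeys, array &$recipient, array &$docs, string $plaintext): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);
    $kp    = sodium_crypto_box_keypair_from_secretkey_and_publickey($senderKeys['secret'], $recipient['public_key']);
    $ct    = sodium_crypto_box($plaintext, $nonce, $kp);
    sodium_memzero($kp);
    $id    = sodium_bin2hex(random_bytes(12));
    $docs[$id] = ['id' => $id, 'ciphertext' => $ct];
    $recipient['messages'][(string) microtime(true)] = [
        'sender' => $sender['username'], 'sender_public_key' => $sender['public_key'],
        'size' => strlen($ct), 'nonce' => $nonce, 'id' => $id];
}

// Opening: decrypt only when viewed; null means the session key no longer fits.
function openMessage(array $meta, array $docs, array $recipientKeys): ?string
{
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey($recipientKeys['secret'], $meta['sender_public_key']);
    $pt = sodium_crypto_box_open($docs[$meta['id']]['ciphertext'], $meta['nonce'], $kp);
    sodium_memzero($kp);
    return $pt === false ? null : $pt;
}

// Walk-through with two constructed users.
$alice = buildPrivateRecord('alice', 'correct horse');
$bob   = buildPrivateRecord('bob', 'battery staple');
$docs  = [];
$aliceKeys = login($alice, 'correct horse');
if (!verifyChallenge($alice, $aliceKeys['challenge'])) { exit("challenge failed\n"); }
sendMessage($alice, $aliceKeys, $bob, $docs, 'hello bob');
$meta = reset($bob['messages']);
echo openMessage($meta, $docs, login($bob, 'battery staple')), PHP_EOL;
// Password change means a new secret key; the old message is now unreadable (README caveat).
$bob = array_merge(buildPrivateRecord('bob', 'new password'), ['messages' => $bob['messages']]);
var_dump(openMessage($meta, $docs, login($bob, 'new password')));
```

Two points worth noting when reading this against the README. First, the challenge check is cheap precisely because the expensive Argon2 stretch runs once at login and only a 32-byte subkey is carried forward, which is the "stronger hashing at login, faster verification later" trade-off the text describes. Second, because the secret key and challenge key live in `$_SESSION`, decryption happens on the server: the database sees only ciphertext, but the PHP process holding the session can read messages, so session storage deserves the same care as the database itself.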