Public Encryption Link
How does this work?
This uses Elliptic-curve cryptography to exchange keys and Advanced Encryption Standard (AES) to encrypt the files and messages. The encryption link contains the public key. The decryption link contains the private key.
You might find these YouTube videos helpful:
Elliptic Curves - Computerphile
Secret Key Exchange (Diffie-Hellman) - Computerphile
AES Explained (Advanced Encryption Standard) - Computerphile
Wikipedia:
Elliptic-curve cryptography
Elliptic-curve Diffie–Hellman
Advanced Encryption Standard (AES)
How secure is this?
This uses Elliptic-curve cryptography to exchange keys. Elliptic-curve cryptography is also used in Bitcoin to authenticate the billions of dollars of transactions every day.
Advanced Encryption Standard (AES) is then used to encrypt the files and messages. According to Wikipedia:
In addition, everything is done in the browser. Nothing leaves your device and I do not collect any of your information. I don't even have a server that can process users' information (can't afford one). Try disconnecting your device from the internet; this site would still work!
The source code for this website is publicly available on GitHub. Anyone can read it, since I have nothing to hide.
Give me some of those juicy technical details.
Elliptic-curve Diffie–Hellman (ECDH) is used for both sides to establish a shared secret. I chose Curve25519 because it seems popular. The shared secret is then passed through PBKDF2 with 3000000 iterations (3000000 iterations takes around 1 second on my phone and laptop) and 16 bits of random data as salt to derive a 256-bit AES key. The message or file is then encrypted with AES-GCM. Other than the PBKDF2 key derivation operation, all other delays are artificially added. EC and AES are actually really fast. Besides PBKDF2, all other operations are done in less than a second on my laptop (other than large files for AES). When multiple files are encrypted, each file will have its own EC key pair.
Encryption links are of the form:
https://SecretDrop.io/encrypt/#key=[public key]
Decryption links are of the form:
https://SecretDrop.io/decrypt/#key=[private key]
Encrypted messages are of the form:
+-------------+---------------+-----------------+
| size (byte) | type          | description     |
+-------------+---------------+-----------------+
| variable    | string        | VersionCode     |
+-------------+---------------+-----------------+
| 1           | string        | "."             |
+-------------+---------------+-----------------+
| variable    | base64 string | EncryptedBuffer |
+-------------+---------------+-----------------+
Encrypted files are of the form:
+-------------+--------+-----------------+
| size (byte) | type   | description     |
+-------------+--------+-----------------+
| 1           | uint8  | VersionCode     |
+-------------+--------+-----------------+
| variable    | buffer | EncryptedBuffer |
+-------------+--------+-----------------+
VersionCode (uint8)
+---------+--------------+
| version | version code |
+---------+--------------+
| 1       | 1            |
+---------+--------------+
EncryptedBuffer (all data are stored in big endian)
+-------------+--------+------------------------+
| size (byte) | type   | description            |
+-------------+--------+------------------------+
| 32          | uint32 | encrypter's public key |
+-------------+--------+------------------------+
| 16          | uint16 | key import salt        |
+-------------+--------+------------------------+
| 12          | buffer | iv                     |
+-------------+--------+------------------------+
| variable    | buffer | encrypted data         |
+-------------+--------+------------------------+
| 16          | buffer | authentication tag     |
+-------------+--------+------------------------+
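
The layouts above can be validated before any key derivation or decryption is attempted. The following is an added example, not SecretDrop's own code: a strict parser for version 1 messages and files. The function names, the standard base64 alphabet and the sample bytes are assumptions, and the salt is read as 16 bytes, as the EncryptedBuffer table gives it.

```javascript
// Added example: strict parser for the version 1 layouts in the tables above.
const SUPPORTED_VERSION = 1;
// Fixed-size leading fields of EncryptedBuffer in wire order (sizes in bytes, from the table).
const FIELDS = [["publicKey", 32], ["salt", 16], ["iv", 12]];
const TAG_LEN = 16;
const HEADER_LEN = FIELDS.reduce((n, [, len]) => n + len, 0); // 60 bytes

function parseEncryptedBuffer(buf) {
  if (buf.length < HEADER_LEN + TAG_LEN) {
    throw new Error(`EncryptedBuffer too short: ${buf.length} bytes`);
  }
  const out = {};
  let off = 0;
  for (const [name, len] of FIELDS) {
    out[name] = buf.subarray(off, off + len);
    off += len;
  }
  out.ciphertext = buf.subarray(off, buf.length - TAG_LEN);
  out.tag = buf.subarray(buf.length - TAG_LEN);
  // Web Crypto's AES-GCM decrypt takes the tag appended to the ciphertext.
  out.ciphertextWithTag = buf.subarray(off);
  return out;
}

function parseMessage(text) {
  const dot = text.indexOf(".");
  if (dot < 1) throw new Error("missing VersionCode or '.' separator");
  const version = text.slice(0, dot);
  if (version !== String(SUPPORTED_VERSION)) throw new Error(`unsupported version: ${version}`);
  const b64 = text.slice(dot + 1);
  // Assumption: standard base64 alphabet with padding. Buffer.from() does not
  // reject malformed input, so validate the string before decoding it.
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error("EncryptedBuffer is not valid base64");
  }
  return { version: SUPPORTED_VERSION, ...parseEncryptedBuffer(Buffer.from(b64, "base64")) };
}

function parseFile(bytes) {
  if (bytes.length < 1 || bytes[0] !== SUPPORTED_VERSION) throw new Error("unsupported version");
  return { version: bytes[0], ...parseEncryptedBuffer(bytes.subarray(1)) };
}

// Constructed sample: recognisable filler bytes, not real key material or ciphertext.
function buildSampleMessage() {
  const parts = [[0xa1, 32], [0xb2, 16], [0xc3, 12], [0xd4, 5], [0xe5, 16]];
  return "1." + Buffer.concat(parts.map(([b, n]) => Buffer.alloc(n, b))).toString("base64");
}
```

Rejecting short or malformed input here means the PBKDF2 step only ever runs on buffers that have all the fixed-size fields in place.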