OpenPGP encryption tool
by Mateja Trifunovski
In a world where privacy is constantly invaded, people are starting to care about it. Private messaging platforms are becoming more and more popular, and they should be, because privacy does matter.
This article is about end-to-end encryption of email. My experience comes from building a decentralized end-to-end encrypted email system called Lemon Email. The same approach applies to pretty much any system that uses the same or similar cryptographic algorithms.
The basic idea is that to keep data private we must make it unreadable to anyone who intercepts it. The best way to do that is to encrypt it at the source, that is, on the client. Then even if the data is intercepted on its way to the server, or read out of the database later, the interceptor learns nothing about its contents. (What the ciphertext still reveals is metadata: its approximate size and, in a standard OpenPGP message, the ID of the recipient's key.)
We will be using public-key cryptography, also known as asymmetric cryptography. For the actual implementation we will use the open source library OpenPGP.js. The implementation is kept very simple and omits all back-end code. The snippets below use the OpenPGP.js v2 API (the version printed in the armored output further down); later major versions changed these calls, in particular key unlocking became asynchronous, so check the API reference of the version you install.
The first step is to generate the private and public keys we will use to encrypt and decrypt our emails. In the snippet below we pass some options, such as the key length in bits. The length determines the key's strength and also how long it takes to generate. We also pass a user-specified passphrase that is used to lock (encrypt) the private key.
// OpenPGP.js v2 API
let keyOptions = {
    // identity bound to the key; name and address here are example values
    userIds: [{ name: "Bob", email: "bob@example.com" }],
    numBits: 2048,
    passphrase: "secret-passphrase"
    // you would normally read the passphrase from an input field, never hard-code it
};
let user = {};
openpgp.generateKey(keyOptions)
    .then((key) => {
        user.privateKey = key.privateKeyArmored; // encrypted with the passphrase
        user.publicKey = key.publicKeyArmored;   // safe to publish
    })
    .catch((err) => console.error("key generation failed:", err));
The passphrase is very important because the private key cannot be used without it. We usually keep the private key in persistent storage, such as a database, where someone else may be able to read it, and the passphrase is then the only thing preventing that someone from using the key. Note that an attacker who has obtained the stored key can try passphrases offline, so the passphrase must be strong. It should live only on the client, in the user's memory, and never be sent to the server.
After creating our keys we need at least two users before anyone can exchange messages. For simplicity's sake, let's say another user created his keys somewhere, so we now have two users.
In this scenario a user named Bob is sending a message to John. If we want only John to be able to read the message, we take John's public key and use it to encrypt the full message. Later John will be able to read the message using his private key. Note that this encrypts the message but does not sign it: John gets confidentiality, but no proof that the message really came from Bob, which would require Bob to also sign it with his own private key.
// Bob{} (User 1), John{} (User 2); each holds publicKey / privateKey as armored strings
const email = {
    subject: "Hello John, I'm Bob!",
    body: "Secret message"
};
const options = {
    data: JSON.stringify(email),
    // Here we use John's public key for encryption
    publicKeys: openpgp.key.readArmored(John.publicKey).keys
};
let messageForJohn = "";
openpgp.encrypt(options)
    .then((cipherText) => {
        messageForJohn = cipherText.data; // armored PGP MESSAGE block
    })
    .catch((err) => console.error("encryption failed:", err));
The variable messageForJohn now holds the encrypted email, which looks like the snippet below.
-----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v2.5.4
Comment: http://openpgpjs.org
0mgBCFDGPx2Bz+cETU+PtCjKSzgB+U4pVvEakBlEdBHFnccqfSBI8+A1DCns
s1cOKrMtJ5SfZaYSlxdO+982UqgH8NEV5/+ZLn8OCx+/ppff4EIuN0ZuN4ps
LkbeHL93oA8Ja/rKGJp+kg==
=bf0/
-----END PGP MESSAGE-----
Now that the contents of the message are encrypted, let's decrypt them so John can finally read his message. All we need is John's passphrase ("john-passphrase") and his private key.
// John {} (User 2)
let privateKey = openpgp.key.readArmored(John.privateKey).keys[0];
// In the v2 API decrypt() unlocks the key in place and returns false on a wrong passphrase
if (privateKey.decrypt("john-passphrase")) {
    openpgp.decrypt({
        privateKey: privateKey,
        message: openpgp.message.readArmored(messageForJohn)
    })
    .then((decryptedData) => {
        const email = JSON.parse(decryptedData.data);
        console.log(email);
    })
    .catch((err) => console.error("decryption failed:", err));
} else {
    console.error("wrong passphrase, private key stays locked");
}
John’s message has been decrypted and he can read it now. If everything went well it should look like this.
{
"subject": "Hello John, I'm Bob!",
"body": "Secret message"
}
This was a brief demonstration of how two users can communicate privately. You can expand it as you wish. Try storing the public and private keys in a database, and create a login system that asks the user for the passphrase along with the usual username and password (keep in mind that the passphrase must then stay on the client, otherwise the server could unlock the stored private key). You could also try other encryption libraries, such as crypto-js. Just play with it!
At first you might think, "why isn't everything encrypted?" Well, encryption comes with some drawbacks.
Clients like browsers are becoming more and more performant, but JavaScript runs on a single main thread, so the screen can freeze during intensive work like generating keys or decrypting large data. With Web Workers, which move that work off the main thread, and future performance improvements, this could become standard.
Also, some features like search become quite tricky, because the server cannot search through data it cannot read; search has to run on the client over decrypted data. With client-side storage such as IndexedDB we might even see fully front-end search soon.
I've made an example showing basic encryption of a dummy email at this GitHub link. So feel free to take a look at the code and play around with it!
Translated from: https://www.freecodecamp.org/news/handling-front-end-encryption-using-openpgp-3b0462bf5876/