Protect your data with PGP encryption in Flutter.

Annsh Singh
Published in Flutter Clan
3 min read · Jun 30, 2021

End-to-end encryption is a great way to ensure private and secure communication on a platform. You might have heard of this concept when popular apps like WhatsApp and Telegram integrated it into their services a few years back.

As a developer of a communication platform, you would want to ensure security in your product as well, and for that we have PGP (Pretty Good Privacy) to the rescue. In fact, PGP is the most widely used email encryption system in the world.

In simple terms, when PGP is in place and a sender sends a message, that message can only be decrypted and read by the authorized recipient. This works because only the recipient has the key needed to convert the text back into the readable message on their device.

How does it all work?

[Diagram: PGP encryption and decryption flow. Credits: ProtonMail]

Let’s look at the diagram above to understand what actually happens when the data is encrypted and decrypted.

  1. Encryption: First, a random session key is used to encrypt your data. Then, that same session key is encrypted using the receiver’s public key. The encrypted message and the encrypted session key together form the payload that is sent to the recipient.
  2. Decryption: Here, the receiver first decrypts the session key using their private key. The decrypted session key is then used to decrypt the encrypted message, which gives the user the readable message.

Things to keep in mind:

  1. The session key used to encrypt should be completely random, i.e. not easily guessable, as anyone who knows the session key can read the message. Also, a session key is unique for every message.
  2. Public keys are meant to be shared, so there is no harm in sharing them over your platform. Private keys, on the other hand, must never be transmitted. If there is ever a need to do that, one must consider encrypting the private key as well, using a custom encryption technique unique to your platform.

Now that we are done with the basics, let’s move on to the implementation part.

For PGP in Flutter, we need the openpgp package.

We follow a mixture of symmetric encryption and public key encryption here.

We encrypt the message itself using symmetric encryption, as a message could be huge and symmetric encryption is more efficient for that.

Let’s have a look at the code now.

Encryption:

A typical encrypt method would look something like this:

// Requires: import 'package:openpgp/openpgp.dart';
static Future<void> encrypt(String textMessage, String receiversPublicKey,
    void Function(String, String) returnData) async {
  // Create a session key, fresh for every message.
  // getRandomSessionKey() is an app-side helper; it must return an
  // unguessable value.
  String sessionKey = getRandomSessionKey();

  // Encrypt data using session key
  String encryptedMessage =
      await OpenPGP.encryptSymmetric(textMessage, sessionKey);

  // Encrypt session key using receiver's public key
  String encryptedSessionKey =
      await OpenPGP.encrypt(sessionKey, receiversPublicKey);

  // Hand both parts back to the caller; they are sent together.
  returnData(encryptedMessage, encryptedSessionKey);
}

Here, we followed the same flow as we had discussed earlier using the diagram above.
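The `getRandomSessionKey()` helper called in the encrypt method is not shown in the article. The following is an added example, not the author's code, of one way to write it so the session key meets the "completely random, unique for every message" requirement listed earlier. The 32-byte length, the base64url encoding and the `weakSessionKey` contrast function are assumptions made for illustration.

```dart
import 'dart:convert';
import 'dart:math';
import 'dart:typed_data';

/// Weak (for contrast only): Random(seed) is a deterministic PRNG.
/// Anyone who can guess the seed, e.g. a timestamp, regenerates the key.
String weakSessionKey(int seed) {
  final rng = Random(seed);
  final bytes =
      Uint8List.fromList(List<int>.generate(32, (_) => rng.nextInt(256)));
  return base64UrlEncode(bytes);
}

/// Hardened: Random.secure() draws from the platform CSPRNG.
/// 32 bytes gives 256 bits of entropy; base64url keeps the result a plain
/// String, which is what the symmetric encrypt call takes as its key argument.
String getRandomSessionKey({int lengthInBytes = 32}) {
  if (lengthInBytes < 16) {
    throw ArgumentError.value(
        lengthInBytes, 'lengthInBytes', 'must be at least 16 (128 bits)');
  }
  final rng = Random.secure();
  final bytes = Uint8List(lengthInBytes);
  for (var i = 0; i < bytes.length; i++) {
    bytes[i] = rng.nextInt(256);
  }
  return base64UrlEncode(bytes);
}

void main() {
  // Constructed seed standing in for a message timestamp (seconds).
  const seed = 1625011200;

  // Same seed, same key: the weak generator is fully reproducible.
  print('weak keys equal: ${weakSessionKey(seed) == weakSessionKey(seed)}');

  // One fresh key per message: 1000 draws should all be distinct.
  final keys = <String>{
    for (var i = 0; i < 1000; i++) getRandomSessionKey()
  };
  print('distinct secure keys: ${keys.length} of 1000');
  print('key length in characters: ${getRandomSessionKey().length}');
}
```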

Decryption:

// Requires: import 'package:openpgp/openpgp.dart';
static Future<void> decrypt(String encryptedMessage, String encryptedSessionKey,
    void Function(String) returnData) async {
  // Decrypt session key with private key of recipient.
  // The third argument is the private key's passphrase (empty here).
  String decryptedSessionKey = await OpenPGP.decrypt(encryptedSessionKey,
      StreamChatManager.instance.decryptedPrivateKey, '');

  // Decrypt message with decrypted session key
  String decryptedText =
      await OpenPGP.decryptSymmetric(encryptedMessage, decryptedSessionKey);

  returnData(decryptedText);
}

Here, we receive the encrypted message and the encrypted session key. The message is decrypted symmetrically because it was encrypted symmetrically.

Here you go.
