one-time-link
A Java webapp that encrypts a secret in the browser and stores encrypted information on the server (without the secret) that can only be read once by the link. That link is the link you would pass to an associate preferrably via some secure protocol (like WhatsApp). The advantage of passing a one-time link is that even if someone gets access to the history of your messages they won't get access to the secret.
Features
- uses AES 256 bit CCM encryption (Stanford Javascript Crypto Library)
- self-contained war that saves encrypted messages to the file system
Status: Deployed to Maven Central
Demo
How to run locally
mvn jetty:run
Then go to http://localhost:8080.
How to deploy to a java servlet container
Either
- download the WAR file from Maven Central or
- build from source
To build from source:
mvn clean install
Then deploy target/one-time-link*.war
to your servlet container (Tomcat, Jetty, etc).
Encrypted values are stored on the server file system in the ${java.io.tmpdiri}/one-time-link
directory (/tmp/one-time-link
on Linux).
Security considerations
Of course this application is ALL about security!
Important things to note:
- AES 256 is considered strong enough for top secret encryption by the NSA
- The server side never sees the unencrypted value nor the secret key used for the encryption
- Sending a one-time use link by email is problematic because a man-in-the-middle attack might intercept an email, use the link, and create a new link from the secret to pass on to the recipient in the edited email. Ideally your communication channel will be secure enough that man-in-the-middle attacks are not possible.
- The message key and the password are 16 characters long generated from random lower case and upper case letters (2.8 x 1027 variations).
AWS
Discussion of a scalable AWS implementation is here.