dwyte / cipher-chat Goto Github PK

What is the license for this project? is it open source?

Please describe step by step how to run application and also all the dependencies to be installed.

The app lags due to large amounts of spam and user activity. other than that great app and i will definitely be glad to help work on this.

Hey it looks like you have a client collision problem. For example:
Client1 registers with
username: user1
Password: atotallygoodpassword

Client2 registers with
username: user
Password: 1atotallygoodpassword

That being said, here's some feedback on the overall security:

1. You need to bcrypt, Argon2, or PBKDF2 the passwords for auth. SHA256 is not sufficient

2. You're using the hash of the password, basically, to seed the private key generation. There is not enough entropy there, and you're likely to get very poorly distributed private keys

3. The passphrase should be used to encrypt the private key, not generate it. Use PBKDF2 to stretch the passphrase to an appropriate length

4. RSA 1024 is not large enough anymore. I'd skip RSA altogether. No mention of padding schemes or anything. At the very least, I'd switch to a hybrid scheme with AES doing the "bulk" session encryption. But ideally you'd use a scheme with better forward secrecy.

from u/nodeent on reddit