A Python implementation of secure message exchange using JSON Web Encryption (JWE) and JSON Web Signature (JWS).

adimyth/secure-message-exchange

Secure Message Exchange

A Python implementation of secure message exchange using JSON Web Encryption (JWE) and JSON Web Signature (JWS).

Overview

This project implements a secure message exchange system using:

  • JSON Web Encryption (JWE) for confidentiality
  • JSON Web Signature (JWS) for authenticity and integrity
  • Hybrid encryption (RSA + AES) for efficiency
  • Digital signatures for message authentication

Key Features

  • Hybrid encryption combining RSA and AES
  • Secure key exchange using RSA-OAEP-256
  • Payload encryption using AES-256-GCM
  • Message signing using RSA-SHA256
  • Complete message integrity and authenticity verification

Technical Details

JWE (JSON Web Encryption)

JWE provides a way to encrypt content with a two-step encryption process:

  1. Key Encryption

    • Generates a random Content Encryption Key (CEK)
    • Encrypts CEK with recipient's public key using RSA-OAEP-256
    • This allows secure key sharing between parties
  2. Content Encryption

    • Encrypts actual payload using AES-256-GCM with the CEK
    • Uses a randomly generated IV for each encryption
    • GCM mode provides authenticated encryption

JWE Structure:

base64url(header).
base64url(encrypted_key).
base64url(iv).
base64url(ciphertext).
base64url(auth_tag)

JWS (JSON Web Signature)

JWS provides a way to digitally sign content:

  1. Takes the entire JWE as input
  2. Creates a signature using sender's private key
  3. Uses RSA-SHA256 for signing

JWS Structure:

base64url(header).
base64url(payload).
base64url(signature)

How It Works

Encryption & Signing Process

  1. Generate and Encrypt CEK

    cek = generate_random_key()
    encrypted_cek = rsa_encrypt(cek, receiver_public_key)
  2. Encrypt Payload

    iv = generate_random_iv()
    ciphertext, auth_tag = aes_gcm_encrypt(payload, cek, iv)
  3. Create JWE

    • Combine all components with base64url encoding
    • Format: header.encrypted_key.iv.ciphertext.auth_tag
  4. Sign JWE

    • Create signing input: jws_header.jwe_string
    • Generate signature using sender's private key
    • Create final JWS: jws_header.jwe_string.signature

Decryption & Verification Process

  1. Verify Signature

    • Split JWS into components
    • Verify signature using sender's public key
    • Extract JWE if signature is valid
  2. Decrypt Content

    • Split JWE into components
    • Decrypt CEK using receiver's private key
    • Use CEK to decrypt payload
    • Verify authentication tag
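
The two procedures above as one runnable sketch. This is an added example, not the repository's code: the function names mirror the README's method names, but the bodies are written here. Assumptions: "RSA-SHA256" is taken to mean RS256 (RSASSA-PKCS1-v1_5 with SHA-256), the JWE is base64url-encoded as the JWS payload (as in the "JWS Structure" layout), a 12-byte IV is used, and the JWE header is bound to the ciphertext as GCM additional authenticated data, as RFC 7516 specifies.

```python
import base64, json, os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed parameters: OAEP with SHA-256 (RSA-OAEP-256), RS256 for "RSA-SHA256".
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
SIG = (padding.PKCS1v15(), hashes.SHA256())

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encrypt_and_sign(plaintext: bytes, receiver_pub, sender_priv) -> str:
    header = b64u(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM"}).encode())
    cek, iv = AESGCM.generate_key(bit_length=256), os.urandom(12)  # fresh per message
    # AESGCM returns ciphertext || 16-byte tag; the header is bound as AAD (RFC 7516).
    sealed = AESGCM(cek).encrypt(iv, plaintext, header.encode())
    jwe = ".".join([header, b64u(receiver_pub.encrypt(cek, OAEP)), b64u(iv),
                    b64u(sealed[:-16]), b64u(sealed[-16:])])
    signing_input = b64u(json.dumps({"alg": "RS256"}).encode()) + "." + b64u(jwe.encode())
    return signing_input + "." + b64u(sender_priv.sign(signing_input.encode(), *SIG))

def verify_and_decrypt(token: str, sender_pub, receiver_priv) -> bytes:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS must have exactly three segments")
    jws_header, payload, sig = parts
    # Pin the algorithm instead of letting the token choose how it is verified.
    if json.loads(b64u_dec(jws_header)).get("alg") != "RS256":
        raise ValueError("unexpected JWS alg")
    # Raises InvalidSignature before any private-key operation touches the input.
    sender_pub.verify(b64u_dec(sig), f"{jws_header}.{payload}".encode(), *SIG)
    jwe = b64u_dec(payload).decode().split(".")
    if len(jwe) != 5:
        raise ValueError("JWE must have exactly five segments")
    header, enc_key, iv, ciphertext, tag = jwe
    cek = receiver_priv.decrypt(b64u_dec(enc_key), OAEP)
    # Raises InvalidTag if the header, IV, ciphertext or tag was altered.
    return AESGCM(cek).decrypt(b64u_dec(iv), b64u_dec(ciphertext) + b64u_dec(tag), header.encode())

if __name__ == "__main__":
    sender = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    receiver = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    token = encrypt_and_sign(b"Secret message", receiver.public_key(), sender)
    print(verify_and_decrypt(token, sender.public_key(), receiver))
```

Verifying the signature first means a forged or modified token is rejected before the receiver's private key is ever applied to it.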

Usage

from encrypt_and_sign import JWEJWSCrypto
from decrypt_and_verify import JWEJWSDecryptor

# Initialize with keys
crypto = JWEJWSCrypto(receiver_public_key, sender_private_key)
decryptor = JWEJWSDecryptor(sender_public_key, receiver_private_key)

# Encrypt and sign
encrypted_message = crypto.encrypt_and_sign("Secret message")

# Verify and decrypt
decrypted_message = decryptor.verify_and_decrypt(encrypted_message)

Installation

  1. Clone the repository:

    git clone https://github.com/adimyth/secure-message-exchange.git
  2. Install requirements:

    pip install cryptography

Security Considerations

  • Use strong key pairs (minimum 2048 bits for RSA)
  • Securely manage private keys
  • Use secure random number generation
  • Each message uses a fresh CEK and IV
  • OAEP padding protects the RSA encryption of the CEK against padding oracle attacks
