Clear JSON?
Is there anything to encrypt JSON data?
Something more secure than HTTPS only? (open to MitM via network or mobile VPN attacks)
An end-to-end encryption based on:
- generated public keys for client and server via HKDF
- securely stored keys in the app (private client / public server)
- salt can be based on timestamp
JSON can be encrypted with these shared keys.
And, for better security, in-app keys can be used only once for /register, by providing a client public key for future exchanges.
In /register, the server can send its own public key.
And, after that, JSON can be encrypted using new keys.
Keys can rotate after each exchange.
It becomes really difficult, after cracking HTTPS, to understand what happened.
Because everything starts on the first HTTPS connection, it's difficult to obtain dynamic keys.
Themis open-source framework is available for Swift, Java and more.
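The /register exchange and the per-exchange key rotation described above, written out as an added Go example (not code from the thread or from Themis): an X25519 agreement between the app's private key and the server's public key, HKDF-SHA256 for the chain key, and AES-256-GCM over the JSON bytes. The timestamp-style salt, the HKDF info labels and the "one message key per exchange, then ratchet" rule are assumptions; `NewKey` stands in for the keys shipped inside the app.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hkdf64 is RFC 5869 HKDF-SHA256 (extract, then expand) truncated to two 32-byte blocks.
func hkdf64(ikm, salt, info []byte) (k1, k2 []byte) {
	ext := hmac.New(sha256.New, salt); ext.Write(ikm) // extract: PRK = HMAC(salt, IKM)
	h := hmac.New(sha256.New, ext.Sum(nil))          // expand, keyed with the PRK
	h.Write(info); h.Write([]byte{1}); k1 = h.Sum(nil)
	h.Reset(); h.Write(k1); h.Write(info); h.Write([]byte{2})
	return k1, h.Sum(nil)
}
// NewKey makes an X25519 key pair, standing in for the keys shipped inside the app (assumption).
func NewKey() *ecdh.PrivateKey { k, _ := ecdh.X25519().GenerateKey(rand.Reader); return k }
// Session holds one side's chain key, which is ratcheted forward on every exchange.
type Session struct{ chain []byte }
// Register is the /register step: X25519 agreement with the peer's public key, then HKDF with a timestamp-derived salt (assumed rule).
func Register(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey, salt []byte) (*Session, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil { return nil, err }
	k1, _ := hkdf64(shared, salt, []byte("register"))
	return &Session{chain: k1}, nil
}
// aead derives this exchange's AES-256-GCM key and advances the chain key (the per-exchange rotation); peers must stay in step.
func (s *Session) aead() cipher.AEAD {
	key, next := hkdf64(s.chain, nil, []byte("message"))
	s.chain = next // a chain key captured later cannot unlock earlier traffic
	blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk)
	return g
}
// Seal encrypts one JSON document under the current message key; the random nonce is prefixed.
func (s *Session) Seal(jsonDoc []byte) []byte {
	g := s.aead()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, jsonDoc, nil)
}
// Open decrypts a Seal output made at the same ratchet step; a replay or a tampered body fails.
func (s *Session) Open(ct []byte) ([]byte, error) {
	g := s.aead()
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
```

Each side calls `Register` once with its own private key and the peer's public key, after which every `Seal`/`Open` pair consumes one message key, so a ciphertext replayed after rotation no longer decrypts.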