End-to-end encryption (E2EE) in XMPP

Jaspreet Chhabra
Jaspreet Chhabra, Chief Architect at Scramble Apps
Published on Apr 15, 2019 in Custom Software Developers Resources
End-to-end encryption (E2EE) in XMPP

There are various end to end encryption algorithm written till date but I found holes in most of them. One of the best end to end encryption is OpenPGP, OX, OTR, and OMEMO. Some encryption doesn’t support Multiple Devices or Offline Messages or File Transfer or archiving.

The best one I found is OMEMO which is reliable and looks very promising. But some issues found in it as well for message archiving. It also need pep node subscription open for device list and bundle identifier which allow non rosters to see the data. Also OMEMO uses a signal protocol from whisper systems which makes it GPL license which prevents people from legally shipping forks or derivatives works that include our code to the App Store (without an exemption). Although many people and organizations have requested license exemptions.

I decided to write an encryption standard that can simplify things as we need it on each and every app for the security of end users. The purpose of writing this encryption standard is because I want to simplify the way encryption/decryption is done and make it more secure by moving the keys on a separate server.

This specification will support :

  • Multi-device
  • Group chat
  • Mam support
  • Search MAM message support
  • Offline message support
  • File transfer support
  • Per Message Overhead - Low


We can use Any encryption and decryption technique and keep that logic on a class on keys server. (I will suggest AES 256).

Keys are used for encrypting and decrypting messages. keys can be stored on a separate server / safe storage like Amazon S3 from where they can be called to decrypt the messages.

Authenticate to Key SRV (if not yet)
Client 1Client 2Key SRV
Authenticate to Key SRV (if not yet)
Create conversation row
Create Key
Return Key object (ID and real Key)
Gets Key object
Encrypt message and sends via XMPP with Key ID
Receives Encrypted message from XMPP
If key is not present locally GET key object from Key SRV
Check if receiver has permissions for this conversation
Returns key object
Decrypt the message with the key

Example message packet:

<message to='juliet@test.com’ from='romeo@test.com’ id='send1'> <encrypted xmlns = ‘jabber:encrypted’ objectid = ‘5YGC0FF90k’> 5MFUu9BmMxjkAhHs5OSqjQ== </encrypted> </message>

Now it's own us how soon we need to change object id may be every time user go to chat screen :)

Files will be stored on s3 bucket with KMS encryption. So client app will upload files through api server and api server will upload them to the s3 bucket with KMS encryption. Same way files will be downloaded.

In the case of files, the file URL should be encrypted with encryption key against object id sitting in a separate server.

Find more top mobile app developers worldwide on AppFutura.

Looking for an app or software development company?

You can post a project on AppFutura for free and explain your needs for app or software development. You will receive quotes from qualified companies and will be able to hire the best candidate through a safe payment system.

Post a project

About the author
Jaspreet ChhabraChief Architect at Scramble Apps

Jaspreet provides secure applications for banking, social or anything which needs good encryption. Jaspreet can help you create chat applications like WhatsApp, Google pay, Line, Kakao, Telegram, etc. or Taxi applications like Uber, Ola, etc or E-co...

You might also like