How it works
QRTalk implements end-to-end message encryption, information time-to-live and client-server secure communications.
All exchanged contents are protected by end-to-end encryption: no one but the sender and recipient can access them.
Devices generate RSA key pairs for encryption. The private key is saved in the device private storage and the public key is sent to the QRTalk server, where it is associated with a anonymous random user ID.
Outgoing messages are individually encrypted using AES with secure random initialization vector and key. The random key is encrypted using the corresponding public key for each of the recipient devices and then dispatched to the server for delivery. Only routing information (i.e. user IDs and TTL) is not end-to-end encrypted since it must be accessible to the server.
Users’ public keys are downloaded from server and can be accessed only by registered users.
Identity and public key of other users can be verified using fingerprints.
Messages can be signed with sender’s private key.
Public key verification together with message signing makes message-forging and man-in-the-middle attacks totally impossible.
Messages and media are queued on QRTalk server only if recipient is temporarily off-line, else they are not stored at all and immediately forwarded to destination.
Users select message time-to-live at send time: few seconds, 5 minutes, 1 hour, 1 day, 1 week.
If message recipient is off-line at send time, encrypted message is temporarily stored on server and deleted either when it get delivered to its final destination or when associated time-to-live expires. No message is ever stored on QRTalk server for more than 7 days, no matter what the time-to-live might be.
From a server perspective, chat messages and tracking events are totally opaque objects and must be delivered to destination devices in order to be of any use.
Client application stores encrypted messages on device, in the private storage space. When time-to-live expires messages are deleted from device local storage too.
Secure network connections
Client/server connections are protected with end-to-end encryption and SSL/HTTPS secure transmission protocol.
✓ Request payloads are end-to-end encrypted using dedicated encryption keys generated on devices.
✓ All connections are short lived and transport only encrypted information.