SURE

Secure URL Requests

No Javascript Detected

Unfortunately, this site requires Javascript in order to generate keypairs, save them in localstorage, and encrypt/decrypt data. Please enable Javascript and refresh the page.

How it Works:

The first thing to understand is how public key cryptography works.

Essentially, you generate a pair of keys that can undo the operations of each other. If you encrypt a message with your public key, it can only be decrypted by your private key.

Chart of the public key cryptography process

This is why you're safe to share your "Request URL" out in the open. Anyone who accesses this URL will receive your public key, and encrypt the message with it along with their own private key. When you receive the URL with their encrypted message, you take their public key and your private key to undo the operations of their private key and your public key.

But of course it's not as simple as that

Traditional public-key cryptography like RSA is limited in the messages it can encrypt by the size of the public key. To overcome this limitation, we use ECDH for short public keys that can encrypt an arbitrary amount of data by establishing a shared "symmetric" key for encryption/decryption, which is beyond the scope of this explanation. But the following chart should give you a general idea of how the process works.

Flowchart of the SURE process
FAQ
  • What is this?

    SURE is a system for securely sending information via a URL request. It uses the Elliptic Curve Diffie-Hellman algorithm to generate a shared secret between the sender and recipient, which is then used to encrypt the message in a response URL. The device that generated the URL request can then decrypt the message in the URL sent back to them using their private key.

  • What if I want all of my devices to be able to decrypt messages from the same request?

    If you want to be able to decrypt messages from the same request on multiple devices, you'll need to export the keypair from the device that generated the request, and then import it into the other devices. You can do this by clicking the "Manage Keys" link at the bottom of the page, and then clicking the "Export Keys" button. This will give you a JSON file that you can import on other devices via the "Import Keys" button.

  • What if I lose my keys?

    If you lose your keys, either from clearing your localstorage or losing your device, you won't be able to decrypt any messages sent to you. You'll need to send over the new request URL from your device to anyone who wants to send you a message.

  • Why was this built?

    This was built as a proof of concept for a secure messaging system that doesn't require a user to sign up for an account or download an app. It can even work entirely offline if you build the app from source and open the HTML file in your browser. You can also manage your keys so that all of your devices can decrypt messages from the same request URL.