Daniel Martins

Reputation: 1

Store secret key in react securely after creating secure channel

My question is: where can I secure one secret key in the frontend?

The context is, the server is using RSA to create a public and private key, the client will do the same.

They will negotiate a secret key for AES encryption, for example, therefore creating a supposedly secure channel.

So now the backend stores the secret key they agreed on, which is alright because no one can access it (normally), and the frontend has to store it too, otherwise it can't encrypt or decrypt the information received from or sent to the backend.

So now the problem is:

Upvotes: 0

Views: 779

Answers (1)

JimChr - R4GN4R

Reputation: 168

Disclaimer: I am not a front-end expert. I would make a comment but do not have enough reputation :P

I will take the Telegram app as an example.

Telegram does not support E2E chats on web browsers. And the reason for that, I guess, is that the best practice is to store a shared key in RAM and, for the long term, on your local storage (hard disk), and not in plaintext.

If you want to save a shared key in the browser, I guess the only way to do so is in session storage or, I guess most securely, using Redux-like solutions (Redux State is stored in Primary Memory (or) Secondary Memory?).

Now let's go on the encryption protocol part...

I don't know if this is just a mini project, but if you want to make it right, you should dig more into the encryption, authorization and verification process.

So I suggest you check out MTProto: https://core.telegram.org/mtproto

And here they describe the E2E preparation (if you need to use hashing somewhere, do NOT go below sha256): https://core.telegram.org/api/end-to-end

I hope my answer helped you even a bit.

Upvotes: 1
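
Added example, not part of the original question or answer: one way to keep the negotiated AES key in memory only, using the Web Crypto API so that it exists as a non-extractable `CryptoKey` instead of raw bytes in session storage. The RSA-OAEP key wrapping, the in-process server stand-in and all function names are assumptions made for illustration.

```javascript
// Browser Web Crypto; the require() fallback only matters on older Node.js.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webcrypto;

// Client RSA-OAEP pair: extractable=false keeps the private key unreadable by scripts.
function makeClientKeyPair() {
  return subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['wrapKey', 'unwrapKey']);
}

// Constructed stand-in for the backend: creates the AES key and wraps it for the client.
async function serverWrapAesKey(clientPublicKey) {
  const aes = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true,
                                       ['encrypt', 'decrypt']);
  return subtle.wrapKey('raw', aes, clientPublicKey, { name: 'RSA-OAEP' });
}

// Client: unwrap straight into a non-extractable CryptoKey; raw bytes never reach JS.
function unwrapSessionKey(wrapped, clientPrivateKey) {
  return subtle.unwrapKey('raw', wrapped, clientPrivateKey, { name: 'RSA-OAEP' },
                          { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
}

// Keep the key in a closure (memory only); nothing is written to web storage.
function createSession(key) {
  return {
    async encrypt(text) {
      const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV per message
      const data = await subtle.encrypt({ name: 'AES-GCM', iv }, key,
                                        new TextEncoder().encode(text));
      return { iv, data };
    },
    async decrypt({ iv, data }) {
      const plain = await subtle.decrypt({ name: 'AES-GCM', iv }, key, data);
      return new TextDecoder().decode(plain);
    },
    // True only if a script could read the raw key bytes back out.
    canExport: () => subtle.exportKey('raw', key).then(() => true, () => false),
  };
}

// Full exchange with both sides in one process, for demonstration.
async function demo(message) {
  const pair = await makeClientKeyPair();
  const wrapped = await serverWrapAesKey(pair.publicKey);
  const session = createSession(await unwrapSessionKey(wrapped, pair.privateKey));
  const roundTrip = await session.decrypt(await session.encrypt(message));
  return { roundTrip, keyExportable: await session.canExport() };
}
```

A non-extractable key cannot be read out of the page, but any script running in the page can still call `encrypt` and `decrypt` with it while the tab is open. The key is gone after a reload, so the client renegotiates instead of persisting it.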
