Plug-in for privacy
by amn319 - Monday January 27, 2025 at 09:27 AM
#11
aren't you describing gpg light?
#12
(01-29-2025, 06:08 PM)coconuthead Wrote:
(01-29-2025, 01:45 PM)amn319 Wrote:
(01-29-2025, 01:07 PM)coconuthead Wrote:
(01-29-2025, 08:49 AM)amn319 Wrote:
(01-28-2025, 11:20 PM)coconuthead Wrote: Something like this could be built on top of Telegram. You would need to build an unofficial client to support adding keys, and they would be stored only on your client end. Public keys would be automatically handed out. It is very possible and doable and wouldn't take a long time to develop since the Telegram desktop client is open source. I have thought about building this earlier since people are reluctant to move away from Telegram. But I unfortunately can't afford to do this right now since it wouldn't pay me. I don't think other apps would appreciate it, like WhatsApp or Signal, and they will never accept add-ons being built for the app.

Well, thanks for sharing your knowledge. You bring up some very interesting points which I didn't really think of. I'm not a great programmer, but maybe I could just work on it in the future, even if it's just for me.

I found someone on GitHub who started this project in Python 4 years ago, but never completed it. He highlighted the necessary features of such a client. This would also apply to any other app you would build this type of client for apart from Telegram.
  • Uses Elliptic Curve Diffie-Hellman to get a shared key
  • Messages are encrypted using AES
  • Initially, ECDH public key is uploaded to a server.
  • A client willing to chat will fetch this public key and derive a shared secret
  • This shared secret will be used to encrypt the conversations

Your only concern will be how to keep your private key secure since it is stored on your hard drive. It would require meticulous OPSEC. For 100% security you would need a system on which you use this Telegram client and download no other software, and even then your security would be 99.99% and not 100% (because of vulnerabilities like EternalBlue we have seen in the past; the chance of something like this happening again is so small but never impossible). As we have seen many times in the past, normal trusted software can be tainted with malware, either by the company that created it, or by threat actors.

Thanks again, the image is much clearer. I guess an initial solution is to create a simple Python app, do all the cryptography coding in that app and then maybe send and receive the encrypted content using an API if available, similar to this: https://core.telegram.org/tdlib.
I think that for OPSEC, maybe using an isolated environment or adding a password-protected layer to the app could enhance security.

Exactly, the picture is now very clear, and you're right about the isolated environment. The only thing keeping this from being developed is man-hours. Best of luck if you're attempting this!

Thanks for your help, and well, man-hours are the most difficult part.

(01-29-2025, 06:53 PM)joepa Wrote: aren't you describing gpg light?

well not exactly, but inspiring approach
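The scheme listed in the quoted post (ECDH shared key, AES for messages, public key fetched from a server), combined with the passphrase-protected private key suggested in the reply, as an added example that is not part of the thread or of the GitHub project it mentions. It assumes the Python `cryptography` package, X25519 as the ECDH curve, HKDF-SHA256 and AES-GCM; `KEY_SERVER`, the function names and the `chat-v1` label are hypothetical.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

KEY_SERVER = {}  # hypothetical stand-in for the server that hands out public keys

def new_identity(user, passphrase):
    """Create a key pair, publish the public half, and return the private
    half as passphrase-encrypted PEM (the only form that should touch disk)."""
    priv = X25519PrivateKey.generate()
    KEY_SERVER[user] = priv.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return priv.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase))

def session_key(my_pem, passphrase, me, peer):
    """Unlock the private key, run ECDH against the peer's published key,
    and stretch the raw shared secret into a 256-bit AES key with HKDF."""
    priv = serialization.load_pem_private_key(my_pem, password=passphrase)
    shared = priv.exchange(X25519PublicKey.from_public_bytes(KEY_SERVER[peer]))
    # Sorting the names makes both sides derive the same key for the pair.
    info = b"chat-v1|" + "|".join(sorted([me, peer])).encode()
    return HKDF(hashes.SHA256(), 32, salt=None, info=info).derive(shared)

def encrypt(key, plaintext):
    """AES-256-GCM with a fresh random 96-bit nonce prepended to the output."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def decrypt(key, blob):
    """Raises cryptography.exceptions.InvalidTag if the blob was modified."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)

if __name__ == "__main__":
    # Constructed sample users and passphrases.
    alice_pem = new_identity("alice", b"alice-passphrase")
    bob_pem = new_identity("bob", b"bob-passphrase")
    k_alice = session_key(alice_pem, b"alice-passphrase", "alice", "bob")
    k_bob = session_key(bob_pem, b"bob-passphrase", "bob", "alice")
    blob = encrypt(k_alice, b"meet at noon")
    print(decrypt(k_bob, blob))
```

The public keys fetched from the server are not authenticated here, so a client built this way would also need the two users to compare key fingerprints over a separate channel. The passphrase protects the key file at rest only; it does not help once the key is unlocked on a compromised machine.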

