The safest way of group chatting.

Providing real end-to-end encrypted group chat. The unmatched
tri-layer encryption ensures that no one can read your messages
except the participants who shares the same secret password.

Things to know before creating a group chat

Choose a complex secret password, then share it with the persons who you would like to chat with - preferably via phone, but for paranoid security level you should meet them face-to-face and remove batteries from all cell phones during the conversation.

The group's name and password have to be the same for all participants, username can be anything. Group name and username doesn't have to be handled as a secret information, unlike the password.


Let's take a look at the inner workings

CHATCRYPT's unique tri-layer encryption starts with a traditional secured WebSocket (wss) connection to the application server, then it builds up a custom Transport Layer Security within it, using ECDH (with NIST P-521 curve) for key exchange and AES-256 (in CTR mode) for ciphering. On this second layer the messages sent from the server are signed with ECDSA (using ED25519 curve) and verified with a public key at the client. This layer is responsible for that even transparent proxies with own CA certificates installed on the client cannot inspect or modify the communication (surely only if they didn't modify the chat client's source code - development of a browser extension and a smartphone app is planned).

The third layer inside the second one is responsible for the End-to-end encryption between the clients. They build up individual TLS connections with each other within a group, once again using ECDH (but now with Curve25519 curve) for key exchange and AES-256 (in CTR mode) for ciphering. Most importantly their ECDH shared keys are XORed with the SHA-256 hashed group password, which results in that their communication cannot be deciphered via participants using another password - if multiple groups being created under the same name but with different passwords, then each group member will be visible only to the ones that entered with the common one.

Thanks to the third layer's encryption and to the group password that never leaves the client, it is not possible to decode the messages even on server side. It acts as a dummy router between the group members and does not store any data it passes. The server's source code is available upon a well-founded request.

Being grateful to the developers of the following packages

Fast elliptic-curve cryptography in a plain JavaScript implementation.

A pure JavaScript implementation of the AES block cipher algorithm.

A simple SHA-256 / SHA-224 hash function for JavaScript.

Blazing fast and thoroughly tested WebSocket client and server for Node.js.

Generate RFC-compliant UUIDs in JavaScript.

Privacy policy

The privacy of our visitors is of extreme importance to us. This section outlines the types of personal information is received and collected by this website and how it is used.

This website makes use of log files. The information inside the log files includes internet protocol (IP) addresses, type of browser, Internet Service Provider (ISP), date/time stamp, referring/exit pages, and number of clicks to analyze trends, administer the site, track user's movement around the site, and gather demographic information. IP addresses, and other such information are not linked to any information that is personally identifiable.

We also use cookies provided by trusted third parties. Let's see which third party cookies you might encounter through this site.

This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

This site also uses Google AdSense, a Google Inc. advertising service. Its cookies are stored on your computer and which allow an analysis of the use of the website. Google AdSense also uses so-called Web Beacons (invisible graphics). Through these web beacons, information such as visitor traffic on these pages can be evaluated.

If you require any more information or have any questions about our privacy policy, please feel free to contact us by email at