Blindnet in web and mixed applications

To protect user data in your web application, blindnet provides an SDK for data encryption and decryption, and for managing encryption keys.

flowchat
Before you start

Blindnet provides a sandbox environment for you to try our SDKs in your applications before using them in production.

To use blindnet SDKs in production, you must first obtain your application_id, application_key, and application_key_id, which are needed for authenticating your users to blindnet. You can find this information on your dashboard. You must be very careful with managing your application_key, as it gives you or anyone in its possession the access to blindnet.

User authentication

Blindnet is compatible with your existing authentication mechanism, which means that you authenticate users of your application on your server independently of blindnet.

For your application users to access and use blindnet, they must authenticate with blindnet backend. This is done via JSON Web Tokens (JWT), which are generated on your server by using the application_id, application_key, and user_id. User_ids used for the generation of JWTs must be unique for each user of your application. We recommend that these user_ids are the same unique ids that you use to identify users in your application.

The payload of your JWTs must include application_id, user_id and token’s expiration datetime.

Blindnet provides an SDK for generation of JWTs on your backend. Since JWTs give access to blindnet, you must pass them only to those users who first authenticate on your server.


  private final String appId = "YOUR_BLINDNET_APP_KEY";
  private final String appKey = "YOUR_BLINDNET_APP_KEY";
  private String userId = "your_user_id";
  JWT userToken = BlindnetAuth.generateUserJwt(appId, appKey, userId);
Initialise SDK

When your users use your application and blindnet for the first time, the SDK needs to be initialised. This is done by invoking the initialisation method and passing to it the JWT obtained from your server.

During the process of initialisation, the SDK generates cryptographic key pairs for a user. Private keys are stored in users’ browser IndexedDB, while the public keys are published to blindnet and associated with user identity.


  const init = await Blindnet.initialize(userToken);
User deletion

At any given moment you can remove a user from blindnet, for example when a user deletes an account on your application, or when a user requests removal of his data. This is done by invoking the delete method, which results in permanent removal of all user keys from the browser IndexedDB, as well as removal of all user data from blindnet system. Use this carefully, since this action cannot be undone.


  const del = await Blindnet.delete(userToken);
End-to-end encryption

Blindnet SDKs allow you to encrypt and decrypt data by invoking the corresponding methods. When these methods are invoked, blindnet automatically manages encryption and decryption keys in the background via its backend service. You do not need to manage the keys yourself.

Encryption

To encrypt the data, you must provide the recipient’s user_id to the encrypt method. Blindnet SDK will retrieve the recipient’s public key and use it to encrypt the data. At this moment, the data is encrypted on the sender’s local device and can only be decrypted by the recipient.


  const encData = await Blindnet.encrypt(userToken, data, recipientId);
Decryption

Once you transfer the encrypted data to the recipient, you can call the decrypt method. Blindnet SDK will then use the recipient’s private key to decrypt the data on the recipient’s local device.


  const data = await Blindnet.decrypt(userToken, encData);
Backups

Users are initially able to access their data only from the device that they originally used to initialise blindnet SDK. To prevent users from losing their data in the case of a device loss, or in the case that they want to switch to a new device, blindnet provides the option to backup user private keys.

To ensure that user data remains private, blindnet requires a password from the user. This password is used to derive the encryption key, which is then used to encrypt the user’s private key. Blindnet SDK backups the encrypted private key to a secure storage.


  const backup = await Blindnet.backupKey(userToken, password);

Blindnet SDK provides a method to retrieve the user’s private key. When calling this method, a user must input the same password that was used when making the backup. Once the private key is retrieved, a user can use the new device and will be able to decrypt all old data.


  const retrieved = await Blindnet.retrieveKey(userToken, password);
Next: blindnet in mobile/desktop only applications