End-to-End Encrypted Messaging Application with Aadhaar-Based User Authentication: Design, Implementation, and Security Analysis
Sairaj Kad • Janak Keche • Jay Kangate • Ajay Dasalkar
PRN: 72231141K PRN: 72231195J PRN: 72231170C PRN: 72230902D
Department of Computer Engineering, Sinhgad College of Engineering (SCOE) Savitribai Phule Pune University, Pune, Maharashtra, India — 411041 Academic Year 2025–26
Abstract
The widespread adoption of instant messaging for personal, academic, and professional communication has made the security and authenticity of digital conversations a paramount concern. While end-to-end encryption (E2EE) effectively prevents eavesdropping by ensuring that only the communicating parties can read message content, it does not address the fundamental question of identity — whether the person behind an account is genuinely who they claim to be. Existing platforms such as WhatsApp, Telegram, and Signal allow account creation with any phone number, creating fertile ground for fake profiles, impersonation attacks, social engineering, and coordinated spam. This paper presents the design, implementation, and evaluation of a secure web-based messaging application that closes this gap by integrating Aadhaar-based identity verification with robust end-to-end encryption. Aadhaar — India's government-administered biometric identity system managed by the Unique Identification Authority of India (UIDAI) — provides OTP-based authentication that cryptographically links every registered account to a verified, unique individual. Message payloads are encrypted at the sender's client using the recipient's public key and decrypted exclusively at the recipient's device, ensuring that intermediary servers handle only ciphertext. The system is implemented as a full-stack web application using React and JavaScript for the frontend, Spring Boot (Java) for the backend, and MySQL for persistent storage. Real-time message delivery is achieved via HTTP long-polling, avoiding the infrastructure complexity of WebSockets while maintaining sub-second perceived latency. Session security is enforced using JSON Web Tokens (JWT). Comprehensive testing — including unit, integration, system, and user-acceptance testing — validates all functional and non-functional requirements. The evaluation demonstrates zero server-side plaintext exposure, successful blocking of duplicate and fake registrations, and consistent message confidentiality. The proposed architecture is extensible to support forward secrecy, post-quantum cryptography, mobile platforms, and AI-driven threat detection, constituting a significant step toward trustworthy digital communication aligned with India's national digital identity infrastructure.
Index Terms — End-to-End Encryption (E2EE), Aadhaar Authentication, UIDAI, Secure Messaging, Asymmetric Cryptography, RSA, AES, JSON Web Token (JWT), Spring Boot, React.js, Long Polling, Key Management, Identity Verification, Digital Privacy.
