Add security paragraph

2 files changed, 14 insertions, 1 deletions

diff --git a/client-web/source/room.ts b/client-web/source/room.ts
index 71e26bb..3268510 100644
--- a/client-web/source/room.ts
+++ b/client-web/source/room.ts
@@ -44,7 +44,6 @@ export class Room {
             this.users.delete(p.id)
             this.remote_users.delete(p.id)
         }
-
     }
     relay_handler(sender_id: number, message: RelayMessage) {
         const sender = this.users.get(sender_id)
diff --git a/readme.md b/readme.md
index 941fd03..c3ae098 100644
--- a/readme.md
+++ b/readme.md
@@ -21,6 +21,20 @@ a web conferencing application
 -   Prevent server from changing message sender
 -   Have a security professional look at the code
 -   Test some options like `camera_facing_mode`
+-   Signing key for each user
+-   Built-in storage for known keys
+
+## Security
+
+keks-meet _tries_ to be secure. However I am not a security expert. The current system works as follows:
+
+-   The room name is set in the section of the URL (-> not sent to the server)
+-   The server receives a salted hash of the room name to group client of a room
+-   We use PBKDF2 (constant salt; 250000 iterations) to derive a 256-bit AES-GCM key
+-   
+-   All relayed message contents are encrypted with this key.
+    -   Message recipient is visible to the server
+    -   The server assigns user ids
 
 ## Usage