E2EE (End-To-End Encryption) Groups for Delphi

Starting with eSeGeCe All-Access 2026.2.0, the TsgcWSPClient_E2EE protocol extends end-to-end encryption beyond direct peer-to-peer chat and adds first-class support for encrypted group traffic. The important part is that the server still behaves as a relay and coordinator only: payloads stay encrypted from sender to recipients and plaintext never crosses the server boundary.

What is included in 2026.2.0

  • Encrypted direct messages (already available) and encrypted group messages in the same protocol component.
  • Group lifecycle methods: create, join, leave, delete, and encrypted group send.
  • Membership and delivery callbacks so the client can keep UI and local state synchronized.
  • A sender-key oriented flow for group encryption with membership-driven key rotation.


How Group Encryption Works

The cryptographic model is aligned with the E2EE protocol documentation and is designed to keep the cost of group broadcast low without losing confidentiality or integrity guarantees.

1) Pairwise trust and key agreement

Each client owns its identity keys and performs ECDH-based key agreement for pairwise secure channels. Private keys are never moved to the server. HKDF-SHA-256 is used to derive working keys, and payload encryption uses AEAD (AES-256-GCM).

2) Sender-key state per group

For each group, each sender maintains a sender-key state (chain key + message counter). For every outbound group message, the chain advances and derives a one-time message key. That message key encrypts the content and produces the AEAD authentication tag.

3) Initial sender-key distribution

When a user joins a group, the sender key state is distributed to current authorized members over already established pairwise E2EE sessions. Once all recipients have sender-key material, regular group messages follow the fast path (single encryption operation per outgoing payload).

4) Membership updates and key rotation

When users join or leave, sender-key rotation is mandatory to preserve forward/backward secrecy expectations:

  • Join: rotate to avoid exposing old history by default.
  • Leave/remove: rotate immediately to block future decrypt from removed members.

During rotation, clients can briefly accept previous key id values in a transition window and then retire old material.
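To make steps 2 to 4 concrete, here is an added Go model of the sender-key flow (example code written for this post, not the TsgcWSPClient_E2EE implementation): a per-sender chain key that derives a one-time AES-256-GCM key and nonce per message via HKDF-SHA-256, a key id that changes on every membership rotation, and a receiver that rejects traffic under a retired key id. The type and function names, the HKDF info labels and the fixed chain keys used as input are assumptions made for the example; distribution over pairwise sessions is simulated by copying the state, and only single-block HKDF-Expand is needed because 32 bytes of output suffice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// SenderKey is one sender's state for one group: key id, message counter, chain key.
type SenderKey struct {
	KeyID, Counter uint32
	Chain          []byte
}
type Header struct{ KeyID, Counter uint32 } // cleartext envelope the relay sees; no key material
// hkdf1 is single-block HKDF-Expand (RFC 5869, SHA-256) with the chain key as PRK.
func hkdf1(prk []byte, info string) []byte {
	m := hmac.New(sha256.New, prk)
	m.Write(append([]byte(info), 1))
	return m.Sum(nil)
}
// Ratchet derives the one-time key and nonce for the current counter, then advances the chain.
func (s *SenderKey) Ratchet() (key, nonce []byte, ctr uint32) {
	key, nonce, ctr = hkdf1(s.Chain, "e2ee-msg"), hkdf1(s.Chain, "e2ee-nonce")[:12], s.Counter
	s.Chain, s.Counter = hkdf1(s.Chain, "e2ee-chain"), s.Counter+1
	return
}
// Rotate installs a fresh chain (crypto/rand in practice) under a new key id; run on join/leave.
func (s *SenderKey) Rotate(fresh []byte) { s.KeyID, s.Counter, s.Chain = s.KeyID+1, 0, fresh }
func gcm(k []byte) cipher.AEAD { b, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(b); return g }
// Seal encrypts one group message with AES-256-GCM, binding the group name as associated data.
func Seal(s *SenderKey, group string, msg []byte) (Header, []byte) {
	k, n, ctr := s.Ratchet()
	return Header{s.KeyID, ctr}, gcm(k).Seal(nil, n, msg, []byte(group))
}
// Open decrypts with the receiver's copy of the sender chain; the ratchet commits only on success.
func Open(chains map[uint32]*SenderKey, h Header, group string, ct []byte) ([]byte, error) {
	s, ok := chains[h.KeyID]
	if !ok || s.Counter != h.Counter { // retired key id, or out-of-order delivery (not buffered here)
		return nil, errors.New("retired key id or out-of-order counter")
	}
	next := *s
	k, n, _ := next.Ratchet()
	pt, err := gcm(k).Open(nil, n, ct, []byte(group))
	if err == nil {
		*s = next
	}
	return pt, err
}
```

A receiver that deletes the old key id entry once the transition window closes gets exactly the behaviour described above: traffic sealed under the new chain decrypts, while anything a removed member could still derive from the retired chain is rejected before decryption.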

Client API surface in TsgcWSPClient_E2EE

Configuration points

  • UserId: unique identifier for the local user. This value is used by the server to route direct and group messages.
  • Ack.RcvDirectMessage: when enabled, the client emits acknowledgments for received direct messages.
  • Ack.RcvGroupMessage: when enabled, the client emits acknowledgments for received group messages.

Methods

  • SendDirectMessage(ToUserId, Text)
  • CreateGroup(Group)
  • JoinGroup(Group)
  • LeaveGroup(Group)
  • DeleteGroup(Group)
  • SendGroupMessage(Group, Text)


Events commonly used by clients

  • OnConnect / OnDisconnect: fired when the underlying WebSocket connection changes state.
  • OnError / OnException / OnE2EEError: fired for transport, runtime, or E2EE protocol errors.
  • OnE2EEMessageText / OnE2EEMessageBinary: fired when a decrypted direct message is received.
  • OnE2EEGroupMessageText: fired when a decrypted group text message is received.
  • OnE2EEMessageAck: fired when the server or peer acknowledges a direct/group message.
  • OnE2EEUserCreated / OnE2EEUserDeleted: fired when users are registered or removed from the E2EE user list.
  • OnE2EEGroupCreated / OnE2EEGroupDeleted: fired when groups are created or deleted.
  • OnE2EEGroupJoin / OnE2EEGroupLeave: fired when the local user joins or leaves a group. OnE2EEGroupJoin includes the current member list.
  • OnE2EEGroupMemberJoin / OnE2EEGroupMemberLeave: fired when other users join or leave a group you belong to.

Delphi Sample

sgcE2EE_win32 (5.2 MB)