cryptag: building encrypted, taggable, searchable zero-knowledge systems
TRANSCRIPT
CRYPTAG
BUILDING ENCRYPTED, TAGGABLE, SEARCHABLE ZERO-KNOWLEDGE SYSTEMS
Steven Phillips / @elimisteve
DEF CON's Crypto & Privacy Village
2015.08.08
THE PROBLEM/NEED
We need to be able to access our data over the internet without trusting the party storing it
Non-technical users can't or won't self-host (when self-hosting is even possible)
CURRENT COMPROMISES
Data is stored unencrypted (loss of privacy)
Almost everything we use is like this
Dropbox, Box, Google Drive, etc
Data is stored encrypted, but can't be searched by the server
Encrypted backup (e.g., Tarsnap)
CURRENT COMPROMISES (2)
Data stays on one device
Then you can't access your own data from your own devices
None of these compromise "solutions" (1) allow the server to store your encrypted data, (2) let you remotely query this data and get back just the data you want (without having to download all of it, which can be impractical), and (3) reveal nothing about the nature of the data to the server storing it.
BOTTOM LINE
Our data needs to be stored in encrypted storage systems for privacy, accessible from anywhere for convenience, but these systems need to be more practical -- and server-side search would help.
"But the server can't search through your encrypted data without the encryption key!" Or can it?
WHAT IS CRYPTAG?
CrypTag is a Go library for building encrypted, taggable, searchable zero-knowledge systems
Lets you send a search query to a server that's storing your encrypted data, and only send you back the matching pieces of data
E.g., "Of all my data, just give me my photos of Paris"
WHAT IS CRYPTAG? (2)
The server searching through this data has no idea what it is, and it doesn't know what you're searching for. And yet, it finds it for you.
HOW CRYPTAG WORKS
Two concepts: TagPairs, and Rows.
TagPairs associate the human-readable plain text tag (e.g., 'paris' or 'gmail') with a randomly-generated string that the server stores in plain text.
HOW CRYPTAG WORKS (2)
Example TagPairs stored on server:
    { "plain_encrypted": "NtZ+WzjTtyWdjOPX6uqr308voeOE", "random": "9xvv87937" }
    { "plain_encrypted": "/1BijKByz4JqYzOTtJEoD4TlPy2FwZf0WrXG2gwZOX1ATN3/MA==", "random": "fqmt5fkw8" }
HOW CRYPTAG WORKS (3)
Data is stored in "Rows". Rows store arbitrary data and associated tags. Example Row stored on server:
    { "data": "OcSufyNLTXwrjWW3ZSkWiVOBaM4OqJwevuFAO5RM", "tags": ["9xvv87937", "fqmt5fkw8"] }
DEMO: ROW AND TAGPAIR CREATION, STEP BY STEP
Using the cryptpass demo app, tell CrypTag to create a new Row (of arbitrary data) + associated tags
    cryptpass create mycr4zy4ssp4ss gmail email [email protected] tag4
CrypTag then...
1. Fetches all existing TagPairs from the server
2. Decrypts the encrypted human-readable tags (e.g., 'email')
3. Locally creates new TagPairs for the tags that don't already exist, generating new random tags associated
4. Locally creates a Row consisting of encrypted data (e.g., 'mycr4zy4ssp4ss') and the associated randomly-generated plaintext tags
5. Uploads the TagPairs and Row to the server
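The TagPair/Row mechanism and the five creation steps above, as a self-contained JavaScript sketch added here; it is not CrypTag's Go code. It assumes AES-256-GCM from Node's crypto module in place of NaCl secretbox, and the Server and Client classes and their method names are hypothetical; the record field names follow the JSON shown on the slides.

```javascript
const nodeCrypto = require("crypto");

// Added example, not CrypTag's code: AES-256-GCM stands in for NaCl secretbox; names are assumed.
function seal(key, plain) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce, stored in front of the ciphertext
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]).toString("base64");
}

function open(key, box) {
  const raw = Buffer.from(box, "base64");
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8"); // throws if altered
}

// The untrusted server: stores opaque records and matches rows on random tags only.
class Server {
  tagPairs = [];
  rows = [];
  search(randomTags) {
    return this.rows.filter((row) => randomTags.every((t) => row.tags.includes(t)));
  }
}

class Client {
  constructor(key, server) { Object.assign(this, { key, server }); }
  // Steps 1-3: fetch and decrypt all TagPairs, map plain tags to random ones, mint missing ones.
  randomTags(plainTags, mint) {
    const pairs = this.server.tagPairs.map((p) => [open(this.key, p.plain_encrypted), p.random]);
    const known = new Map(pairs);
    return plainTags.map((tag) => {
      if (!known.has(tag) && mint) {
        known.set(tag, nodeCrypto.randomBytes(6).toString("hex"));
        this.server.tagPairs.push({ plain_encrypted: seal(this.key, tag), random: known.get(tag) });
      }
      return known.get(tag);
    });
  }
  // Steps 4-5: encrypt the data and upload it with random tags only.
  create(data, ...plainTags) {
    this.server.rows.push({ data: seal(this.key, data), tags: this.randomTags(plainTags, true) });
  }
  // Query: translate plain tags locally, let the server match, decrypt what comes back.
  query(...plainTags) {
    return this.server.search(this.randomTags(plainTags, false)).map((r) => open(this.key, r.data));
  }
}
```

With a 32-byte key, `new Client(key, new Server()).create("mycr4zy4ssp4ss", "gmail", "email")` mirrors the cryptpass command; afterwards the server object holds only base64 ciphertext and random hex strings. The server still learns which rows share a random tag and which random tags each query asks for.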
FEATURES
NaCl-based crypto ("Networking and Cryptography Library", not Native Client)
Libraries in many languages (JS, Python, etc)
Pluggable backends
Next: Amazon S3 bucket
Webserver + filesystem
Webserver + database
SSH (coming soon)
MORE ON PLUGGABLE BACKENDS
(Used by client programs)

    type Backend interface {
        // Symmetric encryption with a 24-byte nonce
        Encrypt(plain []byte, nonce *[24]byte) ([]byte, error)
        Decrypt(cipher []byte, nonce *[24]byte) ([]byte, error)

        // TagPair storage and lookup
        AllTagPairs() (types.TagPairs, error)
        TagPairsFromRandomTags(randtags []string) (types.TagPairs, error)
        SaveTagPair(*types.TagPair) (*types.TagPair, error)

        // Row storage and lookup
        RowsFromPlainTags(plaintags []string) (types.Rows, error)
        SaveRow(*types.Row) (*types.Row, error)
    }
COMPARING ALTERNATIVES (2)
CRYPTON (FROM SPIDEROAK)
More complex
"Session objects are required to interact with Transaction-based classes, like Containers and Messages."
Node, Postgres, Redis
WebSockets
Transactions
COMPARING ALTERNATIVES (3)
TAHOE-LAFS
Good sharing model
Different key for each file
Awesome replication model
Built-in file versioning
I can't wait for RAIC and Magic Folders!
Unfortunately, to get your data, you need the URL + contained password of every file/directory
Idea: how about storing these URLs using CrypTag? :-)
No search
MY FANTASY (WELL, ONE OF THEM)
CrypTag app + Cheap, untrusted storage => Tag-searchable, zero-knowledge _______
Dropbox
Store all your data in S3? your own server?
Mailpile emails?
"...you can use Mailpile with an existing GMail account, improving your privacy by configuring Mailpile to download the mail and then delete it from Google's servers."
Notes?
Bookmarks? (my original use case)
Contacts?
Anything but rapidly-updating data? or GIANT data you don't want to query?
UPCOMING ADDITIONS TO CRYPTAG
Timestamps
"Give me the latest 10 files with the tags 'paris' and 'type:photo'"
Allows for efficient updating of locally-cached TagPair
Enables easy versioning!
"Give me the most recent Row with tag 'filename:mydocument.doc'"
Sharing(?)
Different key for each piece of encrypted data (Row)?
Problem: which key is used to encrypt the TagPairs?
Encrypt TagPairs with your own key?
You can search your own server, others can't?
Then you can still link people to individual pieces of data without giving up your main key, just the key for that data
Need to think more about this
Row deletion might be handy...
MOBILE SUPPORT
Go 1.5 supports Android and iOS!
Go 1.5rc1 hit 2 days ago
Call CrypTag-wielding Go program/library from your mobile app
Ubuntu Touch apps can be written in Go (or JS, or C++)
MY GOALS WITH CRYPTAG
Convince project developers to use CrypTag
...or at least the idea of CrypTag (mostly TagPairs)
Build useful apps with CrypTag
Send me requests/ideas: @elimisteve
Create CrypTag libraries for Python, JavaScript
MY GOALS WITH CRYPTAG (2)
Write more CrypTag storage backends
Webserver + file system storage backend almost done
Next: Amazon S3 bucket
Google Drive? Azure Cloud Storage?
Web server + actual database?
Write data migration/re-keying tool
Other devices just need crypto key and server info (auth credentials and URL)
Explicit threat model
Proper security audit of all < 1000 SLOC
TECHNICAL THANK YOUS
Jonathan Rudenberg
Crypto recommendation: AES -> NaCl's secretbox
Joe Andrieu, Garrett Holmstrom, Sam Dolan
Data migration, re-keying, sharing