CRYPTAGBUILDING ENCRYPTED, TAGGABLE,SEARCHABLE ZERO-KNOWLEDGE

SYSTEMSSteven Phillips / @elimisteve

DEF CON's Crypto & Privacy Village

2015.08.08

THE PROBLEM/NEEDWe need to be able access our data over the internetwithout trusting the party storing it

Non-technical users can't or won't self-host (when self-hosting is even possible)

CURRENTCOMPROMISES

Data is stored unencrypted (loss of privacy)

Almost everything we use is like thisDropbox, Box, Google Drive, etc

Data is stored encrypted, but can't be searched by theserver

Encrypted backup (e.g., Tarsnap)

Encrypted backup (e.g., Tarsnap)

CURRENTCOMPROMISES (2)

Data stays on one deviceThen you can't access your own data from your owndevices

None of these compromise "solutions" (1) allow the serverto store your encrypted data, (2) let you remotely query thisdata and get back just the data you want (without having todownload all of it, which can be impractical), and (3) revealnothing about the nature of the data to the server storing it.

BOTTOM LINEOur data needs to be stored in encrypted storage systems

for privacy, accessible from anywhere for convenience, butthese systems need to be more practical -- and server-side

search would help.

"But the server can't search through your encrypted datawithout the encryption key!" Or can it?

WHAT IS CRYPTAG?CrypTag is a Go library for building encrypted, taggable,searchable zero-knowledge systems

Lets you send a search query to a server that's storingyour encrypted data, and only send you back thematching pieces of data

E.g., "Of all my data, just give me my photos of Paris"

WHAT IS CRYPTAG? (2)The server searching through this data has no idea what itis, and it doesn't know what you're searching for. And yet,it finds it for you.

HOW CRYPTAG WORKSTwo concepts: TagPairs, and Rows.

TagPairs associate the human-readable plain text tag (e.g.,'paris' or 'gmail') with a randomly-generated string that the

server stores in plain text.

HOW CRYPTAG WORKS(2)

Example TagPairs stored on server:    {      "plain_encrypted": "NtZ+WzjTtyWdjOPX6uqr308voeOE",       "random":          "9xvv87937"     }

    {      "plain_encrypted": "/1BijKByz4JqYzOTtJEoD4TlPy2FwZf0WrXG2gwZOX1ATN3/MA==",      "random":          "fqmt5fkw8"     }

HOW CRYPTAG WORKS(3)

Data is stored in "Rows". Rows store arbitrary data andassociated tags. Example Row stored on server:

{   "data": "OcSufyNLTXwrjWW3ZSkWiVOBaM4OqJwevuFAO5RM",   "tags": ["9xvv87937", "fqmt5fkw8"] } 

DEMO: ROW ANDTAGPAIR CREATION,

STEP BY STEPUsing the cryptpass demo app, tell CrypTag to create a new

Row (of arbitrary data) + associated tagscryptpass create mycr4zy4ssp4ss gmail email cryptagdemo@gmail.com tag4

CrypTag then...

1. Fetches all existing TagPairs from the server

2. Decrypts the encrypted human-readable tags (e.g.,'email')

3. Locally creates new TagPairs for the tags that don'talready exist, generating new random tags associated

4. Locally creates a Row consisting of encrypted data (e.g.,'mycr4zy4ssp4ss') and the associated randomly-generated plaintext tags

5. Uploads the TagPairs and Row to the server

FEATURESNaCl-based crypto

("Networking and Cryptography Library", not NativeClient)Libraries in many languages (JS, Python, etc)

Pluggable backendsNext: Amazon S3 bucketWebserver + filesystemWebserver + databaseSSH (coming soon)

MORE ON PLUGGABLEBACKENDS

(Used by client programs)type Backend interface {     Encrypt(plain []byte, nonce *[24]byte) ([]byte, error)     Decrypt(cipher []byte, nonce *[24]byte) ([]byte, error) 

    AllTagPairs() (types.TagPairs, error)     TagPairsFromRandomTags(randtags []string) (types.TagPairs, error)    SaveTagPair(*types.TagPair) (*types.TagPair, error) 

    RowsFromPlainTags(plaintags []string) (types.Rows, error)     SaveRow(*types.Row) (*types.Row, error) } 

COMPARINGALTERNATIVES

TARSNAPSimple encrypted backups

Can query files byfilename

No search

COMPARINGALTERNATIVES (2)

CRYPTON (FROM SPIDEROAK)More complex

"Session objects are required to interact withTransaction-based classes, like Containers andMessages."Node, Postgres, RedisWebSockets

Transactions

But more full-featured

Auth built inMessaging :-)

No search

COMPARINGALTERNATIVES (3)

TAHOE-LAFSGood sharing model

Different key for each fileAwesome replication modelBuilt-in file versioningI can't wait for RAIC and MagicFolders!

Unfortunately, to get your data, you need the URL +contained password of every file/directory

Idea: how about storing these URLs using CrypTag? :-)

No search

MY FANTASY (WELL,ONE OF THEM)

CrypTag app + Cheap, untrusted storage => Tag-searchable, zero-knowledge _______

DropboxStore all your data in S3? your own server?

Mailpile emails?"...you can use Mailpile with an existing GMailaccount, improving your privacy by configuringMailpile to download the mail and then delete itfrom Google's servers."

Notes?Bookmarks? (my original use case)Contacts?Anything but rapidly-updating data? or GIANT data youdon't want to query?

UPCOMING ADDITIONSTO CRYPTAG

Timestamps"Give me the latest 10 files with the tags 'paris' and'type:photo'"Allows for efficient updating of locally-cached TagPairEnables easy versioning!

"Give me the most recent Row with tag'filename:mydocument.doc'"

Sharing(?)

Different key for each piece of encrypted data (Row)?Problem: which key is used to encrypt the TagPairs?

Encrypt TagPairs with your own key?You can search your own server, others can't?Then you can still link people to individual pieces ofdata without giving up your main key, just the key forthat data

Need to think more about this

Row deletion might be handy...

MOBILE SUPPORTGo 1.5 supports Android and iOS!

Go 1.5rc1 hit 2 days agoCall CrypTag-wielding Go program/library from yourmobile app

Ubuntu Touch apps can be written in Go (or JS, or C++)

MY GOALS WITHCRYPTAG

Convince project developers to use CrypTag

...or at least the idea of CrypTag (mostlyTagPairs)

Build useful apps with CrypTag

Send me requests/ideas: @elimisteve

Create CrypTag libraries for Python, JavaScript

Create CrypTag libraries for Python, JavaScript

MY GOALS WITHCRYPTAG (2)

Write more CrypTag storage backendsWebserver + file system storage backend almostdoneNext: Amazon S3 bucketGoogle Drive? Azure Cloud Storage?Web server + actual database?

Write data migration/re-keying tool

Other devices just need crypto key and server info (authcredentials and URL)

Explicit threat model

Proper security audit of all < 1000 SLOC

TECHNICAL THANKYOUS

Jonathan Rudenberg

Crypto recommendation: AES -> NaCl'ssecretbox

Joe Andrieu, Garrett Holmstrom, Sam Dolan

Data migration, re-keying, sharing

PERSONAL THANKYOUS

JacobAppelbaum

AJ Bahnken

Gabrielle Molina

CRYPTAGgithub.com/elimisteve/cryptag

Send me feedback/ideas: @elimisteve

THANK YOU to the Crypto & Privacy Village organizers!