Challenges With Building End-to-End Encrypted Challenges With - - PowerPoint PPT Presentation

challenges with building end to end encrypted challenges
SMART_READER_LITE
LIVE PREVIEW

Challenges With Building End-to-End Encrypted Challenges With - - PowerPoint PPT Presentation

Nov 27, 2023 41 likes •362 views

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted Applications Learnings From Etesync Applications Learnings From Etesync stosb.com/talks Tom Hacohen tom@stosb.com FOSDEM 2019 @TomHacohen

slide-1
SLIDE 1

Tom Hacohen FOSDEM 2019

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted Applications – Learnings From Etesync Applications – Learnings From Etesync

stosb.com/talks tom@stosb.com @TomHacohen

slide-2
SLIDE 2

Who Am I? Who Am I?

Long time Open Source developer Privacy and digital security enthusiast Maintainer and creator of EteSync Building a security startup with Entrepreneur First

slide-3
SLIDE 3

Secure, end-to-end encrypted and fully versioned personal information sync for Android, the desktop and the web. Currently supports contacts, calendars and tasks, with more on the way.

slide-4
SLIDE 4

EteSync Overview EteSync Overview

Encrypted and Tamper-Proof Journal Encrypted and Tamper-Proof Journal

slide-5
SLIDE 5

EteSync Overview EteSync Overview

How Are the Encryption Keys Derived How Are the Encryption Keys Derived

# The key from all of the others are derived master_key = Scrypt(user_email, password) # An encryption key for each journal and its contents journal_key = HMAC_SHA256(journal_uid, master_key) journal_key_enc = HMAC_SHA256("aes", journal_key) journal_key_mac = HMAC_SHA256("hmac", journal_key)

slide-6
SLIDE 6

EteSync Overview EteSync Overview

How Is the Data Encrypted How Is the Data Encrypted

# The journal itself (meta information) journal_info_enc = iv + AES_CBC_PKCS7(iv, journal_key_enc, journal_info_clear) journal_info_mac = HMAC_SHA256(journal_info_enc + version, journal_key_mac) journal_info = journal_info_mac + journal_info_enc journal_uid = RANDOM_SHA256() # A random sha256 like blob # The journal entries: prev_uid = PREVIOUS_UID # The uid of the previous entry entry_info = iv + AES_CBC_PKCS7(iv, journal_key_enc, entry_info_clear) entry_uid = HMAC_SHA256(prev_uid + entry_info + version, journal_key_mac)

slide-7
SLIDE 7

So Let's Talk About the Challenges… So Let's Talk About the Challenges…

slide-8
SLIDE 8

Platform Portability Platform Portability

Everything is implemented on the client, so… All clients need libraries for all crypto primitives Want library support on all platforms (e.g. iCal support) Need to write the same code for all platforms

slide-9
SLIDE 9

Account Init & Protocol Upgrade Account Init & Protocol Upgrade

Everything is implemented on the client, so… On every client: Account init code - set initial state Account upgrade code - changes in data format Support for past and current protocol versions Partial "solution": only implement in master clients

slide-10
SLIDE 10

Protocol Upgrade Protocol Upgrade

Every client needs to support the new version, so either… Update all apps simultaneously (hard with F-Droid) First deploy support, and then deploy upgrade logic

slide-11
SLIDE 11

Protocol Upgrade (Part 2) Protocol Upgrade (Part 2)

You can't transform the data on the server, so… You can't support multiple API versions at

  • nce

Gracefully handle future unsupported versions

slide-12
SLIDE 12

What's Considered a Protocol Upgrade? What's Considered a Protocol Upgrade?

Everything. Changing cryptography methods (e.g. elliptic curves) Changing cryptography parameters (e.g. for Scrypt) Changing the structure of the data Every other thing you can think of

slide-13
SLIDE 13

Development Speed Development Speed

Did I mention everything needs to be implemented on every client?

slide-14
SLIDE 14

Debugging Debugging

You can't ask for data, and when you do, you oen won't get it No access to data make it hard to investigate issues Can't test changes and fixes on existing data Can't look in the data for affected users Have to rely on users to test and reproduce on their own devices

slide-15
SLIDE 15

3rd Party Applications 3rd Party Applications

We can't trust 3rd parties with encryption passwords, so… We can't easily add integrations with 3rd party apps Never let users enter credentials in 3rd party apps

slide-16
SLIDE 16

Data Immutability Data Immutability

Because the journal is immutable: You can't fix saved malformed data Can't update the saved format Always need to support old formats and malformed data You guessed it. On all the clients!

slide-17
SLIDE 17

Usability Issues Usability Issues

Having both an encryption and a login password Encryption password recovery is not straightforward

slide-18
SLIDE 18

You Are Held to a Higher Standard You Are Held to a Higher Standard

  • secure web

app delivery As mentioned before: can't ask for data Watch out with what you put in logs and debug info Signed Pages

slide-19
SLIDE 19

A Few More Things to Watch out For… A Few More Things to Watch out For…

slide-20
SLIDE 20

Performance Considerations Performance Considerations

No server-side search or processing Have to download all the data, or at least an index However, most operations are fast because they are local

slide-21
SLIDE 21

A False Sense of Security A False Sense of Security

Revoking or changing encryption passwords: Encrypt the old key with the new key (potentially insecure) Re-encrypt the whole data (problematic) Old key for past data, new key for new data (complex) Offer alternatives? How do you educate users about the trade‑offs?

slide-22
SLIDE 22

Replay and Downgrade Attacks Replay and Downgrade Attacks

slide-23
SLIDE 23

Leaking User Data Leaking User Data

Sensitive information in logs and debug info Mixing together user-controlled and non-user controlled data Optimisations oen leak data, for example: Compressing data can oen lead to leaks De-duplicating files using clear-text SHA256 sum Variable bitrate audio and video

slide-24
SLIDE 24

The UI Can Make All the Difference The UI Can Make All the Difference

Informing users when data is changed Showing users how many devices are active There are other potential flaws and safeguards

slide-25
SLIDE 25

Improving the EteSync Protocol Improving the EteSync Protocol

slide-26
SLIDE 26

Untying the Username and Encryption Key Untying the Username and Encryption Key

Deriving the key from the username proved problematic Was a useful shortcut but a big pain Can't easily change the username It accidentally made the user inconsistently case sensitive

slide-27
SLIDE 27

Improve Integrity Assurances Improve Integrity Assurances

Sign journal items (rather than just HMAC) HMAC the global state + have a counter

slide-28
SLIDE 28

Move to Per-Device Keys Move to Per-Device Keys

Can better use hardware tokens Sometimes built-in hardware! Can better handle lost devices Useful infrastructure for 3rd party apps Can have a key per app, not just device…

slide-29
SLIDE 29

Finishing Notes Finishing Notes

End-to-end encryption is the only way forward! Privacy is a sacred right, don't give it up! You're the weakest link:

slide-30
SLIDE 30

Useful Links Useful Links

My blog: EteSync's website: EteSync's sources: Signed Pages: https://stosb.com https://www.etesync.com https://github.com/etesync https://github.com/tasn/webext-signed- pages

slide-31
SLIDE 31

Tom Hacohen FOSDEM 2019

Questions? Questions?

stosb.com/talks tom@stosb.com @TomHacohen

slide-32
SLIDE 32

Attribution Attribution

Icon by from is licensed under Icon by from is licensed under by the by Randall Munroe ( ) Freepik flaticon.com CC 3.0 BY Smashicons flaticon.com CC 3.0 BY Compression example unicode.org Security XKCD