Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building End-to-End Encrypted Apps

Nikolaus Graf
June 19, 2024
Technology
0
24

Building End-to-End Encrypted Apps

Nikolaus Graf

June 19, 2024
Tweet

More Decks by Nikolaus Graf

See All by Nikolaus Graf
Secsync - Utility to persit & relay end-to-end encrypted CRDTs
nikgraf
0
22
Creating an Augmented Reality App - Using ViewAR and React
nikgraf
2
160
Type Systems & Props Design - Exploring PropTypes, TypeScript, Flow & Reason
nikgraf
0
360
Reason and GraphQL
nikgraf
2
63
Get started with Reason
nikgraf
2
460
React Vienna November Intro
nikgraf
0
6.2k
Rich text editing with Draft.js
nikgraf
0
250
Introduction to React + Redux
nikgraf
1
570
React on ES6+
nikgraf
1
610

Other Decks in Technology

See All in Technology
10分でわかるfreeeのQA
freee
1
3.4k
顧客が本当に必要だったもの - パフォーマンス改善編 / Make what is needed
soudai
24
6.8k
最速最小からはじめるデータプロダクト / Data Product MVP
amaotone
5
740
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
Datachain会社紹介資料(2024年11月) / Company Deck
datachain
3
16k
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
590
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
110
いまさらのStorybook
ikumatadokoro
0
150
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
660
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
530

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1365
200k
Designing Experiences People Love
moore
138
23k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Typedesign – Prime Four
hannesfritz
39
2.4k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
YesSQL, Process and Tooling at Scale
rocio
167
14k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Statistics for Hackers
jakevdp
796
220k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Into the Great Unknown - MozCon
thekraken
31
1.5k
Designing for humans not robots
tammielis
249
25k

Transcript

  1. Building End-to-End Encrypted Apps

  2. What?

  3. Why?

  4. Lini lini.app github.com/serenity-kit/lini

  5. None
  6. None

  7. "my todo"

  8. "my todo"

  9. None

  10. key = "c0be"

  11. key = "c0be" "a6ea178" = encrypt("my todo", key)

  12. key = "c0be" "a6ea178" = encrypt("my todo", key) "a6ea178" "a6ea178"

    "a6ea178"

  13. key = "c0be" "a6ea178" = encrypt("my todo", key) key =

    "c0be" "my todo" = decrypt("a6ea178", key) "a6ea178" "a6ea178"

  14. What do we encrypt?

  15. encrypt({ todoListKey: "8-Aw_2UhSVrgKGp77jsnT", content: JSON.stringify({ "1": { text: "Wash the

    dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }), }); Encrypt & send the entire list

  16. encrypt({ todoListKey: "8-Aw_2UhSVrgKGp77jsnT", content: JSON.stringify({ "1": { text: "Wash the

    dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }), }); Encrypt & send the entire list content: JSON.stringify({ "1": { text: "Wash the dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }),

  17. Con fl icts

  18. Add todo 1 Con fl icts

  19. Add todo 1 Change todo 1 Con fl icts Add

    todo 1 Change todo 1

  20. Add todo 1 Change todo 1 Change todo 1 Con

    fl icts Add todo 1 Change todo 1

  21. CRDT Con fl ict-free Replicated Data Type

  22. = CRDT Add todo 1 Add todo 1 Change todo

    1 Change todo 1 Change todo 1 Change todo 1

  23. c3 = encrypt( , key) Change todo 1 c1 =

    encrypt( , key) c2 = encrypt( , key) Add todo 1 Change todo 1

  24. c3 = encrypt( , key) c1 = encrypt( , key)

    c2 = encrypt( , key) c1 c1 c2 c2 c3 c3 Add todo 1 Change todo 1 Change todo 1

  25. End-to-end Encryption + CRDTs

  26. None

  27. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo);

  28. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); import * as Yjs from "yjs";

  29. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); // initializing CRDT document const doc = new Yjs.Doc();

  30. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); const todoList = doc.getMap("todos");

  31. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); // adding a todo const todo = new Yjs.Map();

  32. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false);

  33. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); todoList.set(generateId(), todo);

  34. doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const

    docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) doc.on("updateV2", (update) => { // send(update) });

  35. doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const

    docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) Yjs.applyUpdateV2(doc, update);

  36. doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const

    docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) const docAsUpdate = Yjs.encodeStateAsUpdateV2(doc)
  37. None

  38. Library to sync CRDTs end-to-end encrypted useYjsSync() useAutomergeSync()

  39. const yDocRef = useRef<Yjs.Doc>(new Yjs.Doc()); const [signatureKeyPair] = useState<KeyPair>(() =>

    sodium.crypto_sign_keypair() ); useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, websocketEndpoint: "ws://localhost:3030", getSnapshotKey: () => todoListKey, getNewSnapshotData: () => { return { key: todoListKey, data: Yjs.encodeStateAsUpdateV2(yDocRef.current), publicData: {}, }; }, shouldSendSnapshot: ({ snapshotUpdatesCount }) => snapshotUpdatesCount > 50, signatureKeyPair, isValidClient: () => true, sodium, });

  40. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

  41. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    yDoc: yDocRef.current,

  42. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    documentId: todoListId,

  43. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    key: todoListKey,

  44. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    websocketEndpoint: "ws://localhost:3030",
  45. None

  46. key = "c0be" "a6ea178" = encrypt("my todo", key) key =

    "c0be" "my todo" = decrypt("a6ea178", key) "a6ea178" "a6ea178"

  47. Key Management "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U"

  48. CRDT Documents const keys = { "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo",

    };

  49. Locker L

  50. Locker

  51. “1” “2” Locker

  52. “1” “2” Locker CRDT Documents

  53. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q';

  54. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); const locker = encrypt({ });

  55. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); lockerKey,

  56. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }),

  57. const { addItem, content } = useLocker(); await addItem({ documentId,

    key }); const key = content[documentId]; const { addItem, content } = useLocker();

  58. const { addItem, content } = useLocker(); await addItem({ documentId,

    key }); const key = content[documentId]; await addItem({ documentId, key });

  59. const { addItem, content } = useLocker(); await addItem({ documentId,

    key }); const key = content[documentId]; const key = content[documentId];
  60. None

  61. “1” “2” Locker CRDT Documents

  62. Username / Password

  63. None
  64. None

  65. username & password Login sessionKey sessionKey

  66. username & password Registration exportKey

  67. username & password Login exportKey

  68. Opaque Locker

  69. const { register, isPending } = useRegister(); const result =

    await register({ userIdentifier: username, password, }); result?.exportKey const { register, isPending } = useRegister();

  70. const { register, isPending } = useRegister(); const result =

    await register({ userIdentifier: username, password, }); result?.exportKey const result = await register({ userIdentifier: username, password, });

  71. const { register, isPending } = useRegister(); const result =

    await register({ userIdentifier: username, password, }); result?.exportKey result?.exportKey

  72. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password });

  73. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, });

  74. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, });

  75. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, });
  76. None

  77. const { login, isPending } = useLogin(); const result =

    await login({ userIdentifier: username, password, }); result?.exportKey const { login, isPending } = useLogin();

  78. const { login, isPending } = useLogin(); const result =

    await login({ userIdentifier: username, password, }); result?.exportKey const result = await login({ userIdentifier: username, password, });

  79. const { login, isPending } = useLogin(); const result =

    await login({ userIdentifier: username, password, }); result?.exportKey result?.exportKey

  80. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, });

  81. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, });

  82. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult;

  83. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, });
  84. None

  85. Opaque

  86. Opaque Locker

  87. Opaque “1” “2” Locker

  88. Opaque “1” “2” Locker CRDT Documents

  89. Opaque “1” “2” Locker CRDT Documents

  90. CRDT Documents Opaque “2” Locker

  91. Invitations

  92. example.com/invitation/123

  93. example.com/invitation/123#key=c0be

  94. const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token

    }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } const key = getHashParameter("key");

  95. const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token

    }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } const data = await acceptDocumentInvitationMutation.mutateAsync({ token });

  96. const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token

    }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } await addItem({ documentId: data.documentId, key, });

  97. story for another time …

  98. story for another time … … read my blog in

    the coming months

  99. Simple Authentication Invitation Links

  100. Advanced Account recovery Key rotation Permissions Simple Authentication Invitation Links

  101. Thank you 👋 nikgraf.com lini.app secsync.com opaque-auth.com