Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building End-to-End Encrypted Apps

Nikolaus Graf
June 19, 2024
Technology
0
21

Building End-to-End Encrypted Apps

Nikolaus Graf

June 19, 2024
Tweet

More Decks by Nikolaus Graf

See All by Nikolaus Graf
Secsync - Utility to persit & relay end-to-end encrypted CRDTs
nikgraf
0
18
Creating an Augmented Reality App - Using ViewAR and React
nikgraf
2
160
Type Systems & Props Design - Exploring PropTypes, TypeScript, Flow & Reason
nikgraf
0
360
Reason and GraphQL
nikgraf
2
63
Get started with Reason
nikgraf
2
440
React Vienna November Intro
nikgraf
0
6.2k
Rich text editing with Draft.js
nikgraf
0
250
Introduction to React + Redux
nikgraf
1
570
React on ES6+
nikgraf
1
600

Other Decks in Technology

See All in Technology
Classmethod AI Talks(CATs) #1 司会進行スライド(2024.09.19) / classmethod-ai-talks-aka-cats_moderator-slides_vol1_2024-09-19
shinyaa31
0
220
不動産 x AIことはじめ~データの真価を拓くために
estie
0
130
Developer Experienceを向上させる基盤づくりの取り組み事例集
coconala_engineer
0
160
20240911_New_Relicダッシュボード活用例
speakerdeckfk
0
110
Tricentisにおけるテスト自動化へのAI活用ご紹介/20240910Shunsuke Katakura
shift_evolve
0
210
Discovering AI Models
picardparis
4
3.9k
Road to Single Activity
yurihondo
2
240
Agile in Automotive Industry, puzzles and lights.
hiranabe
3
1.4k
OCI で始める!! Red Hat OpenShift / Get Started OpenShift on OCI
oracle4engineer
PRO
1
190
ネットワークだけ隔離されたコンテナ作成デモ / Kichijoji.pm36
tenforward
1
250
Cloud Run と GitHub Template Repository による軽量なアプリケーションプラットフォーム/ #nikkei_tech_talk
nikkei_engineer_recruiting
0
120
Mocking in Rust Applications
taiki45
2
420

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
89
16k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
38
9.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
248
20k
Web Components: a chance to create the future
zenorocha
309
42k
Typedesign – Prime Four
hannesfritz
39
2.3k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
1
55
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
326
21k
The Invisible Customer
myddelton
119
13k
Writing Fast Ruby
sferik
623
60k
Designing for Performance
lara
604
68k
Fontdeck: Realign not Redesign
paulrobertlloyd
80
5.1k

Transcript

  1. Building End-to-End Encrypted Apps

  2. What?

  3. Why?

  4. Lini lini.app github.com/serenity-kit/lini

  5. None
  6. None

  7. "my todo"

  8. "my todo"

  9. None

  10. key = "c0be"

  11. key = "c0be" "a6ea178" = encrypt("my todo", key)

  12. key = "c0be" "a6ea178" = encrypt("my todo", key) "a6ea178" "a6ea178"

    "a6ea178"

  13. key = "c0be" "a6ea178" = encrypt("my todo", key) key =

    "c0be" "my todo" = decrypt("a6ea178", key) "a6ea178" "a6ea178"

  14. What do we encrypt?

  15. encrypt({ todoListKey: "8-Aw_2UhSVrgKGp77jsnT", content: JSON.stringify({ "1": { text: "Wash the

    dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }), }); Encrypt & send the entire list

  16. encrypt({ todoListKey: "8-Aw_2UhSVrgKGp77jsnT", content: JSON.stringify({ "1": { text: "Wash the

    dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }), }); Encrypt & send the entire list content: JSON.stringify({ "1": { text: "Wash the dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }),

  17. Con fl icts

  18. Add todo 1 Con fl icts

  19. Add todo 1 Change todo 1 Con fl icts Add

    todo 1 Change todo 1

  20. Add todo 1 Change todo 1 Change todo 1 Con

    fl icts Add todo 1 Change todo 1

  21. CRDT Con fl ict-free Replicated Data Type

  22. = CRDT Add todo 1 Add todo 1 Change todo

    1 Change todo 1 Change todo 1 Change todo 1

  23. c3 = encrypt( , key) Change todo 1 c1 =

    encrypt( , key) c2 = encrypt( , key) Add todo 1 Change todo 1

  24. c3 = encrypt( , key) c1 = encrypt( , key)

    c2 = encrypt( , key) c1 c1 c2 c2 c3 c3 Add todo 1 Change todo 1 Change todo 1

  25. End-to-end Encryption + CRDTs

  26. None

  27. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo);

  28. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); import * as Yjs from "yjs";

  29. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); // initializing CRDT document const doc = new Yjs.Doc();

  30. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); const todoList = doc.getMap("todos");

  31. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); // adding a todo const todo = new Yjs.Map();

  32. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false);

  33. import * as Yjs from "yjs"; // initializing CRDT document

    const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); todoList.set(generateId(), todo);

  34. doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const

    docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) doc.on("updateV2", (update) => { // send(update) });

  35. doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const

    docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) Yjs.applyUpdateV2(doc, update);

  36. doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const

    docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) const docAsUpdate = Yjs.encodeStateAsUpdateV2(doc)
  37. None

  38. Library to sync CRDTs end-to-end encrypted useYjsSync() useAutomergeSync()

  39. const yDocRef = useRef<Yjs.Doc>(new Yjs.Doc()); const [signatureKeyPair] = useState<KeyPair>(() =>

    sodium.crypto_sign_keypair() ); useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, websocketEndpoint: "ws://localhost:3030", getSnapshotKey: () => todoListKey, getNewSnapshotData: () => { return { key: todoListKey, data: Yjs.encodeStateAsUpdateV2(yDocRef.current), publicData: {}, }; }, shouldSendSnapshot: ({ snapshotUpdatesCount }) => snapshotUpdatesCount > 50, signatureKeyPair, isValidClient: () => true, sodium, });

  40. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

  41. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    yDoc: yDocRef.current,

  42. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    documentId: todoListId,

  43. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    key: todoListKey,

  44. useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

    websocketEndpoint: "ws://localhost:3030",
  45. None

  46. key = "c0be" "a6ea178" = encrypt("my todo", key) key =

    "c0be" "my todo" = decrypt("a6ea178", key) "a6ea178" "a6ea178"

  47. Key Management "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U"

  48. CRDT Documents const keys = { "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo",

    };

  49. Locker L

  50. Locker

  51. “1” “2” Locker

  52. “1” “2” Locker CRDT Documents

  53. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q';

  54. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); const locker = encrypt({ });

  55. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); lockerKey,

  56. const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content:

    JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }),

  57. const { addItem, content } = useLocker(); await addItem({ documentId,

    key }); const key = content[documentId]; const { addItem, content } = useLocker();

  58. const { addItem, content } = useLocker(); await addItem({ documentId,

    key }); const key = content[documentId]; await addItem({ documentId, key });

  59. const { addItem, content } = useLocker(); await addItem({ documentId,

    key }); const key = content[documentId]; const key = content[documentId];
  60. None

  61. “1” “2” Locker CRDT Documents

  62. Username / Password

  63. None
  64. None

  65. username & password Login sessionKey sessionKey

  66. username & password Registration exportKey

  67. username & password Login exportKey

  68. Opaque Locker

  69. const { register, isPending } = useRegister(); const result =

    await register({ userIdentifier: username, password, }); result?.exportKey const { register, isPending } = useRegister();

  70. const { register, isPending } = useRegister(); const result =

    await register({ userIdentifier: username, password, }); result?.exportKey const result = await register({ userIdentifier: username, password, });

  71. const { register, isPending } = useRegister(); const result =

    await register({ userIdentifier: username, password, }); result?.exportKey result?.exportKey

  72. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password });

  73. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, });

  74. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, });

  75. const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const

    { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, });
  76. None

  77. const { login, isPending } = useLogin(); const result =

    await login({ userIdentifier: username, password, }); result?.exportKey const { login, isPending } = useLogin();

  78. const { login, isPending } = useLogin(); const result =

    await login({ userIdentifier: username, password, }); result?.exportKey const result = await login({ userIdentifier: username, password, });

  79. const { login, isPending } = useLogin(); const result =

    await login({ userIdentifier: username, password, }); result?.exportKey result?.exportKey

  80. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, });

  81. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, });

  82. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult;

  83. const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const

    { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, });
  84. None

  85. Opaque

  86. Opaque Locker

  87. Opaque “1” “2” Locker

  88. Opaque “1” “2” Locker CRDT Documents

  89. Opaque “1” “2” Locker CRDT Documents

  90. CRDT Documents Opaque “2” Locker

  91. Invitations

  92. example.com/invitation/123

  93. example.com/invitation/123#key=c0be

  94. const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token

    }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } const key = getHashParameter("key");

  95. const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token

    }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } const data = await acceptDocumentInvitationMutation.mutateAsync({ token });

  96. const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token

    }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } await addItem({ documentId: data.documentId, key, });

  97. story for another time …

  98. story for another time … … read my blog in

    the coming months

  99. Simple Authentication Invitation Links

  100. Advanced Account recovery Key rotation Permissions Simple Authentication Invitation Links

  101. Thank you 👋 nikgraf.com lini.app secsync.com opaque-auth.com