Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Zero Knowledge Architectures for mobile Applica...

vixentael
October 05, 2017

Zero Knowledge Architectures for mobile Applications

#iosdev #security #trust #keys

- why we need ZKA
- what is ZKA, what are parts of ZKA system
- messaging, auth, data: how to use ZKA in these usecases
- ZKA data management example
- implementation details
- other possible usecases
- recap

--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

With intensifying threat access, snooping governments and insecure-internet-of-everything, the importance of zero-knowledge application architectures and end-to-end trust, for things more complicated than simple messaging, becomes more and more obvious for the app developers.

We will talk about real-world problems that ZKA fights against, learn typical cryptographic designs and progress in different spheres of ZKA. We will find out how to make data sharing, user collaboration on data in the cloud with your app provably secure.

--------------------------------------

text:
https://medium.com/@vixentael/zero-knowledge-architectures-for-mobile-applications-b00a231fda75

--------------------------------------

video from MobiConf17
https://youtu.be/79iqPsPc6ZE

--------------------------------------

Links to follow:

Hermes
https://github.com/cossacklabs/hermes-core

Anatomy of a Zero-Knowledge Web Application, 2007
https://clipperz.is/blog/2007/08/24/anatomy_zero_knowledge_web_application/

Zero Knowledge Protocols Without Magic
https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html

Why We Develop Zero Knowledge Software
https://brainsware.at/blog/9-zero-knowledge-saas

Keybase launches encrypted git
https://keybase.io/blog/encrypted-git-for-everyone

Why We Will No Longer Use the Phrase Zero Knowledge to Describe Our Software
https://spideroak.com/articles/why-we-will-no-longer-use-the-phrase-zero-
knowledge-to-describe-our-software/

Explain Like I’m 5: End-to-end Encryption
https://medium.com/@cossacklabs/eli5-end-to-end-encryption-ae46821db74f

Explain Like I’m 5: Zero Knowledge Proof
https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff

Zero Knowledge Proofs: An illustrated primer
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/

vixentael

October 05, 2017
Tweet

More Decks by vixentael

Other Decks in Programming

Transcript

  1. @vixentael Mobile Tech Lead Feel free to reach me with

    any mobile security questions. I do check my inbox :)
  2. We put it to the “cloud” Everything runs on smbd’s

    software, on smbd’s computer, is maintained by someone else @vixentael
  3. We have sensitive data We put it to the “cloud”

    Everything runs on smbd’s software, on smbd’s computer, is maintained by someone else @vixentael
  4. to trust other ppl’s software, computers, and maintenance practices -

    to know how secure cloud is We don’t want @vixentael
  5. to think about sensitive data leakage - to trust other

    people’s software, computers, and maintenance practices - to know how secure cloud is We don’t want @vixentael
  6. - to think about sensitive data leakage - to trust

    other people’s software, computers, and maintenance practices - to know how secure cloud is We don’t want @vixentael
  7. Data ??? - store encrypted - share with others -

    manage access to parties @vixentael
  8. ZKA is a design principle that enables software to provide

    services over protected client data without having an unencrypted access to it. @vixentael
  9. e2ee clients all operations are on encrypted data: – control

    access to data from different users – CRUD – search (in encrypted data) ZKA includes @vixentael
  10. give access to certain blocks of data to exact users

    https://github.com/cossacklabs/ hermes-core Our take @vixentael
  11. ZKA relies on trust to the client Mobile stores keys

    safely* Mobile runs code safely* @vixentael
  12. Mobile stores keys safely* ZKA relies on trust to the

    client Mobile runs code safely* Mobile is a good client Brent @vixentael
  13. { "personal_data": { "name": "Cat", "surname": "Black", "age": 25, "home_address":

    "large box in living room", "birth_date": "01/04/1992" }, "credit_rating": 8.7, "transactions": [{ "operation": "credit", "bank": "CatBank1", "amount": "2000", "currency": "eur", "date": "02/10/2017" }, { "operation": "credit", "bank": "CatBank2", "amount": "500", "currency": "eur", "date": "14/02/2015" } ] } @vixentael
  14. { "personal_data": { "name": "Cat", "surname": "Black", "age": 25, "home_address":

    "large box in living room", "birth_date": "01/04/1992" }, "credit_rating": 8.7, "transactions": [{ "operation": "credit", "bank": "CatBank1", "amount": "2000", "currency": "eur", "date": "02/10/2017" }, { "operation": "credit", "bank": "CatBank2", "amount": "500", "currency": "eur", "date": "14/02/2015" } ] } personal data @vixentael
  15. protected data { "personal_data": { "name": "Cat", "surname": "Black", "age":

    25, "home_address": "large box in living room", "birth_date": "01/04/1992" }, "credit_rating": 8.7, "transactions": [{ "operation": "credit", "bank": "CatBank1", "amount": "2000", "currency": "eur", "date": "02/10/2017" }, { "operation": "credit", "bank": "CatBank2", "amount": "500", "currency": "eur", "date": "14/02/2015" } ] } @vixentael
  16. { "personal_data": { "name": "Cat", "surname": "Black", "age": 25, "home_address":

    "large box in living room", "birth_date": "01/04/1992" }, "credit_rating": 8.7, "transactions": [{ "operation": "credit", "bank": "CatBank1", "amount": "2000", "currency": "eur", "date": "02/10/2017" }, { "operation": "credit", "bank": "CatBank2", "amount": "500", "currency": "eur", "date": "14/02/2015" } ] } really-really protected data @vixentael
  17. leakage from – your data is available everywhere Risks encrypt

    data with one shared ? leak one key – leak everything @vixentael
  18. { "personal_data": { "name": "Cat", "surname": "Black", "age": 25, "home_address":

    "large box in living room", "birth_date": "01/04/1992" }, "credit_rating": 8.7, "transactions": [{ "operation": "credit", "bank": "CatBank1", "amount": "2000", "currency": "eur", "date": "02/10/2017" }, { "operation": "credit", "bank": "CatBank2", "amount": "500", "currency": "eur", "date": "14/02/2015" } ] } RW RO RO, customer verification RW @vixentael
  19. stores encrypted updates only credit score owns, controls access RW

    only their transactions access revoked @vixentael
  20. - Key wrapping - Manage privileges - Control requests -

    Mitigate remaining attacks How to build it? @vixentael
  21. leakage → it’s encrypted privileges → it’s encrypted replay →

    ZKP (it’s encrypted ;) other? → Mitigating the risks: @vixentael
  22. leakage → it’s encrypted privileges → it’s encrypted replay →

    ZKP (it’s encrypted ;) other? → tiny attack surface Mitigating the risks: @vixentael
  23. 1. We know a lot about data protection and peer-to-peer

    communication. 2. Collaborating on data exposes more advanced risks. One key is not enough. 3. ZKA helps against advanced risks. 4. Sooner or later, everything will be collaborative. 5. Learn ZKA in advance! @vixentael
  24. Links 1 https://clipperz.is/blog/2007/08/24/anatomy_zero_knowledge_web_application/ Anatomy of a Zero-Knowledge Web Application, 2007

    https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html Zero Knowledge Protocols Without Magic https://brainsware.at/blog/9-zero-knowledge-saas Why We Develop Zero Knowledge Software
  25. Links 2 https://spideroak.com/articles/why-we-will-no-longer-use-the-phrase-zero- knowledge-to-describe-our-software/ Why We Will No Longer Use

    the Phrase Zero Knowledge to Describe Our Software https://medium.com/@cossacklabs/eli5-end-to-end-encryption-ae46821db74f Explain Like I’m 5: End-to-end Encryption https://keybase.io/blog/encrypted-git-for-everyone Keybase launches encrypted git
  26. @vixentael Mobile Tech Lead Feel free to reach me with

    any mobile security questions. I do check my inbox :)