HITB LAB: Multi-user Encrypted Communication with No Trust in the Server

PRESENTATION SLIDES (PDF)

How do you build an open source communications framework where you can trust your peers but not the server?

This is the question we have been asking ourselves as we construct the Crypton framework (https://crypton.io). We want to be able to store and share data, but know that the server has zero knowledge of the contents of our communications. What do these client and server APIs look like, and how can we ensure that the data we store and share is never readable by the server?

Crypton currently has an elegant core set of APIs for account creation, PBKDF2 key wrapping, ECC encryption and signing, HMAC and SRP. How do you expose so much advanced crypto to what will no doubt be technical laypeople? The theory is that all public APIs hide all of the complexity below, making the framework ideal for your standard Node and Backbone hacker.

Crypton is a Node.js / PostgreSQL server with a JavaScript runtime frontend targeted at Cordova (PhoneGap) and Node-Webkit.

Our Lab Session will cover the following:

* A walk-through of the initial setup of the server and client
* A quick overview of developer deployment and testing

APIs:

* User Creation: The Crypton “Key Ring”
* Authorization via SRP (and what this means for security)
* Key generation & the UX of key exchange. Crypton has an API for creating “ID Cards” for each user that can be exchanged “out of band” via SMS, email or in person via QR Code
* The messaging APIs & Crypton “Inbox” (simple built-in messaging interface)
* Crypton “Containers” (storage)

As well as some or all of the following, depending on time:

* History & Current development status
* Using Crypton in more secure JS runtimes: Cordova (PhoneGap) and Node-Webkit
* The developers’ own experiences running Crypton-as-a-Service in production on Amazon’s infrastructure
* The process of scheduling, participating in and reporting code audits publicly (Crypton has been through 2 audits by leading security firms)
* Latest APIs, tips, and tricks
* Pick apart our example apps (Diary, Chat, etc)

Participants are strongly encouraged to read the docs and play with Crypton before attending the Lab Session. If you have any questions, the development team is usually logged into irc.oftc.net #crypton.

CONFERENCE

Location: Track 3 / HITB Labs
Date: October 15, 2014
Time: 1:30 pm - 3:30 pm
Speakers: David Dahl, Cam Pedersen