Is a Secured (Web) App Possible?
Zero Knowledge Architecture
@m4d_z
https://talks.m4dz.net/zka/en/
As a…
MESSAGING APP USER
I want to…
SHARE NUDES WITH MY BUD
So that…
MY SERVICE HOSTER CAN ACCESS MY PICS TOO
Fact
it’s easier to build
a complex backend stack
than a secured client
Our Stacks Are Huge
Data Is Sensitive
Question is
Who Owns Your Nudes?
Do not expose your
whole data to everyone
Only identified users and apps
are allowed to access data
Allow access for a limited
amount of time
ZKA is a development pattern that gives third-party apps access to users' data, with the guarantee that untrusted services cannot read that data in plaintext without permission.
Lexicon
Patterns
Setup
Registering a Service
The Mystery Cave
Zero Knowledge Proof
           ┌─────────────┐                  ┌────────────┐                  ┌────────────┐
           │   Service   │                  │   Server   │                  │   Client   │
           └──────┬──────┘                  └──────┬─────┘                  └─────┬──────┘
                  │    Request new Client Token    │                              │
                  ├───────────────────────────────►│                              │
                  │                                │                              │
                  │      Return Client Token       │        Register Token        │
                  │◄───────────────────────────────┼─────────────────────────────►│
       ┌──────────┤                                │                              ├───────────┐
Sign Client Token │                                │                              │           │
       └─────────►│                                │                              │           │
                  │       Send Signed Token        │                              │           │
                  ├────────────────────────────────┼─────────────────────────────►│           │
                  │                                │                              ├───────────┤
                  │                                │                              │ Check Token and Sign
                  │                                │                              │◄──────────┘
                  │                                │   Valid: Authorize Service   │
                  │◄───────────────────────────────┼──────────────────────────────┤
                  │                                │                              │
                  │                                │    Invalid: Reject Access    │
                  │                                │◄─────────────────────────────┤
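The registration handshake in the diagram above, as an added example that is not from the talk or its source code: Node.js simulates the Service, Server and Client in one process and shows which answers the Client authorizes or rejects. The Ed25519 signatures, the 32-byte token, the 60-second lifetime, the single-use rule, the pre-pinned service public key and the `notes-app` identifier are assumptions made for the example.

```javascript
// Added example: the registration handshake, simulated in one process.
// Assumptions (not from the talk): Ed25519 signatures, 32-byte random tokens,
// a 60 s lifetime, single-use tokens, and a service key the client already pins.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const TOKEN_TTL_MS = 60_000; // assumed "limited amount of time"

// Server: issue a client token and register it with the client.
function issueToken(registry, serviceId, now) {
  const token = randomBytes(32);
  registry.set(token.toString('hex'), { serviceId, expires: now + TOKEN_TTL_MS });
  return token;
}

// Service: sign the token with its private key (Ed25519 takes no digest name).
function signToken(token, privateKey) {
  return sign(null, token, privateKey);
}

// Client: "Check Token and Sign", then authorize or reject.
function checkToken(registry, pinnedKeys, token, signature, now) {
  const id = token.toString('hex');
  const entry = registry.get(id);
  if (!entry) return 'reject: unknown token';
  registry.delete(id); // single use: a replayed message finds nothing
  if (now > entry.expires) return 'reject: expired token';
  const publicKey = pinnedKeys.get(entry.serviceId);
  if (!publicKey || !verify(null, token, publicKey, signature)) {
    return 'reject: bad signature';
  }
  return 'authorize';
}

// Constructed scenario: valid service, replay, impostor key, late answer.
function demo() {
  const service = generateKeyPairSync('ed25519');
  const impostor = generateKeyPairSync('ed25519');
  const pinned = new Map([['notes-app', service.publicKey]]); // hypothetical id
  const registry = new Map();
  const t0 = 1_700_000_000_000; // constructed clock value (ms)
  const run = (key, delay, replay) => {
    const token = issueToken(registry, 'notes-app', t0);
    const sig = signToken(token, key);
    const first = checkToken(registry, pinned, token, sig, t0 + delay);
    return replay ? [first, checkToken(registry, pinned, token, sig, t0 + delay)] : [first];
  };
  return [...run(service.privateKey, 1000, true), ...run(impostor.privateKey, 1000),
    ...run(service.privateKey, TOKEN_TTL_MS + 1)];
}
console.log(demo());
```

In a browser client the same checks would run through a library such as libsodium rather than Node's `crypto` module.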
Security Concerns
Encrypt
Decrypt
Security Concerns
Document Tree Structure
Security Concerns
Frameworks
PoC & Protocols
Back-end: Standard File
Mobile / Desktop
What about
Progressive Web Apps?
CORS
Sandbox Network Communication
CSP
Protect Application Integrity
SRI
Mitigate Tampering
Referrer-Policy
Protect from malicious tracking
Keys Storage
libsodium: keys management
How to protect the
Encryption Layer?
WebAssembly
Minimize the Mayhem
Limit the attack bias
Thanks @vixentael for the recap
1. Migrating from an existing codebase
2. Applying ZKA to the Big Data
3. Loss of Keys
4. Storing Metadata on the Server
5. Server Security Failure
6. Exporting Keys
7. Recovery
Recovery
Initialization
Client
Recovery Server
Recovery
Restore
Payload Server
Recovery Server
(new) Client
So,
Who Protects Your Nudes?
We need reviews
Open source, public reviews, public authorities, independent reports…
ZKA
Paranoïd Web Dino · Tech Evangelist
https://talks.m4dz.net/zka/en/ Available under licence CC BY-SA 4.0
Source code available at
https://git.madslab.net/talks