Secure Peer-to-Peer Browser Communication

Transcript

1. SECURE PEER-TO-PEER BROWSER COMMUNICATION Eli Mattson @elicodes

2. “SECURE P2P” What does that mean anyways?

3. SECURITY Anonymity Integrity Confidentiality

4. SECURITY Anonymity Integrity Confidentiality

5. SECURITY Anonymity Integrity Confidentiality ? ? ? ? ? ?

6. SECURITY Anonymity Integrity Confidentiality

7. PEER TO PEER NETWORKING VS

8. PEER TO PEER NETWORKING VS Real Time Higher Bandwidth Client

   Powered

9. simple-peer https://github.com/feross/simple-peer

10. let peer2 = new SimplePeer() peer2.on('stream', function (stream) { //

    got remote video stream, now let's show it in a video tag let video = document.querySelector('video') video.src = window.URL.createObjectURL(stream) video.play() }) }

11. A WALKTHROUGH

12. A WALKTHROUGH signaling signaling

13. A WALKTHROUGH signaling media signaling

14. A WALKTHROUGH signaling media signaling data

15. BUT SECURE?

16. signaling media signaling data

17. signaling media signaling data MAN IN THE MIDDLE

18. signaling signaling MAN IN THE MIDDLE

19. kbpgp.js

20. PGP Pretty Good Privacy

21. PGP

22. PGP Forward Secrecy

23. PGP RSA or ECC

24. KBPGP.JS and https://github.com/keybase/kbpgp

25. KBPGP.JS • Key Generation • Encryption • Decryption • Verification

26. KBPGP.JS var kbpgp = require('kbpgp'); kbpgp.KeyManager.generate_rsa({ userid : "Bo Jackson

    <[email protected]>" }, function(err, charlie) { charlie.sign({}, function(err) { console.log("done!"); }); }); Key Generation

27. KBPGP.JS var params = { msg: "Chuck chucky, bo-bucky!", encrypt_for:

    chuck }; kbpgp.box(params, function(err, result_string, result_buffer) { console.log(err, result_armored_string, result_raw_buffer); }); Encryption

28. KBPGP.JS var ring = new kbpgp.keyring.KeyRing; var pgp_msg = "----

    BEGIN PGP MESSAGE ----- ...."; var asp = /* as in Encryption ... */ ; kbpgp.unbox({ keyfetch: ring, armored: pgp_msg, asp }, function(err, literals) { console.log("decrypted message"); console.log(literals[0].toString()); }); Decryption

29. THINGS TO PAY ATTENTION TO

30. • public key registry • verified through social media •

    command line tool • open API (.io)

31. STORING KEYS Keybase.io Pair •Not stored in app •keybase.io •local

    •Long lifetime •Nonce Session Pair Stored in app Short lifetime Linked to keybase.io pair

32. AUTHENTICATION TOKEN { id: "john doe", pub_key: "abc123DEF5678", exp: 1445234383122,

    nbf: 1445232272011, secret: "---- BEGIN PGP MESSAGE ----- ....", nonce: "f2AbcIjlkFJls123kdjf" } keybase sign -m "<auth-token message>"

33. http request

34. http request generate keys

35. http request generate keys generate / upload token

36. AUTHENTICATION TOKEN { id: "john doe", pub_key: "abc123DEF5678", exp: 1445234383122,

    nbf: 1445232272011, secret: "---- BEGIN PGP MESSAGE ----- ....", nonce: "f2AbcIjlkFJls123kdjf" } keybase sign -m "<auth-token message>" keybase.io id

37. AUTHENTICATION TOKEN { id: "john doe", pub_key: "abc123DEF5678", exp: 1445234383122,

    nbf: 1445232272011, secret: "---- BEGIN PGP MESSAGE ----- ....", nonce: "f2AbcIjlkFJls123kdjf" } keybase sign -m "<auth-token message>" app generated public key

38. AUTHENTICATION TOKEN { id: "john doe", pub_key: "abc123DEF5678", exp: 1445234383122,

    nbf: 1445232272011, secret: "---- BEGIN PGP MESSAGE ----- ....", nonce: "f2AbcIjlkFJls123kdjf" } keybase sign -m "<auth-token message>" from our app?

39. generate / upload token

40. generate / upload token media data