Tweet
Tweet

Slide 1

Slide 1 text

Building End-to-End Encrypted Apps

Slide 2

Slide 2 text

What?

Slide 3

Slide 3 text

Why?

Slide 4

Slide 4 text

Lini lini.app github.com/serenity-kit/lini

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

"my todo"

Slide 8

Slide 8 text

"my todo"

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

key = "c0be"

Slide 11

Slide 11 text

key = "c0be" "a6ea178" = encrypt("my todo", key)

Slide 12

Slide 12 text

key = "c0be" "a6ea178" = encrypt("my todo", key) "a6ea178" "a6ea178" "a6ea178"

Slide 13

Slide 13 text

key = "c0be" "a6ea178" = encrypt("my todo", key) key = "c0be" "my todo" = decrypt("a6ea178", key) "a6ea178" "a6ea178"

Slide 14

Slide 14 text

What do we encrypt?

Slide 15

Slide 15 text

encrypt({ todoListKey: "8-Aw_2UhSVrgKGp77jsnT", content: JSON.stringify({ "1": { text: "Wash the dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }), }); Encrypt & send the entire list

Slide 16

Slide 16 text

encrypt({ todoListKey: "8-Aw_2UhSVrgKGp77jsnT", content: JSON.stringify({ "1": { text: "Wash the dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }), }); Encrypt & send the entire list content: JSON.stringify({ "1": { text: "Wash the dishes", checked: false }, "2": { text: "Order sweets", checked: true }, }),

Slide 17

Slide 17 text

Con fl icts

Slide 18

Slide 18 text

Add todo 1 Con fl icts

Slide 19

Slide 19 text

Add todo 1 Change todo 1 Con fl icts Add todo 1 Change todo 1

Slide 20

Slide 20 text

Add todo 1 Change todo 1 Change todo 1 Con fl icts Add todo 1 Change todo 1

Slide 21

Slide 21 text

CRDT Con fl ict-free Replicated Data Type

Slide 22

Slide 22 text

= CRDT Add todo 1 Add todo 1 Change todo 1 Change todo 1 Change todo 1 Change todo 1

Slide 23

Slide 23 text

c3 = encrypt( , key) Change todo 1 c1 = encrypt( , key) c2 = encrypt( , key) Add todo 1 Change todo 1

Slide 24

Slide 24 text

c3 = encrypt( , key) c1 = encrypt( , key) c2 = encrypt( , key) c1 c1 c2 c2 c3 c3 Add todo 1 Change todo 1 Change todo 1

Slide 25

Slide 25 text

End-to-end Encryption + CRDTs

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo);

Slide 28

Slide 28 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); import * as Yjs from "yjs";

Slide 29

Slide 29 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); // initializing CRDT document const doc = new Yjs.Doc();

Slide 30

Slide 30 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); const todoList = doc.getMap("todos");

Slide 31

Slide 31 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); // adding a todo const todo = new Yjs.Map();

Slide 32

Slide 32 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false);

Slide 33

Slide 33 text

import * as Yjs from "yjs"; // initializing CRDT document const doc = new Yjs.Doc(); const todoList = doc.getMap("todos"); // adding a todo const todo = new Yjs.Map(); todo.set("text", new Yjs.Text("wash the dishes")); todo.set("checked", false); todoList.set(generateId(), todo); todoList.set(generateId(), todo);

Slide 34

Slide 34 text

doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) doc.on("updateV2", (update) => { // send(update) });

Slide 35

Slide 35 text

doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) Yjs.applyUpdateV2(doc, update);

Slide 36

Slide 36 text

doc.on("updateV2", (update) => { // send(update) }); Yjs.applyUpdateV2(doc, update); const docAsUpdate = Yjs.encodeStateAsUpdateV2(doc) const docAsUpdate = Yjs.encodeStateAsUpdateV2(doc)

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

Library to sync CRDTs end-to-end encrypted useYjsSync() useAutomergeSync()

Slide 39

Slide 39 text

const yDocRef = useRef(new Yjs.Doc()); const [signatureKeyPair] = useState(() => sodium.crypto_sign_keypair() ); useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, websocketEndpoint: "ws://localhost:3030", getSnapshotKey: () => todoListKey, getNewSnapshotData: () => { return { key: todoListKey, data: Yjs.encodeStateAsUpdateV2(yDocRef.current), publicData: {}, }; }, shouldSendSnapshot: ({ snapshotUpdatesCount }) => snapshotUpdatesCount > 50, signatureKeyPair, isValidClient: () => true, sodium, });

Slide 40

Slide 40 text

useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", });

Slide 41

Slide 41 text

useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", }); yDoc: yDocRef.current,

Slide 42

Slide 42 text

useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", }); documentId: todoListId,

Slide 43

Slide 43 text

useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", }); key: todoListKey,

Slide 44

Slide 44 text

useYjsSync({ yDoc: yDocRef.current, documentId: todoListId, key: todoListKey, websocketEndpoint: "ws://localhost:3030", }); websocketEndpoint: "ws://localhost:3030",

Slide 45

Slide 45 text

No content

Slide 46

Slide 46 text

key = "c0be" "a6ea178" = encrypt("my todo", key) key = "c0be" "my todo" = decrypt("a6ea178", key) "a6ea178" "a6ea178"

Slide 47

Slide 47 text

Key Management "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U"

Slide 48

Slide 48 text

CRDT Documents const keys = { "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", };

Slide 49

Slide 49 text

Locker L

Slide 50

Slide 50 text

Locker

Slide 51

Slide 51 text

“1” “2” Locker

Slide 52

Slide 52 text

“1” “2” Locker CRDT Documents

Slide 53

Slide 53 text

const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q';

Slide 54

Slide 54 text

const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); const locker = encrypt({ });

Slide 55

Slide 55 text

const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); lockerKey,

Slide 56

Slide 56 text

const lockerKey = '8-Aw_2UhSVrgKGp77jsnTF03DPBvjvdLSUwp4savq8Q'; const locker = encrypt({ lockerKey, content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }), }); content: JSON.stringify({ "1": "aL1wBSONXU9eWD6oLdjCQ8H4jbFa762vbP6Iouk5A4U", "2": "mxKjG-qh-eg4y8N6B3cpGmC1uEn2c_YWi0s8T2H_WAo", }),

Slide 57

Slide 57 text

const { addItem, content } = useLocker(); await addItem({ documentId, key }); const key = content[documentId]; const { addItem, content } = useLocker();

Slide 58

Slide 58 text

const { addItem, content } = useLocker(); await addItem({ documentId, key }); const key = content[documentId]; await addItem({ documentId, key });

Slide 59

Slide 59 text

const { addItem, content } = useLocker(); await addItem({ documentId, key }); const key = content[documentId]; const key = content[documentId];

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

“1” “2” Locker CRDT Documents

Slide 62

Slide 62 text

Username / Password

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

username & password Login sessionKey sessionKey

Slide 66

Slide 66 text

username & password Registration exportKey

Slide 67

Slide 67 text

username & password Login exportKey

Slide 68

Slide 68 text

Opaque Locker

Slide 69

Slide 69 text

const { register, isPending } = useRegister(); const result = await register({ userIdentifier: username, password, }); result?.exportKey const { register, isPending } = useRegister();

Slide 70

Slide 70 text

const { register, isPending } = useRegister(); const result = await register({ userIdentifier: username, password, }); result?.exportKey const result = await register({ userIdentifier: username, password, });

Slide 71

Slide 71 text

const { register, isPending } = useRegister(); const result = await register({ userIdentifier: username, password, }); result?.exportKey result?.exportKey

Slide 72

Slide 72 text

const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password });

Slide 73

Slide 73 text

const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, });

Slide 74

Slide 74 text

const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, });

Slide 75

Slide 75 text

const { clientRegistrationState, registrationRequest } = opaque.startRegistration({ password }); const { registrationResponse } = await registerStartMutation.mutateAsync({ userIdentifier, registrationRequest, }); const { registrationRecord, exportKey } = opaque.finishRegistration({ clientRegistrationState, registrationResponse, password, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, }); await registerFinishMutation.mutateAsync({ userIdentifier, registrationRecord, });

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

const { login, isPending } = useLogin(); const result = await login({ userIdentifier: username, password, }); result?.exportKey const { login, isPending } = useLogin();

Slide 78

Slide 78 text

const { login, isPending } = useLogin(); const result = await login({ userIdentifier: username, password, }); result?.exportKey const result = await login({ userIdentifier: username, password, });

Slide 79

Slide 79 text

const { login, isPending } = useLogin(); const result = await login({ userIdentifier: username, password, }); result?.exportKey result?.exportKey

Slide 80

Slide 80 text

const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, });

Slide 81

Slide 81 text

const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, });

Slide 82

Slide 82 text

const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult;

Slide 83

Slide 83 text

const { clientLoginState, startLoginRequest } = opaque.startLogin({ password, }); const { loginResponse } = await loginStartMutation.mutateAsync({ userIdentifier, startLoginRequest, }); const loginResult = opaque.finishLogin({ clientLoginState, loginResponse, password, }); if (!loginResult) { return null; } const { finishLoginRequest, exportKey } = loginResult; const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, }); const { success } = await loginFinishMutation.mutateAsync({ finishLoginRequest, userIdentifier, });

Slide 84

Slide 84 text

No content

Slide 85

Slide 85 text

Opaque

Slide 86

Slide 86 text

Opaque Locker

Slide 87

Slide 87 text

Opaque “1” “2” Locker

Slide 88

Slide 88 text

Opaque “1” “2” Locker CRDT Documents

Slide 89

Slide 89 text

Opaque “1” “2” Locker CRDT Documents

Slide 90

Slide 90 text

CRDT Documents Opaque “2” Locker

Slide 91

Slide 91 text

Invitations

Slide 92

Slide 92 text

example.com/invitation/123

Slide 93

Slide 93 text

example.com/invitation/123#key=c0be

Slide 94

Slide 94 text

const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } const key = getHashParameter("key");

Slide 95

Slide 95 text

const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } const data = await acceptDocumentInvitationMutation.mutateAsync({ token });

Slide 96

Slide 96 text

const key = getHashParameter("key"); const data = await acceptDocumentInvitationMutation.mutateAsync({ token }); if (data?.documentId) { await addItem({ documentId: data.documentId, key, }); router.navigate({ pathname: `/list/${data.documentId}` }); } await addItem({ documentId: data.documentId, key, });

Slide 97

Slide 97 text

story for another time …

Slide 98

Slide 98 text

story for another time … … read my blog in the coming months

Slide 99

Slide 99 text

Simple Authentication Invitation Links

Slide 100

Slide 100 text

Advanced Account recovery Key rotation Permissions Simple Authentication Invitation Links

Slide 101

Slide 101 text

Thank you 👋 nikgraf.com lini.app secsync.com opaque-auth.com