peergos.org ■ Ian Preston ■ @ianopolous Is your data secure?

peergos.org ■ Ian Preston ■ @ianopolous

peergos.org ■ Ian Preston ■ @ianopolous  I want to store my files online, but without Dropbox being able to read them.  I want to selectively share my photos, but without Facebook seeing them.  I want to store my files online, but not in a company that could go bankrupt.

peergos.org ■ Ian Preston ■ @ianopolous What do I want? Security  Safelogin  Strong crypto, ideallypost- quantum  Hide filemetadata  Free of SSLCas  Free ofDNS

peergos.org ■ Ian Preston ■ @ianopolous What do I want? Security  Safelogin  Strong crypto, ideallypost- quantum  Hide filemetadata  Free of SSLCas  Free ofDNS Control ● Selfhostable ● Selectively sharefiles ● Hidecontacts ● Pseudonymous

peergos.org ■ Ian Preston ■ @ianopolous What do I want? Security  Safelogin  Strong crypto, ideallypost- quantum  Hide filemetadata  Free of SSLCas  Free ofDNS Convenience Control ● Selfhostable ● Selectively sharefiles ● Hidecontacts ● Pseudonymous ● Webinterface ● Log in from anydevice ● Filesyncing ● Publishfiles ● Resilient ● As convenient as Dropbox,Facebook

peergos.org ■ Ian Preston ■ @ianopolous Control

peergos.org ■ Ian Preston ■ @ianopolous Overall architecture IPFS Hash → data IPNS Public key → Hash PKI Server PKI root hash Peergos Server Follow requests Peergos Client

peergos.org ■ Ian Preston ■ @ianopolous Basic structure ● Global file system ● /username/yourfiles ● Tree of symmetric keys (TweetNaCl) with cryptographic links between (Cryptree) ● Location + Key = cryptographic access token or capability (CAP) ● Explicitly don't use convergent encryption!

peergos.org ■ Ian Preston ■ @ianopolous Base key Directory File Metadata key Parent key Metadata key Sub-directory Parent key Metadata key work File contents Parent key Base key Data key Cryptree ianopolous thesis.tex 72 KiB Modified: 15:23 14/3/2016 text/plain

peergos.org ■ Ian Preston ■ @ianopolous Chunk raw file Raw file 5 MiB 5 MiB 5 MiB

peergos.org ■ Ian Preston ■ @ianopolous Chunk raw file Encrypt chunk Raw file 5 MiB 5 MiB 5 MiB 5 MiB

peergos.org ■ Ian Preston ■ @ianopolous Chunk raw file Encrypt chunk Split Raw file 5 MiB 5 MiB 5 MiB 5 MiB 40 * 128 KiB

peergos.org ■ Ian Preston ■ @ianopolous Chunk raw file Encrypt chunk Split Upload Raw file 5 MiB 5 MiB 5 MiB 5 MiB 40 * 128 KiB IPFS Encrypted metadata + fragment hashes

peergos.org ■ Ian Preston ■ @ianopolous File system CHAMP Cryptree node File fragment CHAMP node File fragment File fragment CHAMP node CHAMP node

peergos.org ■ Ian Preston ■ @ianopolous How does sharing work? ● Users have a public boxing key ● To send a follow request: create a directory /myname/sharing/friendname ● Send a read CAP to this directory encrypted to friend's public key ● Shared files are currently vulnerable to a quantum computer ● Will move to post-quantum sharing as soon as a clear candidate arrives

peergos.org ■ Ian Preston ■ @ianopolous Convenience

peergos.org ■ Ian Preston ■ @ianopolous Decentralized login? Scrypt hash Password Username Signing keypair ~1 second Only ever stored in RAM, never written to disk or transmitted Root key Boxing keypair

peergos.org ■ Ian Preston ■ @ianopolous Public links? Read (or write) CAP encoded in a URL: demo.peergos.net/#Public_writing_Key/Subspace_label/Decryption_Key Material after # is not sent to the server → file still isn't exposed to the network Can share an individual file or a folder.

peergos.org ■ Ian Preston ■ @ianopolous Security

peergos.org ■ Ian Preston ■ @ianopolous Can a login be cracked? ● Brute force is practically impossible with a good password ● Random 14 character alpha-numeric password has ~ 2^84 ~ 10^25 possibilities ● A GPU can calculate ~ 1M scrypt hashes/s (measured by litecoin users) ● One GPU cracking a single user’s login would take 10^19 seconds or ~ 300 billion years ● 300 million GPUs would take 1000 years ● GPU purchase cost = 300 billion USD

peergos.org ■ Ian Preston ■ @ianopolous What about quantum computer based attacks?

peergos.org ■ Ian Preston ■ @ianopolous  All encryption is symmetric encryption using TweetNaCl, or hashing through scrypt  Both have no known quantum attacks

peergos.org ■ Ian Preston ■ @ianopolous “But Javascript crypto is insecure!”

peergos.org ■ Ian Preston ■ @ianopolous Threat model A (casual user): ● Trusts our public server ● Trust the SSL certificate hierarchy Depends on your threat model...

peergos.org ■ Ian Preston ■ @ianopolous Threat model B (paranoid user): ● Doesn't trust our public server ● Doesn't trust the SSL chain Run Peergos on own machine AIR GAP Faraday Cage Binary, compiled with 3 different compilers, from signed source

peergos.org ■ Ian Preston ■ @ianopolous Build security ● Reproducible builds, both server and front end ● Do not use npm! Only 8 JS dependencies, all vendored ● Have our own deterministic replacement for webpack, and minifiers ● Self host all assets ● Most of the client code is written in a type-safe language (Java) and cross-compiled to JS

peergos.org ■ Ian Preston ■ @ianopolous Demo

peergos.org ■ Ian Preston ■ @ianopolous Current status: Pre alpha ● Web-interface – done ● Use actual IPNS – to do ● Tor integration – to do ● Fuse client – done ● Security audit – to do ● Granting write access – not in UI yet ● Private keystore of friends (TOFU) – done

peergos.org ■ Ian Preston ■ @ianopolous Join community! ● Sign up to hear when our alpha is ready (soon): https://peergos.org ● Read our book: https://peergos.github.io/book ● Try our demo at https://demo.peergos.net ● Contribute https://github.com/peergos/peergos ● Currently we are a team of 4 contributors

peergos.org ■ Ian Preston ■ @ianopolous Questions?