INTRODUCTION
#whoami
• Yashin Mehaboobe
• Independent Security Researcher, Student
• Speaker – Nullcon, c0c0n, Toorcon and HITB
CURRENT SITUATION
• Systems such as Dropbox or Box do not allow secure transfer of files
• Easy and secure transfer of files needs technical knowledge
• The layman does not understand concepts such as PGP and asymmetric encryption
WHAT IS ARCANUM?
• An asymmetric-encryption-based file storage service.
• Intended to allow the sharing of files between clients securely.
• The client handles encryption as well as decryption.
• The server merely handles file storage and user management.
• This ensures that even if the server is compromised, the user data is not.
• The server exposes a REST-based API to clients.
MODULES
• Client side: Handles encryption, decryption and key generation
• Server side: Handles file storage and user management
CLIENT SIDE - OVERVIEW
• Completely handles encryption, decryption as well as user credential storage.
• Communicates with the server over HTTP
• The private key is stored locally while the public key is sent to the server.
• Connection is SSL secured
• Authentication is HTTP Basic Authentication
CLIENT SIDE - REGISTRATION
• During registration an RSA 2048-bit public/private keypair is generated
• The public key is sent to the server while the private key is stored locally
• The username, password and email are also sent to the server.
• APIs used: /create/ for registration
CLIENT SIDE - SENDING
• Sending a file:
  • Get the public key of the recipient
  • Generate an AES key
  • Encrypt the file with the generated AES key
  • Encrypt the AES key with the RSA public key
  • Prepend the encrypted AES key to the encrypted file
  • Send the file to the server
• APIs used:
  • GET /send/username to get the public key
  • POST /send/username to send the file
CLIENT SIDE - RECEIVING
• Receiving a file:
  • Fetch the file from the server
  • Decrypt the AES key using the RSA private key (locally stored)
  • Decrypt the rest of the file using the AES key
• APIs used:
  • GET /receive/all to get the list of files
  • GET /receive/number to fetch a particular file
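The sending and receiving steps above, as an added Python example (not code from the Arcanum client). It assumes the `cryptography` package instead of Keyczar, RSA-OAEP for wrapping the key, and AES-256-GCM in place of separate AES and HMAC steps; the 2-byte length prefix and all function names are hypothetical.

```python
import os
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 for wrapping the per-file AES key (assumed padding choice).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN, TAG_LEN = 12, 16


def generate_keypair():
    """Registration step: RSA 2048 key pair; the private key never leaves the client."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def seal(recipient_public_key, plaintext):
    """Sender: encrypt with a fresh AES-256 key, wrap that key, prepend it to the file."""
    aes_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(aes_key).encrypt(nonce, plaintext, None)  # ciphertext || tag
    wrapped_key = recipient_public_key.encrypt(aes_key, OAEP)
    # Hypothetical layout: 2-byte length | wrapped key | nonce | ciphertext and tag
    return struct.pack(">H", len(wrapped_key)) + wrapped_key + nonce + ciphertext


def open_envelope(private_key, blob):
    """Receiver: unwrap the AES key with the local private key, then decrypt the rest."""
    if len(blob) < 2:
        raise ValueError("truncated envelope")
    (key_len,) = struct.unpack(">H", blob[:2])
    body_start = 2 + key_len
    if len(blob) < body_start + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated envelope")
    wrapped_key = blob[2:body_start]
    nonce = blob[body_start:body_start + NONCE_LEN]
    ciphertext = blob[body_start + NONCE_LEN:]
    aes_key = private_key.decrypt(wrapped_key, OAEP)  # ValueError on wrong key
    # Raises cryptography.exceptions.InvalidTag if the stored file was modified.
    return AESGCM(aes_key).decrypt(nonce, ciphertext, None)


if __name__ == "__main__":
    priv, pub = generate_keypair()
    blob = seal(pub, b"constructed sample file contents")
    print(open_envelope(priv, blob))
```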
SERVER SIDE
• Uses a bucket file storage system
• Database used is sqlite3
• Passwords are stored as MD5 hashes
• Exposes a REST API so that clients can be created easily.
• Created using flask, sqlalchemy and restful.
ENCRYPTION
• Handled by Keyczar
• AES-256 for symmetric encryption
• RSA 2048 for asymmetric
• HMAC for data integrity
• SSL for security in transit
LOGIN
REGISTRATION
SEND TAB
RECEIVE TAB
TODO
• Web interface (partially done)
• Change to digest authentication
• Encrypt local keys
REQUIREMENTS
• Python 2.7
• Server: flask, flask-httpauth, ofs, pairtree
• Client: requests, keyczar, pyqt
• Minimum requirements:
  • 512 MB RAM
  • Dual core processor
  • At least 1 GB storage
WRAPPING UP
• Code is available at:
  • https://github.com/sp3ctr3/arcanum-server
  • https://github.com/sp3ctr3/arcanum-client
• Completely functional
• Multiplatform
• Further clients are being developed
THANK YOU
March 11-13, 2014, Korea University, Seoul, Korea