End-to-End Encryption of Distributed Applications

End-to-End Encryption in Distributed Applications

@jeffinkoguru – [email protected]

Hi, I'm Jeff



The need for applications to speak in encryptedmessages is no longer an after-thought it is

a requirement



What is End-to-End Encryption?



A method of communicating where only theauthorized users can read the messages



This method is used by apps like WhatsApp & Signal



It prevents man-in-the-middle attacks



If done right, you need physical accessto read the communications



Even if an ISP is asked to supply a customerscommunications, it will only appear as..



The recent WikiLeaks show that even.. The CIA could not break End-to-End Encryption



They had to create malware that “uses” the app onyour phone in order to read the messages.

Or

Keyloggers that capture the message as youenter it into the program before it is encrypted



So how do we implement this?



We want our system to be as secure as possible



We don't want to store our keys somewherethey can be hacked/stolen. They need to be

generated and one-time use only.



Give Me Your Keys!!!



What Keys?



When encrypting our messages, we also don'twant to know the password. They need to be

generated and one-time use only.



We want to use the strongest encryption available



Not SHA-1 ;)

Thanks Google!



We want to sign our message so weknow it was not tampered with during transit.



We don't want someone monitoring our networktraffic to easily recognize the format of our

messages. The structure should be random.



What are some of options we have?



Option 01:

JSON Web Tokens



Output:

Our Code:



The Benefits



Our payload is encrypted into a small packet



We can use different algorithms



The Problems



There are too many constants, even when thepayload and secret are different





This is partly because the header containsinformation about what algorithm

is used and the type of token

So it will remain constant if these are the same



The separator is always a period



The secret is embedded into our code



Is there a better way?



Option 02:

blanket



Output:

Our Code:



The Benefits



Our outputs are more randomized than in JWT





The secret is generated for us and destroyed after use



The Problems



Our separator could be more random

It is currently a random three digit number



The message size is much bigger

vs



The Differences



JWT blanket



In JSON Web Tokens (JWT)

Even with a new secret, parts of the message structure and output are always the same



In blanket

Our secret is random and the output is always different,

even with the same input



Things We Can Improve



We can randomize the size and location of theseparator to further disguise the

structure of our messages



We can use a hardware secret generator

Like YubiKey or Embedded Chips



Over time our own sequence, even though morerandom, could be discovered. So we should

constantly improve our own code and think of ways to break it



Nothing is ever “secure enough”!



For more information you can visit..

github.com/jpadilla/pyjwt

or

github.com/JeffinkoGuru/blanket



Thank You!



Questions?

Presentations & Public Speaking

End-to-End Encryption of Distributed Applications