Code Monkey home page Code Monkey logo

postguard's Introduction

PostGuard

โš ๏ธ Warning: This implementation has not been audited. Use at your own risk!

PostGuard is an Identity-Based Encryption (IBE) service that can be used to encrypt messages. In Identity-Based Encryption, anyone can encrypt messages for one another. Instead of a public key, the sender only requires the master public key and an identity of the recipient. In order to decrypt, the receiver proves against a Private Key Generator (PKG) - a trusted third party - that he is indeed the correct recipient. Upon succesfully doing so, the receiver obtains a key that can be used to decrypt the message.

About this repository

The repository consists of a workspace with four members:

crate/package description
pg-core The core library. The core library's functionality includes:
  • Managing metadata containing required data for key decapsulation, including (compact binary) serialization.
  • Serialization of all artifacts that are sent over the network/stored to disk (e.g., public keys, user secret keys, ciphertexts, etc.).
  • A streaming encryption interface (under the stream feature) with an efficient wasm back-end (leveraging the WebCrypto API), see web and stream feature.
pg-pkg An HTTP API server written in actix-web that runs an instance of a Private Key Generator (PKG).
pg-wasm A library that generates Web Assembly bindings (using wasm-pack) that allows interfacing with the core library in web applications.
pg-cli A command-line (client) utility that encrypts and decrypts files.

Authentication providers

PostGuard uses Yivi, a privacy-friendly identity platform, to authenticate these identities. These identities are stored on the users phone in the Yivi app in the form of uniquely identifying attributes. These attributes can freely and selectively be disclosed by the user to any party, but only with explicit consent of the user. Eventhough PostGuard uses Yivi, other authentication modules could easily be intregrated.

Session flow

A typical PostGuard session can be depicted as follows. The red actions require user interaction. All other actions are automatic.

PostGuard

  1. The PKG generates a public/private master key pair.
  2. Alice's client retrieves the public master key from the PKG.
  3. Alice uses the public master key and Bob's identity to encrypt a message.
  4. Alice's client sends the ciphertext to Bob via a possibly untrusted channel/cloud storage.
  5. Bob's client asks for a key to decrypt the ciphertext.
  6. The PKG starts an authentication session at the Yivi server.
  7. Bob is asked to reveal his identity, using a QR code.
  8. Bob reveals his identity.
  9. The Yivi server sends the authentication results to the PKG.
  10. The PKG issues a key for Bob's identity.
  11. Bob's client decrypts the ciphertext using his just obtained key.

Funding

Development of PostGuard was initially funded by the Next Generation Internet initiative (NGI0) and NLnet. The project is currently funded by a 4-year project from NWO under the name "Encryption 4 All".

postguard's People

Contributors

bwesterb avatar dependabot[bot] avatar iso5786 avatar ivard avatar leonbotros avatar rowang077 avatar wassasin avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar

Forkers

kuboon doralter andrewnimmo

postguard's Issues

Domain seperation

Currently, there's no domain seperation in place to prevent switching the boundary between the attribute type and the attribute value. This can potentially lead to someone obtaining a decryption key for an identity without matching the exact same combination of type/value (e.g., pbdf.sidn-pbdf.email.emails and [email protected]).

Conjunctions

Right now an identity consists of one attribute (type and value). Identities containing conjunctions could be introduced, with some care. Specifically, all syntactically equal identities should map to the same identity buffer.
For example the identity
{type: 'a', value: 'c'} AND {type: 'b', value: 'd'}
is identical to
{type: 'b', value: 'd'} AND {type: 'a', value: 'c'}

To solve this we could sort the conjunction members on type (first key) and value (second key).
To make sure big conjunctions form no issues we could hash to get the desirable identity buffer length.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.