
I want to work on a photo-sharing tool, where I can:

  • store photos on untrustworthy disk space (like the cloud)
  • share photo albums with friends and family
  • update photo albums (rarely but happens)
  • share an existing album with additional people

One problem that comes up is:

  • if the photos are encrypted client-side, it usually means only I have the key
  • which means other people could download, but not decrypt the file

Is there a good solution around that problem, where different users could collaborate on collections of files, while files stay encrypted on disk?

p.s.

  • I'm aware of this question, but I'm looking for cryptographic techniques, rather than ready made tools.
  • I want any server component to be optional, so that this app is p2p-first. Cloud storage would be optional too, serving as a backup target. That means there would probably not be any centrally managed user database.

2 Answers


The typical way of sharing the same file securely with multiple recipients is as follows:

  1. First, the sender generates a random symmetric encryption key, and uses the key to encrypt the file using symmetric encryption.

  2. For each recipient, the sender encrypts the symmetric key using the recipient's public key. The sender sends the encrypted symmetric key to the recipient, along with a link to where the recipient can download the encrypted file.

  3. The recipient downloads the encrypted file, and decrypts the symmetric key using his/her private key. Then, the recipient uses the symmetric key to decrypt the file.

Using this method, the file is encrypted only once, as opposed to encrypting the file for each recipient.

mti2935
  • This is exactly what I needed. Thanks! – Nicolas Marshall Jul 28 '21 at 17:33
  • This method is vulnerable to MiTM attacks. – Mohamed Waleed Jul 28 '21 at 17:35
  • An attack (done by a malicious server, for example) similar to [this](https://youtu.be/vsXMMT2CqqE) will break the whole method. – Mohamed Waleed Jul 28 '21 at 17:38
  • Yes, like any system built on public key encryption (including Signal), the sender must have a way to authenticate the recipient's public key. This can be done using a PKI model with certificate authorities (as is done on the web with SSL/TLS), a web of trust model (as is used with GPG/PGP), a trust on first use (TOFU) model (as is used with SSH), or an out-of-band model (as Signal uses). – mti2935 Jul 28 '21 at 17:39
  • @mti2935 All of this protects the connection between the user and the server from being intercepted by a middle party. What I mean is that the server is considered a middle party between Alice and Bob (the users). I am not sure, but I think you mean the chat safety number by "out-of-band model that Signal uses"; yes, this model protects the users from being tracked by the server of the tool itself, and it is generated after the X3DH handshake. But the other authentication methods you mentioned don't protect the users from the server. – Mohamed Waleed Jul 28 '21 at 17:51
  • Good to know about possible MitM attacks. The intended users are groups of friends/family who already know each other and already have a way of contacting each other (e.g. secure messaging). Even if not perfectly secure, I was intending to include the public key in the initial message (i.e. the sharing link) sent over these more or less secure channels (messaging platforms). Is this okay given the use case? – Nicolas Marshall Jul 28 '21 at 18:03
  • @MohamedWaleed, OK, let's walk through this. You send me your public key, and I verify that it's yours through some out-of-band method. Now, I generate a random symmetric key, and use that key to encrypt the file using AES-GCM. I then upload the encrypted file to an untrusted server, and I encrypt the symmetric key using your public key, and send that to you, along with a link to access the encrypted file from the server. How can the server do anything malicious, without you noticing (e.g. an AES-GCM integrity verification error)? – mti2935 Jul 28 '21 at 18:05
  • @mti2935 1) How will you verify that the public key belongs to the user? I didn't understand what out-of-band method you mean... 2) When the private key gets compromised, the attacker can decrypt all the encrypted sent data, as there is no future secrecy (the Double Ratchet algorithm is not vulnerable to this). – Mohamed Waleed Jul 28 '21 at 18:20
  • Out of band - e.g. I call you, I verify that it's really you, then you read me a sha256 hash of your public key (all 32 bytes in hex format) and I verify that it's what you sent me. Yes, if the private key is compromised, then this method fails. Signal is an ingenious protocol, and it provides perfect forward secrecy and break-in recovery, neither of which this simple method provides. But, I can't see how this method is vulnerable to a MITM attack by a malicious server, as long as the public key is authenticated and the private key is protected. This is basically how PGP/GPG works. – mti2935 Jul 28 '21 at 18:36
  • @mti2935 Sorry, I was wrong. I didn't understand well what out-of-band method you meant or how it is done. By this, your method is not vulnerable to MiTM attacks or even to being tracked by a malicious server, as long as users verify the hashes of their public keys; but as you mentioned, this simple method doesn't provide forward secrecy, and this is one of the reasons I suggested the Signal protocol. You still need to implement some key-rotation mechanism to prevent problems that may happen when the private key is compromised. – Mohamed Waleed Jul 28 '21 at 19:19
  • @MohamedWaleed I agree, Signal (and its related protocols) are superior to this. This is basically similar to PGP/GPG, where a user uses the same keypair for years. But, it is vulnerable if the private key is compromised. – mti2935 Jul 28 '21 at 19:27
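The three steps of this answer, as an added example in Go; this is not code from the answer or from any project. It encrypts the album once with AES-256-GCM, wraps the file key for each recipient with RSA-OAEP, and indexes each wrapped copy by a public-key fingerprint (SHA-256 of the DER-encoded key), the value the comment thread has people read to each other out of band before trusting a key. It also goes one step beyond the answer and covers the question's "share an existing album with additional people" case: AddRecipient wraps the same file key for one more person without touching the uploaded ciphertext. The names Envelope, Fingerprint, AddRecipient, the OAEP label "album-key" and the sample album bytes are my choices, not anything from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Envelope is what goes to the untrusted store: one AES-GCM ciphertext plus one wrapped file key per recipient.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-GCM output, tag appended
	WrappedKeys map[string][]byte // public-key fingerprint -> RSA-OAEP(fileKey)
}

// Fingerprint is SHA-256 over the DER (PKIX) encoding of a public key, the value compared out of band.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // no error for a valid RSA key
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not something to continue past
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRecipients encrypts the album once under a fresh random file key
// and wraps that key for every recipient; the owner keeps the returned key to add people later.
func EncryptForRecipients(plaintext []byte, recipients []*rsa.PublicKey) (*Envelope, []byte, error) {
	fileKey := randomBytes(32)
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for _, pub := range recipients {
		if err := AddRecipient(env, fileKey, pub); err != nil {
			return nil, nil, err
		}
	}
	return env, fileKey, nil
}

// AddRecipient shares an existing envelope with one more person: only the
// 32-byte file key is wrapped again; the ciphertext is untouched.
func AddRecipient(env *Envelope, fileKey []byte, pub *rsa.PublicKey) error {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, []byte("album-key"))
	if err != nil {
		return err
	}
	env.WrappedKeys[Fingerprint(pub)] = wrapped
	return nil
}

// Decrypt is the recipient side: no wrapped key for this person, or a ciphertext
// modified by the storage provider, produces an error rather than data.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[Fingerprint(&priv.PublicKey)]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for this recipient")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("album-key"))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, fileKey, _ := EncryptForRecipients([]byte("constructed sample album bytes"), []*rsa.PublicKey{&alice.PublicKey})
	// Later: share the same upload with Bob, after checking his fingerprint out of band.
	fmt.Println("bob:", Fingerprint(&bob.PublicKey), AddRecipient(env, fileKey, &bob.PublicKey))
	got, err := Decrypt(env, bob)
	fmt.Printf("bob decrypts: %q (err=%v)\n", got, err)
}
```

Only the WrappedKeys table changes when someone is added; the ciphertext is uploaded once. Two limits follow from the design and match the comment thread: every wrapped copy is the same long-term file key, so removing a recipient means generating a new key and re-encrypting, and a compromised private key unwraps every album ever wrapped for it.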

You can check out the Signal Protocol.

This protocol is mainly used to transfer end-to-end encrypted data.

The protocol mainly consists of:

1) X3DH (Extended Triple Diffie-Hellman) key agreement protocol

X3DH establishes a shared secret key between two parties who mutually authenticate each other based on public keys. X3DH provides forward secrecy and cryptographic deniability.

2) The Double Ratchet Algorithm

The Double Ratchet algorithm is used by two parties to exchange encrypted messages based on a shared secret key. The parties derive new keys for every Double Ratchet message so that earlier keys cannot be calculated from later ones. The parties also send Diffie-Hellman public values attached to their messages. The results of Diffie-Hellman calculations are mixed into the derived keys so that later keys cannot be calculated from earlier ones. These properties give some protection to earlier or later encrypted messages in case of a compromise of a party's keys.

By using the Signal Protocol, you can safely transfer any kind of traffic between parties, and even you can't see the photos your users are sharing using your tool.
Also, the Signal Protocol is not vulnerable to MiTM attacks as long as the users are mindful of the chat code (known as the safety number in Signal and the security code in WhatsApp) that is generated after the X3DH handshake (you will learn about it from a video in the resources below).

About managing file encryption keys:

You can use a zero-knowledge authentication protocol to authenticate your users, so that you can't know what passwords the users are using. Then you can (on the client side) use the password of the user's account (if you have an account system) to derive an encryption key, and use it to encrypt the encryption keys of the encrypted photos so they can be stored safely in the cloud; that way you won't need to worry about how to manage encryption keys on the client side.

Note: if the user forgets their password, the encryption keys cannot be recovered.

Other useful resources:

  1. This video will help you understand more about end-to-end encryption
  2. This video will help you understand X3DH key agreement protocol
  3. This video will help you understand the Double Ratchet algorithm
  4. This video will help you understand how to share end-to-end encrypted data between more than two parties
  5. This video will help you understand more about zero knowledge authentication
Mohamed Waleed
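The symmetric-key ratchet from the Double Ratchet description in this answer, as an added example in Go; this is not code from the answer or from Signal. It implements only the chain-key KDF step, using HMAC-SHA256 with the single-byte inputs 0x01 (message key) and 0x02 (next chain key) that the Double Ratchet specification gives as its example, and a constructed constant stands in for the X3DH shared secret. What it shows is the claim that "earlier keys cannot be calculated from later ones": the KDF is one-way and the previous chain key is zeroed, so an attacker who copies a party's state after message n obtains message keys from n onward but nothing before. The Diffie-Hellman ratchet that heals the chain after such a compromise ("later keys cannot be calculated from earlier ones") is not implemented here. The names KdfCK, Chain, Next and Snapshot are my choices.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KdfCK is one step of the Double Ratchet's symmetric-key ratchet: the current
// chain key is the HMAC key, input 0x01 derives the message key and input 0x02
// derives the next chain key (the example constants from the Signal spec).
// HMAC-SHA256 is one-way, so chain key n reveals nothing about chain key n-1
// or message key n-1, while everything from n onward follows from it.
func KdfCK(chainKey []byte) (nextChainKey, messageKey []byte) {
	mac := hmac.New(sha256.New, chainKey)
	mac.Write([]byte{0x01})
	messageKey = mac.Sum(nil)
	mac.Reset()
	mac.Write([]byte{0x02})
	nextChainKey = mac.Sum(nil)
	return nextChainKey, messageKey
}

// Chain is one party's sending (or receiving) chain. Only the current chain
// key is stored; the previous one is zeroed as soon as it has been used.
type Chain struct {
	chainKey []byte
	N        int // index of the next message key this chain will produce
}

// NewChain starts a chain from a shared secret, e.g. the output of X3DH.
func NewChain(sharedSecret []byte) *Chain {
	return &Chain{chainKey: append([]byte(nil), sharedSecret...)}
}

// Next advances the ratchet and returns (message number, message key). The
// message key is what an AEAD such as AES-GCM would use for that one message.
func (c *Chain) Next() (int, []byte) {
	next, mk := KdfCK(c.chainKey)
	for i := range c.chainKey {
		c.chainKey[i] = 0 // forward secrecy: the old chain key no longer exists
	}
	c.chainKey = next
	n := c.N
	c.N++
	return n, mk
}

// Snapshot models a break-in: the attacker copies the party's current state.
func (c *Chain) Snapshot() *Chain {
	return &Chain{chainKey: append([]byte(nil), c.chainKey...), N: c.N}
}

func main() {
	shared := sha256.Sum256([]byte("constructed stand-in for an X3DH shared secret"))
	alice, bob := NewChain(shared[:]), NewChain(shared[:])
	for i := 0; i < 3; i++ {
		_, a := alice.Next()
		_, b := bob.Next()
		fmt.Printf("message %d key %s... both sides agree: %v\n", i, hex.EncodeToString(a[:6]), bytes.Equal(a, b))
	}
	stolen := alice.Snapshot() // attacker copies Alice's state after message 2
	_, fromStolen := stolen.Next()
	n, fromAlice := alice.Next()
	fmt.Printf("stolen state yields message key %d: %v; keys 0..2 cannot be recomputed from it\n", n, bytes.Equal(fromStolen, fromAlice))
}
```

In the full protocol the chain key itself is periodically replaced from a new Diffie-Hellman output, which is what limits how far forward a stolen snapshot remains useful; the chain above runs on forever from the same secret, which is exactly the "no future secrecy" gap discussed in the comments on the first answer.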