Arcanum - Client side encryption based file storage service.
INTRODUCTION
#whoami
• Yashin Mehaboobe
• Independent Security Researcher, Student
• Speaker – Nullcon, c0c0n, Toorcon and HITB
CURRENT SITUATION
• Systems such as Dropbox or Box do not allow secure transfer of files
• Easy and secure transfer of files needs technical knowledge
• The layman does not understand concepts such as PGP and asymmetric encryption
WHAT IS ARCANUM?
• An asymmetric encryption based file storage service.
• Intended to allow the sharing of files between clients securely.
• The client handles encryption as well as decryption.
• The server merely handles file storage and user management.
• This ensures that even if the server is compromised, the user data is not.
• The server exposes a REST based API to clients.
MODULES
• Client side: handles encryption, decryption and key generation
• Server side: handles file storage and user management
CLIENT SIDE - OVERVIEW
• Completely handles encryption, decryption as well as user credential storage.
• Communicates with the server over HTTP
• The private key is stored locally while the public key is sent to the server.
• Connection is SSL secured
• Authentication is HTTP Basic Authentication
CLIENT SIDE - REGISTRATION
• During registration an RSA 2048-bit public/private keypair is generated
• The public key is sent to the server while the private key is stored locally
• The username, password and email are also sent to the server.
• APIs used:
  - /create/ for registration
CLIENT SIDE - SENDING
• Sending a file:
  - Get the public key of the user to send to
  - Generate an AES key
  - Encrypt the file with the generated AES key
  - Encrypt the AES key with the recipient's RSA public key
  - Prepend the encrypted AES key to the encrypted file
  - Send the file to the server
• APIs used:
  - GET /send/username to get the public key
  - POST /send/username to send the file
CLIENT SIDE - RECEIVING
• Receiving a file:
  - Fetch the file from the server
  - Decrypt the AES key using the RSA private key (locally stored)
  - Decrypt the rest of the file using the AES key.
• APIs used:
  - GET /receive/all to get the list of files
  - GET /receive/number to fetch a particular file
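The sending and receiving flows above, together with the AES-256 / RSA 2048 choices on the ENCRYPTION slide, as one worked example added here; it is not the Arcanum client's code. Arcanum uses Keyczar with an HMAC for integrity; this example substitutes the `cryptography` package with RSA-OAEP for wrapping the file key and AES-256-GCM (an AEAD mode, so the integrity check is built in). The envelope layout follows the deck: wrapped AES key first, then the encrypted file. The HTTP calls to /create/, /send/username and /receive/number are left out; the functions take and return the blob those endpoints would carry, and the file contents are constructed inline.

```python
import secrets
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters for wrapping the per-file AES key (assumed choice; the
# deck only says "RSA 2048").
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12  # AES-GCM nonce size in bytes
TAG_LEN = 16    # AES-GCM authentication tag size in bytes


def generate_keypair():
    """Registration step: RSA-2048 keypair. The private key object stays local;
    the PEM-encoded public key is what the client would send to /create/."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


def encrypt_for_recipient(plaintext: bytes, recipient_public_pem: bytes) -> bytes:
    """Sending step: fresh AES-256 key -> encrypt file -> wrap key with the
    recipient's RSA public key -> prepend wrapped key. Returns the blob the
    client would POST to /send/username."""
    public_key = serialization.load_pem_public_key(recipient_public_pem)
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = AESGCM(file_key).encrypt(nonce, plaintext, None)  # ciphertext || tag
    wrapped_key = public_key.encrypt(file_key, OAEP)
    # RSA-OAEP output is always modulus-sized (256 bytes for RSA-2048), so the
    # receiver can split on that boundary without a length prefix.
    assert len(wrapped_key) == public_key.key_size // 8
    return wrapped_key + nonce + body


def decrypt_received(blob: bytes, private_key) -> bytes:
    """Receiving step: split off the wrapped key, unwrap it with the local RSA
    private key, then decrypt (and integrity-check) the rest of the file."""
    wrapped_len = private_key.key_size // 8
    wrapped_key, rest = blob[:wrapped_len], blob[wrapped_len:]
    nonce, body = rest[:NONCE_LEN], rest[NONCE_LEN:]
    file_key = private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(file_key).decrypt(nonce, body, None)


def can_decrypt(blob: bytes, private_key) -> bool:
    """True if the blob unwraps and authenticates under this private key.
    ValueError: wrong RSA key (OAEP unwrap fails); InvalidTag: body tampered."""
    try:
        decrypt_received(blob, private_key)
        return True
    except (ValueError, InvalidTag):
        return False


def demo() -> dict:
    """End-to-end run on a constructed file, including two failure cases."""
    alice_priv, alice_pub = generate_keypair()   # intended recipient
    other_priv, _ = generate_keypair()           # some other registered user
    plaintext = b"constructed sample: quarterly report draft"
    blob = encrypt_for_recipient(plaintext, alice_pub)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the tag
    return {
        "roundtrip_ok": decrypt_received(blob, alice_priv) == plaintext,
        "blob_len": len(blob),
        "expected_len": 256 + NONCE_LEN + len(plaintext) + TAG_LEN,
        "other_user_can_read": can_decrypt(blob, other_priv),
        "tampered_accepted": can_decrypt(tampered, alice_priv),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The fixed-size RSA output is what makes the deck's "prepend the key" layout parseable without a length field; switching to a different key size or wrapping scheme would need an explicit length prefix. And, as in the deck's flow, the sender trusts whatever public key GET /send/username returns, so the "server compromised, data still safe" property covers files already stored but not files sent after the server starts handing out substituted keys; pinning or out-of-band fingerprint checks would close that gap.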
SERVER SIDE
• Uses a bucket file storage system
• Database used is sqlite3
• Passwords are stored as MD5 hashes
• Exposes a REST API so that clients can be easily created.
• Created using flask, sqlalchemy and restful.
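The "passwords are stored as MD5 hashes" point deserves a side-by-side look, so here is an added example (not the Arcanum server's code) showing the unsalted MD5 verifier beside a salted, iterated PBKDF2-HMAC-SHA256 verifier built from the Python standard library. The user records are constructed for the demonstration; the iteration count and the stored-hash format are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; two users who chose the same password.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "correct horse")]


# --- as on the page: unsalted MD5 -------------------------------------------
def md5_store(password: str) -> str:
    """Unsalted, single-pass digest: identical passwords give identical rows."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)


# --- hardened: per-user salt, slow iterated hash, constant-time compare ------
PBKDF2_ITERATIONS = 200_000  # assumption: tune to the server's CPU budget


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Store as algorithm$iterations$salt$digest so parameters can change later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users=SAMPLE_USERS) -> dict:
    """Shows why the MD5 table leaks password reuse and why PBKDF2 does not."""
    md5_rows = {u: md5_store(p) for u, p in users}
    pbkdf2_rows = {u: pbkdf2_store(p) for u, p in users}
    return {
        "md5_identical_for_same_password": md5_rows["alice"] == md5_rows["bob"],
        "pbkdf2_identical_for_same_password": pbkdf2_rows["alice"] == pbkdf2_rows["bob"],
        "pbkdf2_verifies": pbkdf2_verify("correct horse", pbkdf2_rows["alice"]),
        "pbkdf2_rejects_wrong": pbkdf2_verify("wrong", pbkdf2_rows["alice"]),
        "md5_verifies": md5_verify("correct horse", md5_rows["bob"]),
    }


if __name__ == "__main__":
    for k, v in compare_schemes().items():
        print(k, v)
```

The self-describing stored format is what lets the iteration count be raised later without a forced password reset. Note also that the TODO slide's move to digest authentication changes what crosses the wire, not how the verifier is stored; the storage fix is a separate change.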
ENCRYPTION
• Handled by Keyczar
• AES-256 for symmetric encryption
• RSA 2048 for asymmetric
• HMAC for data integrity
• SSL for security in transit
LOGIN
REGISTRATION
SEND TAB
RECEIVE TAB
TODO
• Web interface (partially done)
• Change to digest authentication
• Encrypt local keys
REQUIREMENTS
• Python 2.7
• Server: flask, flask-httpauth, ofs, pairtree
• Client: requests, keyczar, pyqt
• Minimum requirements:
  - 512 MB RAM
  - Dual core processor
  - At least 1 GB storage.
WRAPPING UP
• Code is available at:
  - https://github.com/sp3ctr3/arcanum-server
  - https://github.com/sp3ctr3/arcanum-client
• Completely functional
• Multiplatform
• Further clients are being developed
THANK YOU
11-13 March 2014
Korea University, Seoul, Korea
