Phase I: Project Architecture and Design
The presentation of this project, is available here
We will be implementing the MEAN stack to implement our project. The Client will be done in Ionic 2 which uses AngularJS to create hybrid web/mobile apps for Android, iOS, and web. The Backend/Server will be using Node.js and Express to perform logic for all of our routes, and use PassportJS for user authentication. We will use MongoDB as our database for storing user credentials and messages. We will be using OpenPGP for key encryption and openssl. Lastly, we will be using Let’s Encrypt for certified certificates.
Users will open the client and create an account so they may be authenticated in the future. Before the user credentials are saved in the server, the client will generate the decryption key, that can not be lost, as it will not be stored in the server. After the decryption key is generated, the encryption key will be created. The user credentials, and encryption key is then sent to the server to create a new user, and a session token is returned to the client. The user will then add another user as a “friend”. The user will request the other user to add as a friend, which will allow the user to have access to their encryption key. Once the other user accepts, the encryption key will be available for the user. This encryption key will be stored on the device, and validated against the server in the event of a server hijacking. If desired, the two users can confirm they have the right encryption key, as it will be displayed as a human-readable string on the user’s devices. Then, the user may send a message to the other user. Once a user types his message, and presses "send" the original message will begin to be encrypted. The client will then GET the encryption keys for all the sender and each receiver, verify that the GET request’s certificate came from our server, and create encrypted copies for the sender and each receiver. The encrypted copies are then sent with a POST request to the server to be stored for when they are requested by the user. Once the user requests messages from a conversation, the client will GET all associated messages from the conversation associated to the user, and will use the decryption key that is stored on the client that was entered by the user on login to decrypt the messages.
We have 3 types of adversaries: Online Outsiders, Online Insiders, and Offline Outsiders
-
Online Outsiders - Online Outsiders will attempt to perform attacks such as “Man In The Middle” attacks, However, since we will be using Let’s Encrypt for SSL, there should be no way for the outsider to compromise the asset, without first breaking SSL.
-
Online Insiders - Online Insiders will also attempt to do “Man In The Middle” attacks. However, since we are using OpenSSL with OpenPGP, we shall be verifying the certificate of the responses that we get are from our trusted server, therefore any request outside of the server shall not be accepted. Also, since users will have the ability to confirm with one another which encryption keys they are requesting from the server, this will also help to prevent “Man In The Middle” attacks. Insiders could attempt to download the database to retrieve all the messages. However, since the decryption key is never sent to the server, decrypting any message from a copy of the database will be nearly impossible, and take extremely long brute force times for individual messages.
-
Offline Outsiders - Offline Outsiders, such as Mehrdad Aliasgari, can attempt to steal the User’s phone or attempt an evil maid attack. This is the only type of adversary we are not account for and the user of the application shall be fully responsible for such offline adversaries.
What exactly your chat app does, any extra features such as group chatting capability?
Our chat application allows users to create an account, add friends, and send messages to one another. We will be supporting group messaging between accounts. The platforms and frameworks can be found in Project Implementation, and a high overview of our api can be found in Project Flow / Use Case
Assets:
- Facebook User Login Security Check List:
- Never include your App Secret in client-side or decompilable code.
- Sign all server-to-server Graph API calls with your App Secret
- Use unique short-term tokens on clients
- Don’t trust that access tokens in use by your app were actually generated by your app.
- Use the state parameter when using the login dialog.
- Use facebook’s official SDKs where possible
- Reduce our app’s attack surface area by locking down our Facebook app settings.
- User’s information such as message, ID, and email.
Stakeholders:
- Users of the end-to-end encrypted messenger application
As stated in the Adversarial Model, our possible vulnerability would be offline outsiders. In the sense that, if someone were able to steal a user’s device, they would have access to the decryption key stored on the device. However, this is assuming this person understands how the device cache works, and how to access the devices internal files.
var userSchema = {
id: "int",
encryptionKey: "string",
userName: "string",
passwordSalt: "string",
friends: ["int"]
}
var messageSchema = {
id: "int",
encryptedMessage: "string",
senderId: "int",
receiverId: ["int"]
}Aaron has used Let’s Encrypt on the past on his personal projects, as well as developed web apps using the MEAN stack, such as linkDrops. Kumin, as well, is quite versed with the MEAN stack.
How are we going to provide message integrity:
To provide message integrity we need to first obtain a certificate from a CA and secure our server using Transport Layer Security, also known as SSL. This allows us to check if a given request was made from our server and deny all request that was not made from our own server. We will also be using HMAC256
How are we going to provide message confidentiality:
To provide message confidentiality, we will be using OpenPGP. OpenPGP provides many modules for hashing, encrypting, and decrypting messages and objects.
How are we going to provide user authentication:
We are going to provide user authentication by using PassportJS and Facebook-Passport for OAuth 2.0. This will allow us to make sure the user is who he/she says he/she is.
How are we going to generate the private and public keys:
The private key will be generated by the client and will be saved in the client. The public key will be generated from the private key by using OpenPGP's key generating modules, which will encrypt the private key and generate a new public key. Then the public key will be sent and stored to the server.