rod icon indicating copy to clipboard operation
rod copied to clipboard
verified publisher icon mmalmi

Plan for implementing encryption?

Open trosel opened this issue 4 years ago • 6 comments

I’m wondering if there is a plan in place for implementing encryption (and using it for Iris messaging).

I know Rust has a couple really mature encryption crates. Have they been assessed or chosen for this yet?

trosel avatar Apr 08 '22 00:04 trosel

Encryption and decryption of Iris messages is done on the client side, so gun.js should be sufficient until there's a rust client. But the server needs cryptography to check signatures of user space data.

mmalmi avatar Apr 12 '22 11:04 mmalmi

I wanted to use Iris for a username and messaging solution, but the architecture is not as clear now with gun-rs and gunjs.

Do you think it would be better to wait until SEA is ported to gun-rs and then just use that one solution?

trosel avatar Apr 12 '22 17:04 trosel

I believe gun.js is sufficient. But you might need to borrow (and maybe fix) a lot of code from iris-messenger, as I haven't had the capacity to move it into iris-lib 😬

mmalmi avatar Apr 13 '22 07:04 mmalmi

Just added signature verification for user space writes.

mmalmi avatar May 24 '22 11:05 mmalmi

I'm looking to make a rust app without any javascript - so the user identity and secret sharing would be very helpful.

With sig verification, this would be simpler to implement by a new contributor, as now there's some relevant code in there already.

Looking at the API from GUN there's a lot to replicate. I will skip over the alias/user/password/salt management, that can be done application-side, and the aliases should be ~ and the public keys anyway, right?

  • SEA.pair()
  • secret()
    • use ring::agreement::
    • maybe follow that comment about RFC 7748 to use key derivation function on the public key and shared material
  • sign(), verify(), - use ring sign, verify - follow signature verification examples
  • encrypt()/decrypt()
    • symmetric encrypt/decrypt can be done app-side using secret() for sharing private content
  • gun.user().create() and gun.user().auth(keypair)
    • auth.js and create.js, these things are works of art
    • I see both use work() - is this what the verifications implemented before will check for?
  • gun.user().certify()
    • this looks like it crafts a JSON object with some cryptic keys, signs it, and returns it
    • is this also something the existing rust relays will check for and verify?

gabriel-v avatar Aug 10 '23 18:08 gabriel-v