Arcanum - Client side encryption based file storage service.
INTRODUCTION
#whoami
• Yashin Mehaboobe
• Independent Security Researcher, Student
• Speaker – Nullcon, c0c0n, Toorcon and HITB
CURRENT SITUATION
• Systems such as Dropbox or Box do not allow secure (end-to-end encrypted) transfer of files
• Easy and secure transfer of files needs technical knowledge
• The layman does not understand concepts such as PGP and asymmetric encryption
WHAT IS ARCANUM?
• An asymmetric-encryption-based file storage service.
• Intended to allow files to be shared securely between clients.
• The client handles encryption as well as decryption.
• The server merely handles file storage and user management.
• Because the private key never leaves the client, stored file contents stay confidential even if the server is compromised. Note that the client fetches the recipient's public key from that same server, so a server that is actively malicious at send time could substitute a key it controls; that case needs out-of-band verification of public keys.
• The server exposes a REST-based API to clients.
MODULES
Client side
Handles encryption, decryption and key generation
Server side
Handles file storage and user management
CLIENT SIDE - OVERVIEW
• Completely handles encryption and decryption as well as user credential storage.
• Communicates with the server over HTTP; the connection is SSL/TLS secured (HTTPS)
• The private key is stored locally while the public key is sent to the server.
• Authentication is HTTP Basic Authentication (the password is sent with every request, so the TLS connection is what protects it)
CLIENT SIDE - REGISTRATION
• During registration an RSA 2048-bit public/private keypair is generated
• The public key is sent to the server while the private key is stored locally
• The username, password and email are also sent to the server.
• APIs used:
  - /create/ for registration
CLIENT SIDE - SENDING
• Sending a file:
  - Get the public key of the user to send to
  - Generate a random AES key
  - Encrypt the file with the generated AES key
  - Encrypt the AES key with the recipient's RSA public key
  - Prepend the encrypted AES key to the encrypted file
  - Send the result to the server
• APIs used:
  - GET /send/username to get the public key
  - POST /send/username to send the file
CLIENT SIDE - RECEIVING
• Receiving a file:
  - Fetch the file from the server
  - Decrypt the AES key using the RSA private key (locally stored)
  - Decrypt the rest of the file using the AES key.
• APIs used:
  - GET /receive/all to get the list of files
  - GET /receive/number to fetch a particular file
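The send and receive steps above, together with the keypair handling from the registration slide, as one added example. This is not Arcanum's Keyczar-based code: it uses the `cryptography` package, and the byte layout (a 2-byte length prefix, the RSA-OAEP-wrapped AES and HMAC keys, the IV, the AES-256-CBC ciphertext, then an HMAC-SHA256 tag), the choice of OAEP with SHA-256, and the passphrase-protected private-key helpers are this example's own assumptions. The tag is verified before any decryption is attempted, and the receiver only learns "bad message" for a wrong key, a truncated blob or a tampered byte.

```python
"""Hybrid encryption in the shape Arcanum's slides describe: a fresh
AES-256 key encrypts the file, the recipient's RSA-2048 public key wraps
that key, the wrapped key is prepended to the ciphertext, and an HMAC
protects integrity. Added example built on the `cryptography` package,
not Arcanum's Keyczar-based code; the byte layout, the OAEP/SHA-256 and
HMAC-SHA256 choices and the key-file helpers are this example's own."""
import hashlib
import hmac
import os
import struct

from cryptography.hazmat.primitives import hashes, padding, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

AES_KEY_LEN = 32  # AES-256
MAC_KEY_LEN = 32  # separate key for HMAC-SHA256
IV_LEN = 16
MAC_LEN = 32

_OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(algorithm=hashes.SHA256()),
                          algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """RSA-2048 keypair, as on the registration slide."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def export_public_key(pub):
    """PEM bytes the client would upload at registration."""
    return pub.public_bytes(serialization.Encoding.PEM,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def import_public_key(pem):
    return serialization.load_pem_public_key(pem)


def store_private_key(priv, passphrase):
    """Passphrase-encrypted PKCS#8 PEM for local storage (the deck's 'encrypt local keys' TODO)."""
    return priv.private_bytes(serialization.Encoding.PEM,
                              serialization.PrivateFormat.PKCS8,
                              serialization.BestAvailableEncryption(passphrase))


def load_private_key(pem, passphrase):
    return serialization.load_pem_private_key(pem, password=passphrase)


def encrypt_for(pub, plaintext):
    """Sender side. Layout: [2-byte len][RSA-OAEP(aes_key||mac_key)][IV][AES-CBC ct][HMAC tag]."""
    aes_key, mac_key, iv = os.urandom(AES_KEY_LEN), os.urandom(MAC_KEY_LEN), os.urandom(IV_LEN)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    wrapped = pub.encrypt(aes_key + mac_key, _OAEP)
    return struct.pack(">H", len(wrapped)) + wrapped + iv + ct + tag


def decrypt_with(priv, blob):
    """Receiver side: unwrap the keys, verify the tag, only then decrypt."""
    if len(blob) < 2:
        raise ValueError("truncated message")
    (wlen,) = struct.unpack(">H", blob[:2])
    wrapped, rest = blob[2:2 + wlen], blob[2 + wlen:]
    if len(wrapped) != wlen or len(rest) < IV_LEN + MAC_LEN:
        raise ValueError("truncated message")
    iv, ct, tag = rest[:IV_LEN], rest[IV_LEN:-MAC_LEN], rest[-MAC_LEN:]
    material = priv.decrypt(wrapped, _OAEP)  # raises ValueError with the wrong private key
    aes_key, mac_key = material[:AES_KEY_LEN], material[AES_KEY_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def decrypt_or_none(priv, blob):
    """Same as decrypt_with, but returns None for any bad input."""
    try:
        return decrypt_with(priv, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    alice_priv, alice_pub = generate_keypair()
    # constructed sample file contents; the public key makes a PEM round trip as it would via the server
    blob = encrypt_for(import_public_key(export_public_key(alice_pub)), b"hello arcanum\n")
    print(decrypt_with(alice_priv, blob))
```

Two design points worth noting: the HMAC key is wrapped alongside the AES key rather than derived from it, and the tag covers the IV as well as the ciphertext, so a reordered or re-IV'd message fails the check before CBC unpadding ever runs.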
SERVER SIDE
• Uses a bucket file storage system
• Database used is sqlite3
• Passwords are stored as MD5 hashes (unsalted, fast MD5 is not a suitable password hash; a salted, iterated scheme such as PBKDF2 or bcrypt should replace it)
• Exposes a REST API so that clients can easily be created.
• Created using flask, sqlalchemy and restful.
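The password-storage point above, as an added example that is not the project's server code. It puts the MD5 scheme the slide describes beside a salted, iterated PBKDF2-HMAC-SHA256 record built only from the Python standard library; the record string format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are this example's own choices.

```python
"""Server-side password storage: the unsalted MD5 the slide describes
versus a salted, iterated hash. Added example, not Arcanum's code; the
record format and iteration count are this example's conventions."""
import binascii
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def md5_record(password):
    """What the slide describes: unsalted and fast, so equal passwords give
    equal hashes and a leaked table can be reversed with a lookup table."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password, iterations=ITERATIONS, salt=None):
    """Salted PBKDF2 record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, binascii.hexlify(salt).decode(), binascii.hexlify(dk).decode())


def verify_record(password, record):
    """Recompute from the stored salt and iteration count; constant-time compare."""
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        if alg != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = binascii.unhexlify(salt_hex)
        stored = binascii.unhexlify(dk_hex)
    except ValueError:  # wrong field count, bad int, bad hex (binascii.Error subclasses ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # "hunter2" is a constructed sample password
    print(md5_record("hunter2"))       # identical for every user with this password
    rec = make_record("hunter2")
    print(rec)
    print(verify_record("hunter2", rec), verify_record("hunter3", rec))
```

Storing the iteration count in the record lets the server raise it later and re-hash users on their next successful login without a migration.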
ENCRYPTION
• Handled by Keyczar (since deprecated by Google in favour of Tink)
• AES-256 for symmetric encryption
• RSA-2048 for asymmetric encryption
• HMAC for data integrity
• SSL/TLS for security in transit
LOGIN (screenshot)
REGISTRATION (screenshot)
SEND TAB (screenshot)
RECEIVE TAB (screenshot)
TODO
• Web interface (partially done)
• Change to digest authentication
• Encrypt local keys
REQUIREMENTS
• Python 2.7
• Server: flask, flask-httpauth, ofs, pairtree
• Client: requests, keyczar, pyqt
• Minimum requirements:
  • 512 MB RAM
  • Dual core processor
  • At least 1 GB storage.
WRAPPING UP
• Code is available at:
  • https://github.com/sp3ctr3/arcanum-server
  • https://github.com/sp3ctr3/arcanum-client
• Completely functional
• Multiplatform
• Further clients are being developed
THANK YOU
11-13 March 2014
Korea University, Seoul, Korea
