
Laverna vs etherpad

Brief analysis of Laverna, the JavaScript crypto it uses, and how well it defends against attack.

Published in: Technology

  1. Laverna: a tangential explanation of Laverna
  2. You are here: Laverna · Markdown · Crypto · PBKDF2 · Unnecessary Visualization · PBKDF2 for Blue · Synchronization · RemoteStorage.io · Markdown.md · Installation · Conclusions · Remotestorage.0wn.su
  3. What are these words
     • Laverna and Etherpad are note-taking services
     • I won't talk about Etherpad because
     • Self-hosted alternatives to cloud apps like Evernote
     • Security and encryption are the focus here
  4. Laverna
     • A local web page built with Node.js tooling
     • HTML + JavaScript = no server required
     • Information is stored in the client you're using
     • Encryptomagic
     • Remote storage options: RemoteStorage.io (self-hosted), Dropbox
     • Installation: git clone git@github.com/laverna-static, done
  5. Markdown
  6. Why?
     • Easy to convert into HTML, LaTeX, PDF, RTF, ...
     • Who supports MD? GitHub (GFM), Notepad++, SublimeText, everything on the Internet
  7. Live demo! Markdown!!!! http://dillinger.io/
  8. Encryption
     • All encryption happens client side (there is no server)
     • PBKDF2 key derivation
     • Manually entered salt (random)
     • Manually entered password
     • Adjustable iteration count (1000 by default)
     • AES with a 128- or 256-bit key
     • The resulting ciphertexts are stored in the browser's local storage
  9. Crypto/Sync JSON
     Each note is a JSON object whose id is in the clear and whose fields are encrypted one by one. The encrypted field is itself a JSON object, stored as a string (note the quote before the inner brace on the slide). This is the object layout of the SJCL library, which Laverna uses; the ct value is cut off on the slide.
       {"id": "0cc9da4f-a47f-c9fd-e1ba-55cb0ddb14e7",   <- ID of this note (a UUID)
        "title": "{                                     <- the note's title, as an encrypted object
           "iv": "uSrC4YzSxgvjueOBn+kb3A==",            <- IV/nonce for this field
           "v": 1,                                      <- version of the encrypted-object format (not versioning of the note)
           "iter": "1000",                              <- PBKDF2 iteration count
           "ks": 128,                                   <- key size in bits
           "ts": 64,                                    <- authentication tag size in bits
           "mode": "ccm",                               <- CCM: AES in counter mode plus a CBC-MAC tag (authenticated encryption)
           "adata": "",                                 <- additional authenticated data (empty here)
           "cipher": "aes",                             <- AES
           "salt": "ZwuH03ajWY0=",                      <- the salt you set
           "ct": "WvpHRh50YbhdGeWFORR5b1xUuiRb          <- ciphertext of the title itself (truncated on the slide)
        }"}
  10. DK = PBKDF2(PRF, P, Salt, c, dkLen)
      • DK = derived key
      • PRF = pseudorandom function, e.g. HMAC-SHA256
      • P = password
      • Salt = salt
      • c = iteration count (1000 by default in Laverna)
      • dkLen = length of the derived key
  11. DK = PBKDF2(PRF, P, Salt, c, dkLen)
      [Diagram: Password and Salt feed a chain of c HMAC-SHA blocks, each taking the previous block's output, ending in the Derived Key]
  12. What this defends against
      [Diagram: the same chain with the password "monkey" and a different Salt produces a different Derived Key. A table precomputed for one salt is useless for another, and every guess still has to pay for the whole chain of c HMAC calls]
  13. JustBlue Takeaway
      [Figure missing from the export] * This is from the Internet. Based on the font, this is probably way off now
  14. Laverna Crypto
      • PBKDF2
      • The server never knows your keys
      • Fuck the cloud
      • Client-side crypto
  15. JavaScript Based Crypto
      • Not a big deal, it'll be fine, what could go wrong
      • Well, actually:
        • Relying on client-side crypto with a server authenticator (whoever serves the script can change it to leak the password, so the crypto is only as trustworthy as that server)
        • Relying on client-side crypto to protect client-side information (key and plaintext both live on the client, so it adds nothing against an attacker who already controls that client)
  16. Back to Laverna
  17. Syncing
      • Supports Dropbox
  18. Syncing
      • Supports RemoteStorage.io, self-hosted remote storage similar to Dropbox
  19. Laverna Installation
      • Clone the repository: git clone git@github.com:Laverna/laverna.git
      • Switch to the stable version: git checkout 0.5.0
      • Install dependencies: npm install && bower install
      • Build the minified version: grunt build
      • Build dependencies: node.js, bower, grunt
  20. Operating Environment
      • Can be hosted on any web server because the crypto runs on the client
      • Does not require PHP or any other server-side runtime
      • If remotely hosted, serve it over HTTPS (otherwise the script that does the crypto can be altered in transit)
      • GitHub Pages provides easy hosting over HTTPS for free
      • Can also run on your own computer
  21. Wait, have I done a demo yet? https://laverna.cc/index.html#notes
  22. Here's a diagram of something
      Feature         Laverna                             Etherpad                                            Evernote
      License         GPL                                 GPL                                                 No (proprietary)
      Storage         RemoteStorage, Dropbox              None                                                Sync with Evernote
      Encryption      PBKDF2 (AES)                        None (SSL with plugin)                              SSL + magic?
      Software        JavaScript: Node.js, bower, grunt   JavaScript                                          (not listed)
      Collaboration   Not realtime                        Yes                                                 Supports sharing
      Subfolders      Infinite                            None                                                Only 1 subfolder allowed
      Stored format   JSON                                Export supports PDF, Word, and many other formats   (not listed)
  23. Conclusion
      • Fuck the cloud
      • Use Laverna
      • Use Markdown
      • Use PBKDF2
      • Use RemoteStorage.io (remotestorage.0wn.su?)
