Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Secure and portable rolling pubsub encryption via Time-Based One-Time Password (TOTP) #5

Open
Arlodotexe opened this issue Jul 10, 2023 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@Arlodotexe
Copy link
Owner

Arlodotexe commented Jul 10, 2023

Objective

Implement a secure method for transferring any data over the internet using Time-Based One-Time Password (TOTP) for encryption. The goal is to make it easier to securely transfer ephemeral data to specific peers via the public ipfs peer swarm without compromising security, and without needing to manually transfer key files.

Background

Currently, the size of certain data, like private libp2p keys, makes it difficult to encode them into a manageable QR code. Transferring the data via the public internet is not secure, and we want to avoid users needing to physically move data around with a flash drive.

Proposed Solution

Use the existing TOTP infrastructure to create rolling pubsub encryption. The room name would be the seed encrypted with itself, and the password would be the current TOTP code. The user only needs to transfer the seed to migrate to a new device, assuming the two devices can communicate via Kubo/libp2p. The seed is short enough to display in a QR code or to write down by hand.

To address potential issues with this approach, we propose the following solutions:

Timing

Attempt decryption with the previous and current TOTP codes to handle the timing issue. This would comfortably cover when the code changes during transit and may still be encrypted with the previous code.

Security

Double encrypt the private seed and use it as the pubsub room name to make it difficult for an attacker to guess the correct room. Use the seed as the salt and/or append it to the TOTP code to add an additional layer of security. It's crucial to ensure that the seed is securely stored and handled.

Tasks

  1. Design the user interface and user experience for the TOTP approach.
  2. Implement the TOTP approach in OwlCore.Kubo.
  3. Test the implementation to ensure it works as expected and is secure.
  4. Document the new feature and educate users on how to use it and the security implications.

Acceptance Criteria

  1. Users can securely transfer any data over the internet using the TOTP approach.
  2. The new feature is easy to use and does not require users to physically move data around.
  3. The implementation is secure and does not compromise the transferred data.
@Arlodotexe Arlodotexe added the enhancement New feature or request label Jul 10, 2023
@Arlodotexe Arlodotexe self-assigned this Jul 10, 2023
@Arlodotexe Arlodotexe changed the title Secure and portable pubsub encryption via Time-Based One-Time Password (TOTP) Secure and portable rolling pubsub encryption via Time-Based One-Time Password (TOTP) Jul 10, 2023
@Arlodotexe
Copy link
Owner Author

Worth noting that this is only valuable for long-lived pubsub connections, not one-time temporary connections that establish a second communication channel (like mutually observed ipns addresses as seen in Nomad).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant