Shamik Bera | WebAuthn Based Ockam Vault In TypeScript

[shazm12]

Hi , Shamik Bera, a 3rd CSE student from Vellore Institute of Technology, Vellore, and I have worked on several projects some of which I am listing below.

Projects

1. Chatter: Chat with new people

• A fully functional chat web application with a real-time cloud database where users can chat with others in several rooms is created.
• Users can even react to messages, send gifs and documents, and such.
• Developed using React.js, Stream Chat API, Stream DB, Node JS, Express.

2. AI-Based E-Commerce Web App

• An AI-based E-commerce web application that allows users to order items either manually or via a chatbot that can perform actions from adding or removing items from the cart to proceeding to checkout
• Implemented using React.js, Node JS, Express, Mongo DB, Alan Studio.

3. VFight: A Cyber Crime Management System

• A fully functional web application where the customers can report cybercrime cases on the website and get consulted by cyber experts for effective solutions.
• Implemented using EJS, Node JS, Express, MySQL, Mysqli, Bcrypt JS.

I am well familiar with React, Node, Express, Mongo DB, PostgreSQL, Python, Tensorflow, sklearn , Docker, and such. I currently had completed the Hacktoberfest 2021 within total of 5 PRs made by me. Some of the challenging ones are listed below.

Open Source Contributions

• Add Support for Typescript Compilation #2
• adding the Alan interface file #5 (Solved this PR during Open Source Fridays)

What I understood from the project and my implementations and ideas

Now coming to the main part that is the understanding of the project WebAuthn Based Ockam Vault In TypeScript. So I at first I got a basic idea of what the project's about. The project is an end-to-end encrypted, mutually authenticated, and secure communication channel between two clients, written in Rust, and maintains integrity, authenticity, and confidentiality and providing a secure environment. One of the most important advantages of such systems is most of the modern distributed systems which are highly dynamic and large-scaled systems have applications and machines coming in and forth the network. So such a reliable system can be used to ease the tasks for applications design leads and architects by lessening the trust among network nodes and such.

So we can create two rust programs to create a secure channel and only on a secure handshake via an encrypted key exchange will we allow both clients to send messages to each other in the channel.

For Bob

// examples/bob.rs
use ockam::{Context, Entity, Result, TrustEveryonePolicy, Vault};
use ockam::{RemoteForwarder, Routed, TcpTransport, Worker, TCP};

struct Echoer;

// Define an Echoer worker that prints any message it receives and
// echoes it back on its return route.
#[ockam::worker]
impl Worker for Echoer {
    type Context = Context;
    type Message = String;

    async fn handle_message(&mut self, ctx: &mut Context, msg: Routed<String>) -> Result<()> {
        println!("\n[✓] Address: {}, Received: {}", ctx.address(), msg);

        // Echo the message body back on its return_route.
        ctx.send(msg.return_route(), msg.body()).await
    }
}

#[ockam::node]
async fn main(ctx: Context) -> Result<()> {
    // Initialize the TCP Transport.
    TcpTransport::create(&ctx).await?;

    // Create a Vault to safely store secret keys for Bob.
    let vault = Vault::create(&ctx).await?;

    // Create an Entity to represent Bob.
    let mut bob = Entity::create(&ctx, &vault).await?;

    // Create a secure channel listener for Bob that will wait for requests to
    // initiate an Authenticated Key Exchange.
    bob.create_secure_channel_listener("listener", TrustEveryonePolicy)
        .await?;

    // The computer that is running this program is likely within a private network and
    // not accessible over the internet.
    //
    // To allow Alice and others to initiate an end-to-end secure channel with this program
    // we connect with 1.node.ockam.network:4000 as a TCP client and ask the forwarding
    // service on that node to create a forwarder for us.
    //
    // All messages that arrive at that forwarding address will be sent to this program
    // using the TCP connection we created as a client.
    let node_in_hub = (TCP, "1.node.ockam.network:4000");
    let forwarder = RemoteForwarder::create(&ctx, node_in_hub, "listener").await?;
    println!("\n[✓] RemoteForwarder was created on the node at: 1.node.ockam.network:4000");
    println!("Forwarding address for Bob is:");
    println!("{}", forwarder.remote_address());

    // Start a worker, of type Echoer, at address "echoer".
    // This worker will echo back every message it receives, along its return route.
    ctx.start_worker("echoer", Echoer).await?;

    // We won't call ctx.stop() here, this program will run until you stop it with Ctrl-C
    Ok(())
}

For Alice

// examples/alice.rs
use ockam::{route, Context, Entity, Result, TrustEveryonePolicy, Vault};
use ockam::{TcpTransport, TCP};
use std::io;

#[ockam::node]
async fn main(mut ctx: Context) -> Result<()> {
    // Initialize the TCP Transport.
    TcpTransport::create(&ctx).await?;

    // Create a Vault to safely store secret keys for Alice.
    let vault = Vault::create(&ctx).await?;

    // Create an Entity to represent Alice.
    let mut alice = Entity::create(&ctx, &vault).await?;

    // This program expects that Bob has set up a forwarding address,
    // for his secure channel listener, on the Ockam node at 1.node.ockam.network:4000.
    //
    // From standard input, read this forwarding address for Bob's secure channel listener.
    println!("\nEnter the forwarding address for Bob: ");
    let mut address = String::new();
    io::stdin().read_line(&mut address).expect("Error reading from stdin.");
    let forwarding_address = address.trim();

    // Combine the tcp address of the node and the forwarding_address to get a route
    // to Bob's secure channel listener.
    let route_to_bob_listener = route![(TCP, "1.node.ockam.network:4000"), forwarding_address];

    // As Alice, connect to Bob's secure channel listener, and perform an
    // Authenticated Key Exchange to establish an encrypted secure channel with Bob.
    let channel = alice
        .create_secure_channel(route_to_bob_listener, TrustEveryonePolicy)
        .await?;

    println!("\n[✓] End-to-end encrypted secure channel was established.\n");

    loop {
        // Read a message from standard input.
        println!("Type a message for Bob's echoer:");
        let mut message = String::new();
        io::stdin().read_line(&mut message).expect("Error reading from stdin.");
        let message = message.trim();

        // Send the provided message, through the channel, to Bob's echoer.
        ctx.send(route![channel.clone(), "echoer"], message.to_string()).await?;

        // Wait to receive an echo and print it.
        let reply = ctx.receive::<String>().await?;
        println!("Alice received an echo: {}\n", reply); // should print "Hello Ockam!"
    }

    // This program will keep running until you stop it with Ctrl-C
}

run both the programs using the following command -
cargo run --example bob
cargo run --example bob

This is now an end-to-end encrypted application and now the two client nodes can send messages to each other in a secure channel.

Building an end-to-end encryption channel from scratch

Now coming to building an end-to-end encrypted and secure channel, first I understood all the key components required to build the channel.

1. Node - The Ockam node is an execution environment that is asynchronous in nature and is used to concurrently execute the workers created.

2. Worker - The workers are stateful actors that run un the Ockham node and can start other workers when needed according to logic and can handle and receive messages from different nodes also.

3. Routing - the "echoer" nodes that we can create following the docs can only send and receive messages from the default app worker. The routing would allow us to create hops away from our "app" worker to various other nodes created and not only allow us to create single hops but multiple hops to multiple nodes in the network.

4. Transport - The Ockam Transport is an additional plugin to Routing allowing us to move Ockam messages in specific protocols like TCP, UDP, WebSockets, Bluetooth, and such. This is important as we can use different protocols depending on the type of data we send through the network. For example, if we have a messaging service then we use TCP protocol, if we are using streaming and even some more complex team chat service application we can use UDP or Websockets and so on.

Now when it comes to creating a secure channel we can first create a responder node which will start a TCP listener and an echoer worker in this way.

use hello_ockam::Echoer;
use ockam::{Context, Entity, Result, TcpTransport, TrustEveryonePolicy, Vault};

#[ockam::node]
async fn main(ctx: Context) -> Result<()> {
    ctx.start_worker("echoer", Echoer).await?;

    // Initialize the TCP Transport.
    let tcp = TcpTransport::create(&ctx).await?;

  
    tcp.listen("127.0.0.1:4000").await?;


    let vault = Vault::create(&ctx).await?;


    let mut bob = Entity::create(&ctx, &vault).await?;

    // Create a secure channel listener for Bob that will wait for requests to
    // initiate an Authenticated Key Exchange.
    bob.create_secure_channel_listener("bob_listener", TrustEveryonePolicy)
        .await?;

    // Don't call ctx.stop() here so this node runs forever.
    Ok(())
}

Talking about which encryption algo to use

Now coming to the part to use a highly trustable and strong encryption algorithm, AES-256 is considered to be one of the strongest algorithms recommended by the U.S government stating that it would be unbreakable for a few coming years. But looking for alternatives, cryptology researchers are also coming up with bio-dynamic algorithms that simulate real-life dynamics of cyber-attacks to eliminate further attacks.
For digital signatures, the relatively new elliptic curve digital signature algorithm (ECDSA) is highly efficient than RSA and hence I think I will go with EDCSA.

For this, I can use the elliptic API to perform fast elliptic curve encryption in typescript.

var EC = require('elliptic').ec;

// Create and initialize EC context
// (better do it once and reuse it)
var ec = new EC('secp256k1');

// Generate keys

const createkeyPair = () => {
  var key = ec.genKeyPair();
  return key;
}

const verifykeyPair(key) => {  
  // Sign the message's hash (input must be an array, or a hex-string)
  var msgHash = [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ];
  var signature = key.sign(msgHash);

  // Export DER encoded signature in Array
  var derSign = signature.toDER();
  const res = key.verify(msgHash, derSign);
  return res;

export default { createkeyPair, verifykeyPair };


}

  

This way we can just make verify and generate key pair functions and for now, I am facing a bit of an issue executing this.

Now we can create a middle node to create a TCP listener to listen to any connections and messages from other nodes.

use ockam::{Context, Result, TcpTransport};

#[ockam::node]
async fn main(ctx: Context) -> Result<()> {
    // Initialize the TCP Transport.
    let tcp = TcpTransport::create(&ctx).await?;

    // Create a TCP listener and wait for incoming connections.
    tcp.listen("127.0.0.1:3000").await?;

    // Don't call ctx.stop() here so this node runs forever.
    Ok(())
}

now we shall create an initiator node to actually create a secure channel we we will use two transport hops here.

use ockam::{route, Context, Result, TrustEveryonePolicy, Vault};
use ockam::{Entity, TcpTransport, TCP};

#[ockam::node]
async fn main(mut ctx: Context) -> Result<()> {
    // Initialize the TCP Transport.
    TcpTransport::create(&ctx).await?;

    // Create a Vault to safely store secret keys for Alice.
    let vault = Vault::create(&ctx).await?;

    // Create an Entity to represent Alice.
    let mut alice = Entity::create(&ctx, &vault).await?;

    // Connect to a secure channel listener and perform a handshake.
    let r = route![(TCP, "localhost:3000"), (TCP, "localhost:4000"), "bob_listener"];
    let channel = alice.create_secure_channel(r, TrustEveryonePolicy).await?;

    // Send a message to the echoer worker via the channel.
    ctx.send(route![channel, "echoer"], "Hello Ockam!".to_string()).await?;

    // Wait to receive a reply and print it.
    let reply = ctx.receive::<String>().await?;
    println!("App Received: {}", reply); // should print "Hello Ockam!"

    // Stop all workers, stop the node, cleanup and return.
    ctx.stop().await
}

Making a E2E channel in Ts

now similarly in ts we can create like this -

import * as Ockam from "."

export * from "./worker";
export * from "./routing";
export * from "./node";
import * from './encrypt_algo';

export class Hop implements Ockam.Worker {
  handleMessage(context: Ockam.Context, message: Ockam.Message) {
    console.log(context.address, " - received - ", message)
    // remove my address from beginning of onwardRoute
    message.onwardRoute.shift();
    // add my own address to beginning of returnRoute
    message.returnRoute.unshift(context.address);
    context.route(message)
  }
}

export class Print implements Ockam.Worker {
  handleMessage(context: Ockam.Context, message: Ockam.Message) {
    console.log(context.address, " - received - ", message)
  }
}

export class Echoer implements Ockam.Worker {
  handleMessage(context: Ockam.Context, message: Ockam.Message) {
    console.log(context.address, " - received - ", message)
    // make returnRoute of incoming message, onwardRoute of outgoing message
    message.onwardRoute = message.returnRoute;
    // make my address the the returnRoute of the new message
    message.returnRoute = [context.address]
    context.route(message)
  }
}

export function example1() {
  let node = new Ockam.Node()
  node.startWorker("printer", new Printer())
  node.route({ onwardRoute: ["printer"], returnRoute: [], payload: "hello" })
}

export function example2() {
  let node = new Ockam.Node()

  node.startWorker("print", new Print ())
  node.startWorker("h1", new Hop())
  node.startWorker("h2", new Hop())
  node.startWorker("h3", new Hop())

  node.route({ onwardRoute: ["h1", "h2", "h3", "print"], returnRoute: [], payload: "hello" })
}

export function example3() {
  let node = new Ockam.Node()

  node.startWorker("echoer", new Echoer())
  node.startWorker("h1", new Hop())
  node.startWorker("h2", new Hop())
  node.startWorker("h3", new Hop())

  node.startWorker("app", (context: Ockam.Context, message: Ockam.Message) => {
    console.log(context.address, " - received - ", message)
  })

  node.route({ onwardRoute: ["h1", "h2", "h3", "echoer"], returnRoute: ["app"], payload: "hi ockam" })
}

To be frank, this was the very first time that I explored Rust in a brief to understand this project but I had really learned a lot and found the language and the project to be really interesting and unique. I am always ready to learn new technologies and system designs as it always excites me knowing the fact that I will be learning some new and amazing.

Thank you for reading my post! 😄