Let's talk more about how to secure communications between two or more users.
Teacher's Notes: Open Whisper Systems libraries for C, Java, and JavaScript.
[0:00] So much of our technology usage nowadays has been communicating with other people. There's the traditional email and SMS, of course. But there's also instant messaging like Hangouts, social chat systems like Discord and Slack, and more modern SMS platforms like Signal and WhatsApp. Aside from using TLS and SSL to ensure a secure connection between the client and the server, you should also consider including end-to-end encryption and forward secrecy. Let's talk a bit about how that would work.

[0:27] In traditional cryptography discussions, you'll usually encounter two users, Alice and Bob. We'll stick with those. So Alice and Bob are both using Treehouse Messenger. When they signed up, the service created for each of them a private and public key pair. Now when Alice tries to send a message to Bob, her client sends a handshake to Bob's client, a message that says "hey, I'd like to connect to you, here's who I am." Bob's client checks the signature on the handshake against Alice's public key, and sends his own handshake back to her, which she validates. Now that they've verified each other's identity, they agree together on a shared secret key. They'll both use that same key to encrypt the messages they send to each other.

[1:04] At this point, we have a potential issue though. If someone gains access to either Alice's or Bob's private keys, they can impersonate them for future handshakes. If they gained access to the shared secret key, they could decrypt the messages each has sent with that key. To prevent both of these, and to provide something known as forward secrecy, the messaging system should switch the shared secret key often. Sometimes this is as often as with every message.

[1:28] Our system could take Alice's and Bob's message encryption a bit further too. We can use the other party's public key to encrypt the message before or after it's encrypted with the secret key. Decryption would then require both the shared key and their own private key. If you're interested in exploring this further, Open Whisper Systems has made the Signal Protocol available as an open source library for C, Java, and JavaScript. I've included links to them in the Teacher's Notes.

[1:53] Before we move on, let's talk a bit more about this forward secrecy thing I brought up. If Alice and Bob always used the same key to encrypt their communications, and a new player, Carol, gained access to that key, she could read all of Alice's and Bob's past and future communications. In a system with forward secrecy though, Alice and Bob agree on a new shared secret key every time they talk to each other. Now, if Carol gains access to a shared secret, she can only decrypt messages sent using that key. Any messages sent in future conversations will be encrypted with a new shared secret, so they're safe. And messages from previous conversations are also encrypted with a different secret, so they're also safe.

[2:29] Encryption and hashing are all well and good. But what about keeping people out of the system to begin with? In the next video, we'll talk about ACLs, and no, that's not a shoulder injury.
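The per-message key switching the video describes, as an added example that is not part of the course or of the Signal library: a symmetric-key ratchet in standard-library Python. The shared secret is a constructed constant standing in for the handshake output; `ratchet_step`, `RatchetPeer` and `forward_secrecy_demo` are names chosen here; and the HMAC-based stream cipher is illustrative only, where a real client would use an AEAD such as AES-GCM or ChaCha20-Poly1305. Signal's actual Double Ratchet additionally mixes fresh Diffie-Hellman outputs into the chain so that a stolen chain key also stops being useful once the peers exchange new keys; this example shows only the symmetric chain.

```python
# Added example (not from the course or the Signal library): a symmetric-key
# ratchet showing why switching the shared secret per message gives forward secrecy.
import hashlib
import hmac
import secrets

MSG_KEY_LABEL = b"\x01"    # HMAC input that yields the per-message key
CHAIN_KEY_LABEL = b"\x02"  # HMAC input that yields the next chain key


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Derive (message_key, next_chain_key) from the current chain key.

    Both outputs are HMAC-SHA256 keyed with chain_key, so holding a message
    key, or any later chain key, does not let an attacker walk backwards.
    """
    message_key = hmac.new(chain_key, MSG_KEY_LABEL, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_LABEL, hashlib.sha256).digest()
    return message_key, next_chain_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative counter-mode keystream from HMAC-SHA256, so the example runs
    # with the standard library only. A real client uses an AEAD cipher here.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _split_key(message_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one message key.
    return (hashlib.sha256(b"enc" + message_key).digest(),
            hashlib.sha256(b"mac" + message_key).digest())


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _split_key(message_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(message_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _split_key(message_key)
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def can_decrypt(message_key: bytes, blob: bytes) -> bool:
    try:
        decrypt(message_key, blob)
        return True
    except ValueError:
        return False


class RatchetPeer:
    """One side of the chat. Only the current chain key survives between messages;
    each message key is derived on demand and dropped (in-order delivery only)."""

    def __init__(self, shared_secret: bytes) -> None:
        self.chain_key = shared_secret
        self.index = 0

    def _next_key(self) -> tuple[int, bytes]:
        message_key, self.chain_key = ratchet_step(self.chain_key)
        index, self.index = self.index, self.index + 1
        return index, message_key

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        index, key = self._next_key()
        return index, encrypt(key, plaintext)

    def receive(self, index: int, blob: bytes) -> bytes:
        expected, key = self._next_key()
        if index != expected:
            raise ValueError(f"expected message {expected}, got {index}")
        return decrypt(key, blob)


def forward_secrecy_demo() -> dict:
    """Alice sends three messages; Carol steals the key for message 1 only."""
    # Constructed stand-in for the secret Alice and Bob agreed on in the handshake.
    shared_secret = hashlib.sha256(b"constructed handshake output").digest()
    alice, bob = RatchetPeer(shared_secret), RatchetPeer(shared_secret)
    plaintexts = [b"hi Bob", b"meet at noon", b"bring the report"]
    wire = [alice.send(p) for p in plaintexts]
    received = [bob.receive(i, blob) for i, blob in wire]

    # Carol captures the message key that was live while message 1 was sent.
    _, chain = ratchet_step(shared_secret)   # consumed by message 0
    stolen_key, _ = ratchet_step(chain)      # key for message 1
    readable = [i for i, blob in wire if can_decrypt(stolen_key, blob)]

    # Seizing Alice's device afterwards yields only the current chain key,
    # which decrypts none of the messages already sent.
    leaked_later = any(can_decrypt(alice.chain_key, blob) for _, blob in wire)
    return {"all_received": received == plaintexts,
            "carol_can_read": readable,
            "current_state_reveals_past": leaked_later}
```

Running `forward_secrecy_demo()` shows Bob reading all three messages, Carol's stolen key opening only message 1, and Alice's remaining chain key opening none of them, which is the property the video calls forward secrecy. The one-way step is what carries it: because each message key and the next chain key are HMAC outputs of the previous chain key, nothing in a later state lets an attacker recompute an earlier key, so old ciphertext stays safe as long as the client really deletes used keys.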