Internet users should be able to access their data from anywhere without having to trust the web applications and cloud services storing that data. But there's a problem. Zero-knowledge storage systems are often impractical for web apps because they can't perform often-essential functionality on behalf of the user, such as search, since they don't have the password to decrypt that data in order to search it, and you can't search encrypted data. Or can you? This presentation introduces CrypTag, a library that enables Go programmers to easily build applications that store encrypted user data that users can tag and securely, efficiently, remotely search by those tags without revealing anything about the nature of said data to the party storing it. That is, CrypTag is a library for easily creating encrypted, taggable, searchable zero-knowledge systems. This talk covers the tricks behind how CrypTag works, the pros and cons of using CrypTag versus alternatives, includes a live demo of a useful open source CrypTag-based program, and is suitable for anyone who knows what a server is and is excited about leveraging encryption to help everyday users and geeks alike.

1. CRYPTAG
BUILDING ENCRYPTED, TAGGABLE,
SEARCHABLE ZERO-KNOWLEDGE
SYSTEMS
Steven Phillips / @elimisteve
DEF CON's Crypto & Privacy Village
2015.08.08

2. THE PROBLEM/NEED
We need to be able access our data over the internet
without trusting the party storing it
Non-technical users can't or won't self-host (when self-
hosting is even possible)

3. CURRENT
COMPROMISES
Data is stored unencrypted (loss of privacy)
Almost everything we use is like this
Dropbox, Box, Google Drive, etc
Data is stored encrypted, but can't be searched by the
server
Encrypted backup (e.g., Tarsnap)

4. CURRENT
COMPROMISES (2)
Data stays on one device
Then you can't access your own data from your own
devices
None of these compromise "solutions" (1) allow the server
to store your encrypted data, (2) let you remotely query this
data and get back just the data you want (without having to
download all of it, which can be impractical), and (3) reveal
nothing about the nature of the data to the server storing it.

5. BOTTOM LINE
Our data needs to be stored in encrypted storage systems
for privacy, accessible from anywhere for convenience, but
these systems need to be more practical -- and server-side
search would help.
"But the server can't search through your encrypted data
without the encryption key!" Or can it?

6. WHAT IS CRYPTAG?
CrypTag is a Go library for building encrypted, taggable,
searchable zero-knowledge systems
Lets you send a search query to a server that's storing
your encrypted data, and only send you back the
matching pieces of data
E.g., "Of all my data, just give me my photos of Paris"

7. WHAT IS CRYPTAG? (2)
The server searching through this data has no idea what it
is, and it doesn't know what you're searching for. And yet,
it finds it for you.

8. HOW CRYPTAG WORKS
Two concepts: TagPairs, and Rows.
TagPairs associate the human-readable plain text tag (e.g.,
'paris' or 'gmail') with a randomly-generated string that the
server stores in plain text.

9. HOW CRYPTAG WORKS
(2)
Example TagPairs stored on server:
{
"plain_encrypted": "NtZ+WzjTtyWdjOPX6uqr308voeOE",
"random": "9xvv87937"
}
{
"plain_encrypted": "/1BijKByz4JqYzOTtJEoD4TlPy2FwZf0WrXG2gwZOX1ATN3/MA
"random": "fqmt5fkw8"
}

10. HOW CRYPTAG WORKS
(3)
Data is stored in "Rows". Rows store arbitrary data and
associated tags. Example Row stored on server:
{
"data": "OcSufyNLTXwrjWW3ZSkWiVOBaM4OqJwevuFAO5RM",
"tags": ["9xvv87937", "fqmt5fkw8"]
}

11. DEMO: ROW AND
TAGPAIR CREATION,
STEP BY STEP
Using the cryptpass demo app, tell CrypTag to create a new
Row (of arbitrary data) + associated tags
cryptpass create mycr4zy4ssp4ss gmail email cryptagdemo@gmail.com tag4

12. CrypTag then...
1. Fetches all existing TagPairs from the server
2. Decrypts the encrypted human-readable tags (e.g.,
'email')
3. Locally creates new TagPairs for the tags that don't
already exist, generating new random tags associated
4. Locally creates a Row consisting of encrypted data (e.g.,
'mycr4zy4ssp4ss') and the associated randomly-
generated plaintext tags
5. Uploads the TagPairs and Row to the server

13. FEATURES
NaCl-based crypto
("Networking and Cryptography Library", not Native
Client)
Libraries in many languages (JS, Python, etc)
Pluggable backends
Next: Amazon S3 bucket
Webserver + filesystem
Webserver + database
SSH (coming soon)

14. MORE ON PLUGGABLE
BACKENDS
(Used by client programs)
type Backend interface {
Encrypt(plain []byte, nonce *[24]byte) ([]byte, error)
Decrypt(cipher []byte, nonce *[24]byte) ([]byte, error)
AllTagPairs() (types.TagPairs, error)
TagPairsFromRandomTags(randtags []string) (types.TagPairs, error)
SaveTagPair(*types.TagPair) (*types.TagPair, error)
RowsFromPlainTags(plaintags []string) (types.Rows, error)
SaveRow(*types.Row) (*types.Row, error)
}

15. COMPARING
ALTERNATIVES
TARSNAP
Simple encrypted backups
Can query files by
filename
No search

16. COMPARING
ALTERNATIVES (2)
CRYPTON (FROM SPIDEROAK)
More complex
"Session objects are required to interact with
Transaction-based classes, like Containers and
Messages."
Node, Postgres, Redis
WebSockets
Transactions

17. But more full-
featured
Auth built in
Messaging :-)
No search

18. COMPARING
ALTERNATIVES (3)
TAHOE-LAFS
Good sharing model
Different key for each file
Awesome replication model
Built-in file versioning
I can't wait for RAIC and Magic
Folders!

19. Unfortunately, to get your data, you need the URL +
contained password of every file/directory
Idea: how about storing these URLs using CrypTag? :-)
No search

20. MY FANTASY (WELL,
ONE OF THEM)
CrypTag app + Cheap, untrusted storage => Tag-
searchable, zero-knowledge _______
Dropbox
Store all your data in S3? your own server?
Mailpile emails?
"...you can use Mailpile with an existing GMail
account, improving your privacy by configuring
Mailpile to download the mail and then delete it
from Google's servers."

21. Notes?
Bookmarks? (my original use case)
Contacts?
Anything but rapidly-updating data? or GIANT data you
don't want to query?

22. UPCOMING ADDITIONS
TO CRYPTAG
Timestamps
"Give me the latest 10 files with the tags 'paris' and
'type:photo'"
Allows for efficient updating of locally-cached TagPair
Enables easy versioning!
"Give me the most recent Row with tag
'filename:mydocument.doc'"

23. Sharing(?)
Different key for each piece of encrypted data (Row)?
Problem: which key is used to encrypt the TagPairs?
Encrypt TagPairs with your own key?
You can search your own server, others can't?
Then you can still link people to individual pieces of
data without giving up your main key, just the key for
that data
Need to think more about this
Row deletion might be handy...

24. MOBILE SUPPORT
Go 1.5 supports Android and iOS!
Go 1.5rc1 hit 2 days ago
Call CrypTag-wielding Go program/library from your
mobile app
Ubuntu Touch apps can be written in Go (or JS, or C++)

25. MY GOALS WITH
CRYPTAG
Convince project developers to use CrypTag
...or at least the idea of CrypTag (mostly
TagPairs)
Build useful apps with CrypTag
Send me requests/ideas: @elimisteve
Create CrypTag libraries for Python, JavaScript

26. MY GOALS WITH
CRYPTAG (2)
Write more CrypTag storage backends
Webserver + file system storage backend almost
done
Next: Amazon S3 bucket
Google Drive? Azure Cloud Storage?
Web server + actual database?

27. Write data migration/re-keying tool
Other devices just need crypto key and server info (auth
credentials and URL)
Explicit threat model
Proper security audit of all < 1000 SLOC

28. TECHNICAL THANK
YOUS
Jonathan Rudenberg
Crypto recommendation: AES -> NaCl's
secretbox
Joe Andrieu, Garrett Holmstrom, Sam Dolan
Data migration, re-keying, sharing

29. PERSONAL THANK
YOUS
Jacob
Appelbaum
AJ Bahnken
Gabrielle Molina

30. CRYPTAG
github.com/elimisteve/cryptag
Send me feedback/ideas: @elimisteve
THANK YOU to the Crypto & Privacy Village organizers!