 just go ahead I see no slight yet I see no slight yet I guess I'll wait for that right there will be slides sorry that looks blue yes are you happy I am at least a lot happier I was five seconds ago yes amazing Berlin is there all right welcome everyone thanks for well staying in most cases I hope you're enjoying the 33rd Congress as much as I do so me I'm your sport leads I live in Berlin but I'm Dutch I've been doing open source stuff since the early 2000s mostly contributing in the KD community mostly around marketing and promo then I became community manager for open SUSE and a couple of years after that I was hired by my friend Frank Carlitschek the founder of oncloud to become community manager at own clouds and then later I joined Frank and the other engineers to go to next cloud and you know continue from there so today I'm gonna talk about well I'll quickly introduce next cloud so you all know what that is about and then I'm gonna talk about our end-to-end encryption which is the main subject of this talk I'll try and detail why we designed it the way we did before I go over the design itself and in the end well I'll go through some edge cases and I'd like to hear some input and feedback and questions however if you have questions in between you can also try to wave at me I think I can see everyone and I'll be happy to answer in between as well so starting with next clouds next I was essentially started to help users protect their privacy so to keep their data to themselves and well to themselves would be self-hosted so next cloud is a private self-hosted cloud and with the buzzword cloud I mean file sync and share but also document editing audio video calls communication collaboration essentially so the whole thing that you get from Dropbox or Google Drive next cloud is meant to replace it that's our dream in life essentially so initially the project was started in 2010 own cloud and in one and a half year ago we split off from own clouds and continued under a name next cloud so it's fully open source easy to use that's I think really important if you want to replace Google Drive and Dropbox and all these things you need to be easy to use good integration in your infrastructure also for companies so as an enterprise if you want to provide file sync and share and collaborative editing to your employees next cloud offers you integration in LDAP and with Semmel and you know nice developer APIs mobile interfaces as well etc there was a list of features I was just yapping off sorry I'm a little confused with the two options here so let's talk about end-to-end encryption this has been something we've been talking about for a long time because if you have a web interface where you can share files and edit files and you know send a public link to you know your grandma with your holiday pictures or send you know open a video call session with a colleague from work the web interface is obviously really important in all of that and end-to-end encryption means that you protect data from the server that is at least the way we describe or developed end-to-end encryption so the goal of our end-to-end encryption is to protect your data even if you can't trust the server for one reason or another obviously next cloud is self-hosted so you should trust the server in most cases you can but for example if you pick the provider you might trust the provider maybe in the city where you live for example to keep your data secure but there is a subset of your data let's say I don't know copies of your passport your driver's license another data that you know you want to really be sure that it stays only yours now of course then you can just not put it in next cloud but maybe you still want to sync it between your laptop and your desktop and your mobile phone this is essentially the use case for the end to end encryption so even if you know your server gets fully compromised data that is put in a folder that is end-to-end encrypted should not be accessible by the people who controls the server or if you're a company and you know you have financial data that you need to release to your investors once a year you want to make sure that no system admin thinks gosh I'm going to earn a little bit extra you know by betting on the stock market using this data put it into an encrypted folder and only the financial team can get at it that's the use case and that is what we designed this to protect from yeah and the second element that is really central to the end-to-end encryption is ease of use it should be simple because the biggest issue with security is always the user right it's always the user that's the weakest link so if it is not easy to use people are going to make mistakes and if they make mistakes the security isn't worth much as an example if you let users pick their own password for the end-to-end encryption they will probably pick the same password that they use for next slide in the first place that password is obviously already on the next slide server otherwise how can you log in and that goes your additional security how are they pick the name of the spouse or something else so as one example we designed it so that users don't pick their own password we give them one and there are many other areas where you make choices like these so aside from these you know two basic things protect from the server and be easy to use the other properties that we wanted in our end-to-end encryption were these yeah sharing should be easy but completely secure it needed to provide confidentiality integrity and authenticity that is authenticity that if somebody shares a file with you that you know it from that person so somebody else can't impersonate them second of all it needs to protect the integrity so the server who has access to all the files even though they're encrypted should not be able to fiddle with the encrypted files and change them that way yeah that should just be blocked or not work of course the server could delete some of the files and in that case the user should be warned but a server should never be able to modify any of the data that you get and last but not least confidentiality I mean the obvious thing the server should never be able to read the data or anyone else in between the recipient and the sender now we wanted to do all this using standard libraries rule number one in crypto is don't build your own crypto so we wanted to use well tested and audited libraries for all of this so we've used libraries that needed to be available on the platforms we support so that's iOS, Android, Windows, Mac and Linux as well as PHP because that's what our server is built in and we don't really plan on providing a web interface for this because well you know if you don't trust the server you can't trust code that comes from the server either so it doesn't make much sense to the decrypt on the server but maybe there will be a use case for that at some point we don't know yet we want to keep our options open and I'm talking about the design here so it needs to be supported if possible we wanted to have a recovery option because well a base thought behind this is we assume the users make mistakes the system administrator on the other hand in our design we assume the system administrator knows what he or she is doing might not always be the case but that's at least how we designed it so it makes sense to have an optional recovery option obviously you should warn users when it's enabled and if you enable the recovery option it shouldn't be possible to get access to the data that you uploaded before the recovery was enabled otherwise you just made a backdoor so that's another thing we wanted to have it though because if you have a company and you know an employee leaves you still want to be able to get at their data and that's one of the use cases where you need a recovery option well obviously it need to be multi-device so you need to be able to get your files from your desktop to your laptop and to your mobile phone without the server getting access to it and we wanted to have versioning built in so that if we develop a new version of the protocol you know that it doesn't break the old one so that if we have changes improvements we can actually do that like new encryption algorithms things like that the downside of all of it is we accept some feature loss so the most obvious thing that you lose is all the stuff that's done by the server so versioning of files and next cloud is done by the server you lose it trash done by the server you lose it online editing of files well no surprise you lose it previews in the web interface again you lose this another thing is the way we designed it is we want to share on a folder level so not on an individual file level you can only share a folder with other people you can have multiple folders but you can't share a single file in a folder you share at the top level and the last thing that we accepted as a feature loss is sharing to groups so right now it's not possible to share to groups if there's only two individual users obviously multiple but it's individual right so i'm now going to go into the details of what we have designed and again if you have questions or want me to clarify it because you know i might go too quick or too slow please you know tell me so i'm going to go start with the creating an identity right so to set it up initially you create a key or a key pair a private public key pair generate it sign it encrypt it etc so i'm going to start with that so first part essentially the initialization what you do is the client you turn on enter an encryption and it creates a public private key pair on the device then it requests a certificate from the server for the private and public key and it uploads the public key to the server this if other people share with you they share to this public key checking the certificate with it that's how we kind of protect your identity for other people give me a second so the private key is then stored on the device on your laptop or mobile phone let's say you're using your laptop for this that is then where this key is stored yeah so next we want this private key to be on your mobile phone as well obviously we can't just upload it to the server because we don't trust the server so what we do instead is we encrypt the private key with a 12-word mnemonic essentially a passphrase we pick those 12 words randomly out of a dictionary of 5000 words that are at least five characters long so you get a pretty damn long password that should keep it secure when it's encrypted with that we upload it to the server and we show these 12 words to the user and we tell the user please write this down somewhere now you might remember that i said we assume the user you know isn't terribly competent so we also assume that they don't write it down and we store it in the keychain so the 12 words are on the device as well in case a user doesn't write it down which a lot of them won't next step so what we've done now is we have on the server your private key which is encrypted with a 12-word mnemonic which you only have on the device and on a piece of paper if you wrote it down and we have the public key and both of them are protected with the certificate as in you can verify the certificate for them yeah so your mobile phone which you now also initialize will download the public and private key from the server it will check the certificates trust on first use is what we use here and then it will ask you for the mnemonic to decrypt the private key so well either you take it from what you wrote down or you look on your laptop and you say please show me the mnemonic and then you enter the mnemonic on your mobile phone it decrypts the private key stores it in the keychain also stores the mnemonic in the keychain so that if you lose your laptop and you need to reinitialize it you can use your mobile phone and done we now have our public and private key on both devices and the server never saw anything so now we're essentially up and running I'm sorry I should have switched earlier so now we're essentially up and running we can encrypt and decrypt files so let's talk about how we do that so we're going to create an end to an encrypted folder we're going to put some files in it we're going to get them you know from another device until well that's how you use it at least between devices so step one so we create a folder and you right click on it or you use on your mobile phone you click and you make it end to end encrypted at this point your device will create a metadata file to protect the contents in the metadata file it creates a metadata file key yeah now this key is encrypted to all the public keys that need to have access to the folder now so later on if you share the folder what will happen is that the metadata key will get re-encrypted to all those people so they have access all the contents of the metadata file are encrypted with this key we upload the whole stuff to the server and next step so now we want the other file what we do is we generate 128 bit key use it to encrypt the file and then put the file name and the key in the metadata file remember encrypted by the metadata key we generate a random identifier for the file which is now encrypted we upload the file to the server we then upload the encrypted metadata to the server and we're done now the server now has an encrypted file with a random file name and it has a metadata file which is encrypted but contains the name of the file and the key that was used to encrypt the file so then the next step is your mobile phone will download the folder download the metadata use your use its private key to decrypt the metadata key use the metadata key to decrypt the data and the metadata file which will then include the file name and the uu id of the file it will then download the file decrypt the file using the file key from the file and you have your data now on two devices without the server having had a chance to get to see what you were doing so that's step two we now can get files from one device to the next next step sharing with other people and unsharing this is also the last step so to share with somebody you download their public key from the server you verify their identity using the certificate and again trust on first use you store the certificate and their public key locally on the device so if it changes somebody tries to impersonate them you will refuse that and you will not you know share files with somebody who isn't the person that you initially shared with then well simple you re-encrypt the file metadata key to the new person you want to share with to their public key and then you essentially upload the metadata again and you tell next slide via the OCS API I want to share with this person and then the other person can download the file and use their private key to decrypt it or the whole folder actually not just the file and to unshare you remove the file metadata key you create a new one you encrypt that new file metadata key against the public keys of the older people who need to have access minus the person you want to unshare with and you upload the new metadata file again and then you use the OCS API to essentially remove the sharing that you had this means that that person still has access to the old files but that's kind of obvious I mean if I show you a piece of paper then I can take the paper away but I can't tell you to forget what you saw so it's the same mechanism here and this is essentially it this is the way we have designed our end-to-end encryption the server facilitates it stores private and public keys it takes care of the sharing it helps the devices work with each other but it never ever gets access to plain text content so as I said a few times now we kind of expect users to be a little incompetent so of course at some point they will you know lose the key in the sense that they don't you don't know the mnemonic anymore yeah the 12 words now if you don't know the 12 words any of your devices can show you the 12 words because they all stored it in the local key store yeah so your laptop your desktop your tablet your mobile phone they all can show you the 12 words that you need to initialize a new file download your private key unencrypted and you can share again with other people but if your safe exploded your laptop fell in the toilet your mobile phone fell out of the window your tablet was ruined by your cousin and well what happens to your desktop I guess your house burned down there is a point where you don't have this mnemonic anymore so don't do that because we don't have a backup for that add that stood it otherwise we can't secure your data however if your server administrator has enabled the recovery key you can at least get your data back you can't get your private key back your identity is essentially burned but you can get your data back so the way the recovery key works is a when a system administrator enables this on the server all the users will get a warning that the recovery key has been enabled so that they know that there's kind of a backdoor now to their data and a new private public key pair is generated on the server with a certificate and all users will from then on encrypt their data to the public key of the server so that the private key of the server can decrypt their data this private key is stored on the server but obviously not unencrypted because otherwise what are you protecting against so it is encrypted with guess what the 12 word mnemonic this is shown to the system administrator once he or she needs to write it down and ideally put it in a safe literally and physically I mean and after that is wiped because it's not stored on the server because that would be you know keeping your keys lying on top of the safe so what this means is if somebody hacks an excellent server with an enabled recovery key they still have no access to anybody's data they would still need the 12 word mnemonic which should be safely in a safe managed by the system administrator but if one of the employees leaves the company or if one of the users loses all their devices and you know has their safe burned down they will be able to go to the system administrator and say please give me my files back an assistant administrator can enter the 12 word mnemonic an excellent server can decrypt the data give this back and then again wipe the mnemonic from the server memory and storage so you have kind of an ultimate backup now in our design we also have a third option which is to create a new identity for the user using a hardware security module this part isn't really implemented yet but we've tried to design it in a way that this is an alternative and for big companies they will perhaps use that to create new identities for users but it's yeah so you might wonder where can i download it so right now the server side is done right it can well it it stores the public and private keys it can facilitate the sharing it can you know deal with encrypted files and recognize them and not try to generate thumbnails out of it and these things this is done the android app can you know create a secure identity send it to the server sync it from another device upload and download files this works same with the ios client the desktop client right now can create a secure identity sync it with the server create a folder make it into an encrypted and upload files it can't download yet that's the last thing that needs to be finished as soon as that is done and we've tested it all a bit more we will release it when we'll see and of course all the code is online it's all fully open source so please go look at it also at the design the way i just described it to you go through the code check if we made any mistakes because that's actually bloody important right this is why we do it open source we have smart people look at it yeah and comment on our you know rfc our whole design if you see holes if you have any questions you can also ask them now obviously i guess you should get a microphone but you can get mine here okay i was wondering that was was the recovery key that the administrator has the the the password from it's a 12 word phrase what if the administrator just remembers it when it's in the safe then the administrator can use it wouldn't it be better to do something that then is very hard to remember for human like maybe print out a barcode and on a piece of paper put it in a safe or something like that yeah so the basic thought behind this was as i said before we kind of assume a competent system administrator and in that i guess we kind of assume we trust him or her as well i mean i think in a lot of bigger companies especially you would let the head of it do this or something like that and not all the whole sys admin team would not know the 12 words but just one person i mean at some point there has to be a point of trust so it will be possible i mean we could make it a 60 words i mean good luck remembering that i mean i know there are people but something like that will be possible i suppose yeah i was just thinking that actually with the barcode scenario that like the whole team could come print it out put it in a safe everybody has seen that it's in the safe and everybody knows that nobody knows it's a barcode yeah i hope they and cannot remember about code but they're just looking would absolutely be possible in the design i mean it's not married or limited to a 12 word passcode this what we picked but yeah um actually i think on the mobile side i'm not sure we have it yet but the idea on the mobile side would definitely be that you can instead of showing the mnemonic you would show a barcode that you can then scan with your phone to art so that you don't have to type the 12 words this is definitely something we thought about i just i don't think it's implemented yet but it's possible so then it should be possible on the surface side too right yeah hello um yeah another question thanks for the talk very inspiring i use next cloud personally so thank you one this might sound like criticism so but you started a talk with don't invent new crypto yet the scheme that you described seems to be very like invented new crypto could you well with crypto i mean we don't invent our own crypto algorithms or anything like that obviously the scheme itself i mean it's inspired by a bunch of things including our own surface side encryption which we developed quite some years ago um but yeah to do this in a secure way you have to come up with a scheme right because the requirements are always different so maybe this will make it easier to answer why didn't you use something like open pgp or cms that is a standard for encrypting files stored files it wouldn't satisfy the requirements as i laid them out in my first slides okay so let's follow up on that i think it's possible but another question what if the 12 word is leaked or if you happen to paste it in some irc channel or something what do you do then your private key is compromised that's like sharing you know the password for your pgp key at that point you're lost and so you would need a hardware security module or a new certificate authority kind of solution to be able to generate a new identity um yeah i think that's that will be the only solution for that so yeah don't but of course you only need it when you are the new device right this is a very rare like you are the new laptop or a new mobile phone i don't know once a year twice a year so aside from the moment when you set this up on your laptop your desktop in your phone you don't pretty much ever need to think about passwords or write anything down because it's all done via the public private keys there's no need to enter passwords on anything other than adding a device which is the least common thing that you do i think with crypto like this but i but i guess i mean i said common scenario will be that one of your devices is compromised and that key will be leaked yes that is a risk and at that point the mnemonic is in the in the storage of the device essentially this for us is out of scope i mean the idea is to not trust the server if you can't trust your devices either it's kind of you know hard for us so you should have a locally encrypted storage on your device and keychains are usually encrypted so yeah again for us it's out of scope but there are of course ways to protect your devices from harmful effects of being stolen quick question the the passphrase for the recovery is it once per installation or is it one for every user now it's one per installation so every user will then encrypt to the public private key pair or well to the public key of the server so the server has a you know has a recovery key yeah yeah it's essentially technically it's not a user right the server user yeah yes hello i have another question um what happens when you as a user when your certificate expires oh i'm guessing we we will give a infinite uh like no expiry certificate yeah because the user identities are as i said trust on first use and you can never change them all right so it's kind of inherent to the concept and the only way to change them as i said is using the using a hardware security module or certificate authority and of course if you have a certificate authority that you trust then obviously you could put a time to live time to end on certificates if you want so if it would expire would i have to re-encrypt everything well your public and private key pair were encrypted with it so i guess yes yeah you would get a new identity no well certainly not all your files because this whole thing is designed that you never need to re-encrypt your files as you might the metadata might not yeah exactly it's just a metadata file so when you share a folder you don't need to re-encrypt and then re-upload all the files the only thing you need to re-encrypt and re-upload is the key to the metadata file all right so when you share a folder of 600 gigabytes of data your upload is five kilobytes all right that's the nice thing about the way it's designed and if you would have encrypted the files with pgp or something like that that uses a public key and you want to make it available to other people what do you do you have to re-upload all of them again and that's of course not nice to put it mildly okay so i was late so sorry if you'd already told this but i was wondering about the eight word that the user has to write down why you pick it directly from a dictionary and not let the the user put it because of course if you take it from a dictionary the dictionary is the is the the dictionary that someone can use for brute force the account well we picked a dictionary with 3000 words good luck brute forcing it i mean sure if you let the user pick passwords though i mean we all know what they do right name of dog name of cat name of wife name of husband name of the kids and there we have 12 words that is very easy to brute force so we explicitly do not let the user pick their own passwords because users are again our model assumes the user is done the system administrator knows what he's doing but the system is compromised that is kind of the base tree tenants of how we designed it i mean there's no right or wrong way here right it's just what do you what were your assumptions when you designed it and these are our assumptions um maybe i missed it but how do you verify the integrity of the files in your scheme uh so the files are encrypted with a key i have to look up the exact type of key i'm not deep into that technical side of things the 128 bit as gcm no padding and obviously if the file has been changed in any way well this won't work you can't decrypt it um i think i understand it's a property of this algorithm that if you make any changes then you know you'll get garbage or a warning or at least a way to detect that again i would have to check that with a techie how this works exactly and the other part is of course you know who shared it with you otherwise your public uh you check this on the certificate so the certificates make sure the check the authenticity and the integrity has to be protected by the algorithm and some of this is already like a couple of months old so it might be that we've picked another algorithm that does a better job at this but there are no other details uh i guess that you can disable users can you also revoke keys or certificates i don't think so um obviously as server you can simply stop handing them out when a client asks for them that you do the trick in practice um because obviously you know if you share with somebody you first have to download their public key from the server to be able to share with them and if that doesn't exist then you can't share um on the other hand once you have shared the other person will store your information in their keychain and as long as a server gives them data they will be able to decrypt it until you re-encrypt the metadata key of course um yeah in practice you would remove the person from the server and then they can't sync with the server and yeah it's game over at that point i mean we try to rely on the existing sharing and and user handling mechanisms in next cloud as much as possible because you know they work they scale they're reliable they've proven themselves so yeah how do you deal with changing files do you just take it as a new one like if i edit the file in my life yeah so if you edit the file the file is essentially um encrypted with new key so a new key is generated for the file that is then used to encrypt the file and upload it again but does it use the same metadata no at that point you also need to regenerate the metadata file put the new key in there etc and so um if i share something it's i only share this version um no as long as people have access to the metadata they will simply download new versions of the file decrypt the metadata i use that to decrypt the file and they get new versions of the file as well and there's change detection built into next cloud server so they will get if they use a sync client they will simply get the latest version okay so use use use the same metadata keys until you decide that you know one person in the list doesn't have access anymore at that point you change the metadata key so you cycle through metadata keys but only when it's necessary if you change the access rights all right very good grill him as long as he's on the stage grill him oh shit how much time do i have left just a question about the mnemonic you used a 3000 word dictionary i believe so but don't shoot me i might be wrong because it reminded me a lot at the bitcoin or in cryptocurrency used shim which uses i think a 4000 word dictionary so i was wondering don't you use the same and why don't you use the same i don't know i i know i have to look up the detail of exactly what dictionary it is but it's a pretty standard 3000 word english dictionary the design doesn't depend on it in any way i mean you could also take a 6000 words you can do it in greek if you want uh just more people can write 12 english words than 12 greek words okay i just wanted to point out the advantages of this because it's a proven shim and it's identically available in different languages and it also includes and that's a question uh a checksum like the the last half of the last word is a checksum over the whole thing do you have these two like can you tell the user if it's nomonic is right or wrong i don't know exactly um i can get you the answer if you like because i think we picked a you know like we didn't make our own dictionary i know we picked it from somewhere and i'm going to guess there was some thought put in that but i don't know the thoughts behind that thanks um can i give you the microphone hello um do you have any next cloud stickers seriously though um i'm not a great coder and i just want to ask what other ways can people get involved or contribute to the project so if you have any other or if you could maybe give an idea of the project and how people can contribute well uh there are obviously a lot of ways to contribute um aside from coding and reviewing stuff like this and asking difficult questions about it um well that's the usual i guess documentation but also like promo marketing and telling other people about it that's i think every open source project benefits from that um honestly i think just helping other users is really important because a lot of people asking questions on our forums trying to get help it's on help.nextcloud.com and if you run a next cloud server you know a little bit the how and what of it it's really appreciated if you especially if you use the forums sometimes to get answers to your own questions please help answer a couple of questions there if you happen to know them because that really helps i think the community as a whole forward so i hope that suffices as some inspiration anyone else questions i'm excused no more than uh i will have the last question dear josh go ahead what's your password well it's a 12 word mnemonic and i don't remember that's terrible don't okay applause to josh