1 00:00:01,280 --> 00:00:12,559 [Music] 2 00:00:15,040 --> 00:00:16,880 thank you all for coming 3 00:00:16,880 --> 00:00:19,119 it's nice to see people because this is 4 00:00:19,119 --> 00:00:21,520 not a project that has a community yet 5 00:00:21,520 --> 00:00:23,680 and that's why i'm here i'm hoping that 6 00:00:23,680 --> 00:00:24,960 people will be interested and want to 7 00:00:24,960 --> 00:00:26,320 work with me 8 00:00:26,320 --> 00:00:30,480 um as you said my name is bjarni 9 00:00:30,480 --> 00:00:33,120 this project is a spin-off from my work 10 00:00:33,120 --> 00:00:35,040 on mailpile which was supposed to be a 11 00:00:35,040 --> 00:00:36,640 secure email client 12 00:00:36,640 --> 00:00:38,480 i've had some ups and downs there 13 00:00:38,480 --> 00:00:40,320 project's not dead but there's not much 14 00:00:40,320 --> 00:00:42,879 to use at the moment 15 00:00:42,879 --> 00:00:44,719 done a few other things been around for 16 00:00:44,719 --> 00:00:46,160 a while 17 00:00:46,160 --> 00:00:47,600 um 18 00:00:47,600 --> 00:00:49,440 this is a joke but you have to be as old 19 00:00:49,440 --> 00:00:52,160 as me to get it 20 00:00:53,360 --> 00:00:54,480 um 21 00:00:54,480 --> 00:00:55,920 so i want to start with the funny story 22 00:00:55,920 --> 00:00:58,960 about mailpile so mailpile was an email 23 00:00:58,960 --> 00:01:01,680 client and we wanted to 24 00:01:01,680 --> 00:01:03,840 focus on privacy 25 00:01:03,840 --> 00:01:05,519 from the very start we wanted to write 26 00:01:05,519 --> 00:01:07,600 an application that took really good 27 00:01:07,600 --> 00:01:10,000 care of people's data and information 28 00:01:10,000 --> 00:01:11,840 and the obvious tool for that is 29 00:01:11,840 --> 00:01:13,760 encryption so we wanted to download all 30 00:01:13,760 --> 00:01:16,479 of your email from whatever providers 31 00:01:16,479 --> 00:01:18,159 were handling it for you 32 00:01:18,159 --> 00:01:20,960 store it locally encrypt the storage 
33 00:01:20,960 --> 00:01:23,200 use tor use whatever tools are 34 00:01:23,200 --> 00:01:24,640 applicable to 35 00:01:24,640 --> 00:01:27,600 maintain privacy and 36 00:01:27,600 --> 00:01:28,720 you know 37 00:01:28,720 --> 00:01:31,360 we also took usability very seriously we 38 00:01:31,360 --> 00:01:34,159 had people do tests we walked through 39 00:01:34,159 --> 00:01:36,560 the setup of the app and and you know 40 00:01:36,560 --> 00:01:39,439 when you're doing encryption locally 41 00:01:39,439 --> 00:01:42,079 you always have to have some sort of key 42 00:01:42,079 --> 00:01:43,360 and so one of the first things that 43 00:01:43,360 --> 00:01:44,799 people had to do 44 00:01:44,799 --> 00:01:46,399 in the setup phase so they were 45 00:01:46,399 --> 00:01:48,240 installing this brand new app 46 00:01:48,240 --> 00:01:51,200 and it asked them to choose a passphrase 47 00:01:51,200 --> 00:01:52,399 and because 48 00:01:52,399 --> 00:01:54,320 email is super important and this is 49 00:01:54,320 --> 00:01:56,479 really sensitive data we encourage them 50 00:01:56,479 --> 00:01:58,399 to choose a really really 51 00:01:58,399 --> 00:01:59,680 long 52 00:01:59,680 --> 00:02:02,560 strong passphrase you know four or five 53 00:02:02,560 --> 00:02:04,399 words we even had a little generator 54 00:02:04,399 --> 00:02:05,759 that would suggest passphrases for 55 00:02:05,759 --> 00:02:07,119 people 56 00:02:07,119 --> 00:02:09,280 and people did they chose a passphrase 57 00:02:09,280 --> 00:02:10,720 and they typed it once and they typed it 58 00:02:10,720 --> 00:02:12,879 in again and then they went and used the 59 00:02:12,879 --> 00:02:14,080 app a bit 60 00:02:14,080 --> 00:02:16,480 and they went back to log in and had 61 00:02:16,480 --> 00:02:18,480 forgotten their passphrase 62 00:02:18,480 --> 00:02:20,319 and this happened the majority of the 63 00:02:20,319 --> 00:02:21,360 time 64 00:02:21,360 --> 00:02:23,440 hello everybody welcome 65 00:02:23,440 
--> 00:02:25,280 so most people that went through this 66 00:02:25,280 --> 00:02:27,520 particular usability test forgot the 67 00:02:27,520 --> 00:02:29,360 passphrase that they had just chosen 68 00:02:29,360 --> 00:02:31,360 within about a minute or two 69 00:02:31,360 --> 00:02:33,120 it was amazing 70 00:02:33,120 --> 00:02:35,120 um 71 00:02:35,120 --> 00:02:36,319 there's a little happy ending there is 72 00:02:36,319 --> 00:02:37,440 that there was something that came out 73 00:02:37,440 --> 00:02:40,319 of these these tests and 74 00:02:40,319 --> 00:02:42,319 what came out of it was a bug 75 00:02:42,319 --> 00:02:43,280 so 76 00:02:43,280 --> 00:02:44,959 the the application 77 00:02:44,959 --> 00:02:47,120 the setup flow you want you type in your 78 00:02:47,120 --> 00:02:49,360 passphrase and it's like okay now we can 79 00:02:49,360 --> 00:02:52,640 encrypt everything lock it down 80 00:02:52,640 --> 00:02:54,800 and it booted the user out it's like 81 00:02:54,800 --> 00:02:56,560 okay the session is now invalid so now 82 00:02:56,560 --> 00:02:58,080 they have to log in again 83 00:02:58,080 --> 00:02:59,760 and it's like but i just typed in my 84 00:02:59,760 --> 00:03:01,040 passphrase twice you want me to type it 85 00:03:01,040 --> 00:03:02,560 in again 86 00:03:02,560 --> 00:03:04,640 and that worked suddenly people stopped 87 00:03:04,640 --> 00:03:06,560 forgetting their passphrase 88 00:03:06,560 --> 00:03:09,040 so usability testing is great and 89 00:03:09,040 --> 00:03:12,799 software design matters um 90 00:03:13,040 --> 00:03:15,280 i'm already into this you know it's hard 91 00:03:15,280 --> 00:03:18,879 to remember things repetition helps but 92 00:03:18,879 --> 00:03:21,200 it took me a really long time to 93 00:03:21,200 --> 00:03:22,879 reach this final insight that i've got 94 00:03:22,879 --> 00:03:24,799 on the slide and 95 00:03:24,799 --> 00:03:26,640 this is a problem that is common to so 96 00:03:26,640 --> 00:03:29,599 many 
of the tools that we're using 97 00:03:29,599 --> 00:03:32,480 we're asking our users now speaking we 98 00:03:32,480 --> 00:03:33,760 developers of these tools and the 99 00:03:33,760 --> 00:03:35,920 advocates of these tools 100 00:03:35,920 --> 00:03:37,760 asking our users to make decisions about 101 00:03:37,760 --> 00:03:39,519 security 102 00:03:39,519 --> 00:03:41,280 way before they even know what the app 103 00:03:41,280 --> 00:03:42,319 is for 104 00:03:42,319 --> 00:03:44,000 like they haven't used it they have no 105 00:03:44,000 --> 00:03:45,120 experience 106 00:03:45,120 --> 00:03:47,040 and it has no information and it has no 107 00:03:47,040 --> 00:03:49,040 data there's nothing of value there like 108 00:03:49,040 --> 00:03:50,159 you know these bitcoins they're 109 00:03:50,159 --> 00:03:51,920 worthless doesn't matter it's okay if i 110 00:03:51,920 --> 00:03:53,519 forget the passphrase 111 00:03:53,519 --> 00:03:55,200 where it's okay if i choose an insecure 112 00:03:55,200 --> 00:03:56,400 one 113 00:03:56,400 --> 00:03:57,200 and 114 00:03:57,200 --> 00:03:58,879 then we don't revisit that so we ask 115 00:03:58,879 --> 00:04:00,560 people to make really important 116 00:04:00,560 --> 00:04:01,680 decisions 117 00:04:01,680 --> 00:04:03,599 when they have absolutely 118 00:04:03,599 --> 00:04:05,840 no ability to do so 119 00:04:05,840 --> 00:04:07,599 so we're setting people up to fail right 120 00:04:07,599 --> 00:04:09,840 there 121 00:04:10,159 --> 00:04:12,159 and this brings me to 122 00:04:12,159 --> 00:04:14,720 how the other guys deal with this stuff 123 00:04:14,720 --> 00:04:16,000 um 124 00:04:16,000 --> 00:04:17,839 there's always a way to undo stuff if 125 00:04:17,839 --> 00:04:19,839 you're in the cloud if you've forgotten 126 00:04:19,839 --> 00:04:22,240 your passphrase or lost your tokens 127 00:04:22,240 --> 00:04:24,000 whatever there's usually a way to reset 128 00:04:24,000 --> 00:04:26,000 and regain access 129 
00:04:26,000 --> 00:04:27,199 so 130 00:04:27,199 --> 00:04:28,880 for the general public and for the 131 00:04:28,880 --> 00:04:31,840 average person who is forgetful 132 00:04:31,840 --> 00:04:33,759 the availability and the reliability of 133 00:04:33,759 --> 00:04:36,000 putting your data in the cloud 134 00:04:36,000 --> 00:04:37,600 is so much greater than encrypting it 135 00:04:37,600 --> 00:04:39,520 and storing it locally 136 00:04:39,520 --> 00:04:41,120 because there's just failure modes that 137 00:04:41,120 --> 00:04:42,639 they've fixed and we don't have 138 00:04:42,639 --> 00:04:45,040 solutions for 139 00:04:45,040 --> 00:04:47,360 google microsoft all these big guys you 140 00:04:47,360 --> 00:04:48,960 know even little guys i think wordpress 141 00:04:48,960 --> 00:04:51,280 has a really nice password reset flow 142 00:04:51,280 --> 00:04:54,160 built into it every single web app does 143 00:04:54,160 --> 00:04:55,759 but when you enter the world of 144 00:04:55,759 --> 00:04:57,520 encryption we're taking important 145 00:04:57,520 --> 00:05:00,000 information and we're encrypting it 146 00:05:00,000 --> 00:05:02,160 we don't have that if you forget your 147 00:05:02,160 --> 00:05:04,800 passphrase to your pgp key you create a 148 00:05:04,800 --> 00:05:06,240 new key 149 00:05:06,240 --> 00:05:07,840 and you probably don't know how to 150 00:05:07,840 --> 00:05:09,440 publish that new key in a way that other 151 00:05:09,440 --> 00:05:11,280 people will find it it's 152 00:05:11,280 --> 00:05:13,759 a bit of a nightmare 153 00:05:13,759 --> 00:05:15,919 same for hard drive encryption 154 00:05:15,919 --> 00:05:17,759 the bitcoin wallet stories everyone's 155 00:05:17,759 --> 00:05:19,600 heard those a million times 156 00:05:19,600 --> 00:05:21,120 some of us like to laugh some of us are 157 00:05:21,120 --> 00:05:24,080 really sad 158 00:05:24,080 --> 00:05:25,039 but i think there's this really 159 00:05:25,039 --> 00:05:28,320 interesting 
duality here when we compare 160 00:05:28,320 --> 00:05:30,639 cloud-based storage solutions having 161 00:05:30,639 --> 00:05:32,960 other people hold our data 162 00:05:32,960 --> 00:05:34,800 with doing it ourselves using strong 163 00:05:34,800 --> 00:05:36,080 crypto 164 00:05:36,080 --> 00:05:37,199 in that 165 00:05:37,199 --> 00:05:40,720 the pros and the cons are the same thing 166 00:05:40,720 --> 00:05:41,840 like 167 00:05:41,840 --> 00:05:44,000 it's we consider it from a privacy point 168 00:05:44,000 --> 00:05:46,000 of view we consider it a huge problem 169 00:05:46,000 --> 00:05:47,680 that these big corporations have our 170 00:05:47,680 --> 00:05:49,440 information 171 00:05:49,440 --> 00:05:50,880 until we need access to it again and 172 00:05:50,880 --> 00:05:52,240 then suddenly that's a huge feature 173 00:05:52,240 --> 00:05:53,520 there's a benefit that there's this 174 00:05:53,520 --> 00:05:55,039 really nice person who can give us 175 00:05:55,039 --> 00:05:57,280 access to our data again when we forgot 176 00:05:57,280 --> 00:05:59,759 our stuff 177 00:05:59,759 --> 00:06:01,120 and then it goes we go over to the 178 00:06:01,120 --> 00:06:03,120 crypto side and we consider it to be a 179 00:06:03,120 --> 00:06:05,600 feature and a benefit that without the 180 00:06:05,600 --> 00:06:08,240 keys nobody has access 181 00:06:08,240 --> 00:06:10,160 math protects our data 182 00:06:10,160 --> 00:06:11,919 the structure of the universe protects 183 00:06:11,919 --> 00:06:14,400 our data it's wonderful 184 00:06:14,400 --> 00:06:16,880 until we lose the key and then math 185 00:06:16,880 --> 00:06:18,960 protects our data structure the universe 186 00:06:18,960 --> 00:06:22,479 says no and our data is gone 187 00:06:22,479 --> 00:06:24,479 so 188 00:06:24,479 --> 00:06:26,400 i'm not saying this 189 00:06:26,400 --> 00:06:30,000 i'm not asking crypto to be less secure 190 00:06:30,000 --> 00:06:31,919 but 191 00:06:31,919 --> 00:06:34,479 i 
would like some form of password reset 192 00:06:34,479 --> 00:06:36,639 that normal users that do not have 193 00:06:36,639 --> 00:06:38,479 extreme threat models 194 00:06:38,479 --> 00:06:40,800 can use and trust and rely on and then 195 00:06:40,800 --> 00:06:44,400 we can deploy crypto in more places 196 00:06:44,880 --> 00:06:46,240 so i started working on this and 197 00:06:46,240 --> 00:06:48,800 thinking you know how do we solve this 198 00:06:48,800 --> 00:06:50,560 and these are sort of the building 199 00:06:50,560 --> 00:06:53,440 blocks that i was working with um 200 00:06:53,440 --> 00:06:54,880 the first one 201 00:06:54,880 --> 00:06:56,560 shamir's secret sharing how many 202 00:06:56,560 --> 00:06:58,000 people in here 203 00:06:58,000 --> 00:07:00,400 have heard of that algorithm 204 00:07:00,400 --> 00:07:03,759 well about half of you it's pretty good 205 00:07:03,759 --> 00:07:05,199 it's a really interesting algorithm it 206 00:07:05,199 --> 00:07:06,240 lets you 207 00:07:06,240 --> 00:07:08,160 take basically a number 208 00:07:08,160 --> 00:07:10,160 and you can ask it to generate 209 00:07:10,160 --> 00:07:12,319 five other numbers 210 00:07:12,319 --> 00:07:15,360 and if you have three of them you can 211 00:07:15,360 --> 00:07:17,440 assemble the first one so keys are just 212 00:07:17,440 --> 00:07:19,280 numbers keys are big numbers 213 00:07:19,280 --> 00:07:21,039 and these parameters are tunable you can 214 00:07:21,039 --> 00:07:22,479 say i want 215 00:07:22,479 --> 00:07:25,199 all five to be found 216 00:07:25,199 --> 00:07:27,280 or i want just one so you can have one 217 00:07:27,280 --> 00:07:29,599 of five or you can have four of five or 218 00:07:29,599 --> 00:07:31,599 you have one of ten 219 00:07:31,599 --> 00:07:33,520 so you can just pick and choose how you 220 00:07:33,520 --> 00:07:34,880 want to use this algorithm so it's very 221 00:07:34,880 --> 00:07:36,720 flexible 222 00:07:36,720 --> 00:07:38,080 the other 
thing i wanted to build on is 223 00:07:38,080 --> 00:07:39,840 i want to build on the cloud accounts 224 00:07:39,840 --> 00:07:41,680 that people already have they have these 225 00:07:41,680 --> 00:07:43,520 things where there is an established 226 00:07:43,520 --> 00:07:44,879 flow for 227 00:07:44,879 --> 00:07:47,840 identifying and authenticating users 228 00:07:47,840 --> 00:07:50,800 i just want to piggyback on top of that 229 00:07:50,800 --> 00:07:53,759 and servers and storage are really cheap 230 00:07:53,759 --> 00:07:55,520 so we have a lot of things that we can 231 00:07:55,520 --> 00:07:58,879 build on and use 232 00:07:58,879 --> 00:08:01,280 the design goals that i had 233 00:08:01,280 --> 00:08:03,039 i want to solve this problem i want us 234 00:08:03,039 --> 00:08:04,639 to be able to recover 235 00:08:04,639 --> 00:08:06,879 a lost encryption key and although the 236 00:08:06,879 --> 00:08:09,440 title of the talk is passwords 237 00:08:09,440 --> 00:08:11,520 those boil down to the same thing 238 00:08:11,520 --> 00:08:13,599 because usually a password is converted 239 00:08:13,599 --> 00:08:14,800 into a key 240 00:08:14,800 --> 00:08:16,400 using a hashing function or something 241 00:08:16,400 --> 00:08:18,479 like that 242 00:08:18,479 --> 00:08:20,319 there is ultimately a key that protects 243 00:08:20,319 --> 00:08:22,000 access to your stuff and there can be 244 00:08:22,000 --> 00:08:23,360 chains of them there can be a key that 245 00:08:23,360 --> 00:08:24,560 encrypts another key that encrypts 246 00:08:24,560 --> 00:08:27,280 another key and we can step in at some 247 00:08:27,280 --> 00:08:28,800 point and say okay 248 00:08:28,800 --> 00:08:30,560 this key we're going to make this key 249 00:08:30,560 --> 00:08:33,280 recoverable 250 00:08:33,360 --> 00:08:35,839 and the use cases for this it's not just 251 00:08:35,839 --> 00:08:37,679 about forgetting things you know maybe 252 00:08:37,679 --> 00:08:39,919 you lost something 
maybe you're using a 253 00:08:39,919 --> 00:08:42,159 key card or a hardware token or 254 00:08:42,159 --> 00:08:43,839 something and you've lost it 255 00:08:43,839 --> 00:08:45,360 or it got broken 256 00:08:45,360 --> 00:08:48,160 someone ran over it 257 00:08:48,160 --> 00:08:50,320 or there's the use case where you're 258 00:08:50,320 --> 00:08:52,240 dead 259 00:08:52,240 --> 00:08:54,880 and you would like to have a way for 260 00:08:54,880 --> 00:08:57,519 your family or your friends to gain 261 00:08:57,519 --> 00:09:00,160 access to your digital 262 00:09:00,160 --> 00:09:02,240 legacy really 263 00:09:02,240 --> 00:09:03,680 so there are interesting use cases 264 00:09:03,680 --> 00:09:05,600 important use cases 265 00:09:05,600 --> 00:09:07,839 it needs to be secure enough i mean if 266 00:09:07,839 --> 00:09:09,680 we're going to remove all of the 267 00:09:09,680 --> 00:09:10,880 encryption 268 00:09:10,880 --> 00:09:13,120 then why bother there it needs to be 269 00:09:13,120 --> 00:09:15,200 something where people can tune it 270 00:09:15,200 --> 00:09:17,680 for their needs and their threats 271 00:09:17,680 --> 00:09:19,200 so that's one of the goals 272 00:09:19,200 --> 00:09:21,040 has to be user friendly so people can 273 00:09:21,040 --> 00:09:24,160 use it and not fail 274 00:09:24,320 --> 00:09:25,920 and it has to be developer friendly 275 00:09:25,920 --> 00:09:28,399 because i can invent this system 276 00:09:28,399 --> 00:09:30,240 and be really proud of it but if nobody 277 00:09:30,240 --> 00:09:31,839 builds it into their software then this 278 00:09:31,839 --> 00:09:34,080 is all a wasted effort so 279 00:09:34,080 --> 00:09:36,240 i want to reach out to any developers if 280 00:09:36,240 --> 00:09:37,760 there are developers in the room come 281 00:09:37,760 --> 00:09:40,319 talk to me 282 00:09:41,040 --> 00:09:42,640 and finally because there is a server 283 00:09:42,640 --> 00:09:44,800 component and i would like it to be not 
284 00:09:44,800 --> 00:09:46,560 just me running the server i would like 285 00:09:46,560 --> 00:09:48,399 a community of servers i would like you 286 00:09:48,399 --> 00:09:49,920 to be able to take fragments of your key 287 00:09:49,920 --> 00:09:51,279 and put them here and there and there 288 00:09:51,279 --> 00:09:53,680 and trust different people 289 00:09:53,680 --> 00:09:56,080 we need a community of systems and so 290 00:09:56,080 --> 00:09:57,839 the software needs to be accessible for 291 00:09:57,839 --> 00:09:59,120 them and something that they're willing 292 00:09:59,120 --> 00:10:01,920 to run and manage 293 00:10:01,920 --> 00:10:02,720 so 294 00:10:02,720 --> 00:10:05,040 those are the goals here's a really 295 00:10:05,040 --> 00:10:08,079 dense one slide summary of how passcrow 296 00:10:08,079 --> 00:10:10,479 works 297 00:10:14,079 --> 00:10:15,519 this is the this is the core of the 298 00:10:15,519 --> 00:10:17,040 thing 299 00:10:17,040 --> 00:10:19,600 so as i said earlier usually you have a 300 00:10:19,600 --> 00:10:22,640 key that unlocks your information 301 00:10:22,640 --> 00:10:24,160 what i want to do is i want to take that 302 00:10:24,160 --> 00:10:25,920 key and i want to encrypt it with 303 00:10:25,920 --> 00:10:27,920 another key so i generate a throwaway 304 00:10:27,920 --> 00:10:30,399 key that is only used to encrypt this 305 00:10:30,399 --> 00:10:32,480 really important secret 306 00:10:32,480 --> 00:10:34,079 and that is then stored in the same 307 00:10:34,079 --> 00:10:35,920 place as your encrypted data so those 308 00:10:35,920 --> 00:10:38,079 things live together i don't take that 309 00:10:38,079 --> 00:10:39,279 and put it anywhere else it's just 310 00:10:39,279 --> 00:10:40,720 sitting there in the same place so 311 00:10:40,720 --> 00:10:44,320 shared fate if that device functions 312 00:10:44,320 --> 00:10:46,640 you've lost both things doesn't matter 313 00:10:46,640 --> 00:10:48,320 they they're they 314 
00:10:48,320 --> 00:10:49,680 protect the same thing they're the same 315 00:10:49,680 --> 00:10:51,920 thing 316 00:10:52,160 --> 00:10:53,920 this recovery key which we use to 317 00:10:53,920 --> 00:10:56,480 encrypt that little bit of information 318 00:10:56,480 --> 00:10:57,760 we 319 00:10:57,760 --> 00:11:00,160 split that using shamir so we split that 320 00:11:00,160 --> 00:11:02,320 into these what i'm calling fragments 321 00:11:02,320 --> 00:11:05,200 shamir calls them shares 322 00:11:05,200 --> 00:11:06,959 we split into fragments and then we give 323 00:11:06,959 --> 00:11:08,880 those fragments to the people running 324 00:11:08,880 --> 00:11:10,399 the servers 325 00:11:10,399 --> 00:11:13,120 but we do this carefully 326 00:11:13,120 --> 00:11:14,959 the servers then make a promise so this 327 00:11:14,959 --> 00:11:16,800 is a community and the server promises i 328 00:11:16,800 --> 00:11:19,440 will not give you back this fragment 329 00:11:19,440 --> 00:11:22,160 unless you prove who you are 330 00:11:22,160 --> 00:11:23,440 using 331 00:11:23,440 --> 00:11:25,519 an identity of your choice so you can 332 00:11:25,519 --> 00:11:27,040 tell me i'm the server operator and you 333 00:11:27,040 --> 00:11:28,399 say hey 334 00:11:28,399 --> 00:11:30,399 only give me my fragment back if i can 335 00:11:30,399 --> 00:11:32,079 verify that i have 336 00:11:32,079 --> 00:11:34,079 the right telephone number or the right 337 00:11:34,079 --> 00:11:35,600 email address 338 00:11:35,600 --> 00:11:37,839 or a github account or something like 339 00:11:37,839 --> 00:11:40,000 that 340 00:11:40,240 --> 00:11:42,240 so what we have that's the core of the 341 00:11:42,240 --> 00:11:44,399 idea i'm going to go back into it again 342 00:11:44,399 --> 00:11:45,839 i'm going to give you a little demo show 343 00:11:45,839 --> 00:11:49,200 you how the software behaves 344 00:11:49,200 --> 00:11:51,040 today we have 345 00:11:51,040 --> 00:11:52,480 most of the 
building blocks so basically 346 00:11:52,480 --> 00:11:54,240 i have a first iteration of all of these 347 00:11:54,240 --> 00:11:55,360 things 348 00:11:55,360 --> 00:11:58,240 there's some documentation i've tried 349 00:11:58,240 --> 00:12:00,079 really hard but 350 00:12:00,079 --> 00:12:02,320 documentation is hard so if anyone wants 351 00:12:02,320 --> 00:12:04,079 to read it and complain 352 00:12:04,079 --> 00:12:06,800 that's very welcome 353 00:12:06,800 --> 00:12:09,360 if it confuses you then i failed i need 354 00:12:09,360 --> 00:12:10,800 to fix it 355 00:12:10,800 --> 00:12:12,560 there's a client library for people that 356 00:12:12,560 --> 00:12:14,880 are working in python 357 00:12:14,880 --> 00:12:16,480 if this takes off there should be 358 00:12:16,480 --> 00:12:18,079 libraries for other languages as well 359 00:12:18,079 --> 00:12:21,040 but python is where i've started 360 00:12:21,040 --> 00:12:22,720 there is a very simple server 361 00:12:22,720 --> 00:12:24,639 implementation 362 00:12:24,639 --> 00:12:26,720 doesn't perform very well it doesn't do 363 00:12:26,720 --> 00:12:29,519 anything fancy but it doesn't work 364 00:12:29,519 --> 00:12:30,959 and then there's a command line tool 365 00:12:30,959 --> 00:12:32,480 because as i said 366 00:12:32,480 --> 00:12:34,320 this isn't built into anyone's software 367 00:12:34,320 --> 00:12:35,200 yet 368 00:12:35,200 --> 00:12:36,800 so there is a command line tool so you 369 00:12:36,800 --> 00:12:38,720 can experiment with it and play with it 370 00:12:38,720 --> 00:12:41,040 you can set up manual recovery 371 00:12:41,040 --> 00:12:43,040 yourself and imagine that we're in a 372 00:12:43,040 --> 00:12:45,040 magical future where this is built into 373 00:12:45,040 --> 00:12:46,880 our software 374 00:12:46,880 --> 00:12:49,200 there's a website passcrow.org 375 00:12:49,200 --> 00:12:51,279 it has a little intro 376 00:12:51,279 --> 00:12:53,120 and has an overview of which servers 
are 377 00:12:53,120 --> 00:12:55,760 live that will help with this recovery 378 00:12:55,760 --> 00:12:57,839 process and at the moment there are two 379 00:12:57,839 --> 00:13:00,000 both of which are run by me one of them 380 00:13:00,000 --> 00:13:03,200 is for testing and the other one is for 381 00:13:03,200 --> 00:13:05,600 more serious 382 00:13:05,600 --> 00:13:09,120 or actual data if you trust it 383 00:13:09,200 --> 00:13:10,320 that's 384 00:13:10,320 --> 00:13:13,519 the url and the amazing logo that 385 00:13:13,519 --> 00:13:16,880 craiyon generated for me 386 00:13:17,120 --> 00:13:18,240 so 387 00:13:18,240 --> 00:13:20,079 if you were to go and install this i 388 00:13:20,079 --> 00:13:21,760 decided to do a slideshow instead of 389 00:13:21,760 --> 00:13:24,480 walking through on my laptop um 390 00:13:24,480 --> 00:13:25,279 but 391 00:13:25,279 --> 00:13:26,399 the first thing i'm doing there can 392 00:13:26,399 --> 00:13:29,120 anyone can everyone see this 393 00:13:29,120 --> 00:13:30,160 yeah 394 00:13:30,160 --> 00:13:31,120 so 395 00:13:31,120 --> 00:13:32,560 first thing is you can install it from 396 00:13:32,560 --> 00:13:34,320 from pypi so you just pip install 397 00:13:34,320 --> 00:13:36,160 passcrow 398 00:13:36,160 --> 00:13:37,680 and then you run the first command would 399 00:13:37,680 --> 00:13:39,920 you just be passcrow init and what that 400 00:13:39,920 --> 00:13:41,920 does it just sets up 401 00:13:41,920 --> 00:13:45,040 a directory for storing information and 402 00:13:45,040 --> 00:13:48,639 what i'm calling a default policy 403 00:13:48,639 --> 00:13:49,680 and you can look at what's in that 404 00:13:49,680 --> 00:13:51,760 default policy so that's that last line 405 00:13:51,760 --> 00:13:53,600 there i'm opening it with vi because i'm 406 00:13:53,600 --> 00:13:56,079 a hacker 407 00:13:57,279 --> 00:13:59,040 you can see some interesting things here 408 00:13:59,040 --> 00:14:00,079 like 409 00:14:00,079 --> 
00:14:02,399 i've edited the defaults 410 00:14:02,399 --> 00:14:04,160 to add some bits 411 00:14:04,160 --> 00:14:06,079 i'm specifying the ratio that's hard to 412 00:14:06,079 --> 00:14:07,839 read it says three quarters three out of 413 00:14:07,839 --> 00:14:09,040 four 414 00:14:09,040 --> 00:14:10,320 so 415 00:14:10,320 --> 00:14:13,199 if i give passcrow four identities 416 00:14:13,199 --> 00:14:14,959 it will require three of them for 417 00:14:14,959 --> 00:14:16,560 recovery to succeed 418 00:14:16,560 --> 00:14:18,320 by tuning the parameters to the shamir 419 00:14:18,320 --> 00:14:21,360 algorithm as i mentioned earlier 420 00:14:21,360 --> 00:14:23,199 and there are some timeouts i can say i 421 00:14:23,199 --> 00:14:24,240 want this 422 00:14:24,240 --> 00:14:27,920 data to expire in a year or in 10 years 423 00:14:27,920 --> 00:14:29,680 or in five days or you know these are 424 00:14:29,680 --> 00:14:31,760 things that can be tuned 425 00:14:31,760 --> 00:14:34,880 and then there's a timeout 426 00:14:34,880 --> 00:14:38,000 has anyone here not recovered a password 427 00:14:38,000 --> 00:14:41,040 from something like gmail 428 00:14:41,040 --> 00:14:42,000 everyone's done it so you're all 429 00:14:42,000 --> 00:14:43,279 familiar with the fact that these little 430 00:14:43,279 --> 00:14:45,279 codes that they send you are time 431 00:14:45,279 --> 00:14:46,240 limited 432 00:14:46,240 --> 00:14:48,240 that's that time out so we have the same 433 00:14:48,240 --> 00:14:50,800 concept 434 00:14:51,920 --> 00:14:54,399 i created a very valuable secret created 435 00:14:54,399 --> 00:14:57,120 a file called secret.txt 436 00:14:57,120 --> 00:14:59,440 and then i say passcrow protect 437 00:14:59,440 --> 00:15:01,199 secret.txt 438 00:15:01,199 --> 00:15:03,279 and here i've given it my phone number 439 00:15:03,279 --> 00:15:04,959 and my email address 440 00:15:04,959 --> 00:15:06,720 and those are both correct so please 441 00:15:06,720 --> 
00:15:08,240 don't spam me 442 00:15:08,240 --> 00:15:09,040 and 443 00:15:09,040 --> 00:15:10,480 don't call me out of business hours 444 00:15:10,480 --> 00:15:13,839 unless it's really exciting 445 00:15:14,639 --> 00:15:16,959 we can ask the tool for a list and say 446 00:15:16,959 --> 00:15:18,800 passcrow list and then it will show you 447 00:15:18,800 --> 00:15:21,120 which shares have been or which things 448 00:15:21,120 --> 00:15:23,279 have been put in escrow 449 00:15:23,279 --> 00:15:24,079 and 450 00:15:24,079 --> 00:15:25,360 we're going to look inside one of these 451 00:15:25,360 --> 00:15:26,959 files 452 00:15:26,959 --> 00:15:29,040 it's just a json file 453 00:15:29,040 --> 00:15:31,600 a bunch of parameters 454 00:15:31,600 --> 00:15:35,759 there's a thing there line 4 is a secret 455 00:15:35,759 --> 00:15:38,880 and that's a base64 encoded blob 456 00:15:38,880 --> 00:15:41,120 and passcrow doesn't care what's in there 457 00:15:41,120 --> 00:15:43,279 but that is 458 00:15:43,279 --> 00:15:44,800 that's the secret information that we 459 00:15:44,800 --> 00:15:47,758 gave it to begin with 460 00:15:47,839 --> 00:15:50,000 it says there that there's only 461 00:15:50,000 --> 00:15:51,680 it has a 462 00:15:51,680 --> 00:15:53,279 minimum of two shares because i only 463 00:15:53,279 --> 00:15:55,360 gave it two identities 464 00:15:55,360 --> 00:15:56,959 so it can't really do three out of four 465 00:15:56,959 --> 00:15:59,360 so it approximates it does its best and 466 00:15:59,360 --> 00:16:00,880 stores other things it needs to know to 467 00:16:00,880 --> 00:16:03,120 recover things 468 00:16:03,120 --> 00:16:04,959 this is what recovery looks like 469 00:16:04,959 --> 00:16:06,560 passcrow recover and they tell 470 00:16:06,560 --> 00:16:09,120 secrets.txt it remembers that's what it 471 00:16:09,120 --> 00:16:11,040 was protecting before 472 00:16:11,040 --> 00:16:14,000 it contacts the two servers and it asks 473 00:16:14,000 --> 
00:16:16,160 them to verify 474 00:16:16,160 --> 00:16:18,000 and then it tells me i should expect to 475 00:16:18,000 --> 00:16:21,040 receive an sms or a phone call and i 476 00:16:21,040 --> 00:16:22,560 should expect to receive an email and it 477 00:16:22,560 --> 00:16:24,160 gives hints about where those will be 478 00:16:24,160 --> 00:16:25,600 sent to 479 00:16:25,600 --> 00:16:27,519 and this is done server sides the server 480 00:16:27,519 --> 00:16:29,759 side doesn't send the full identity back 481 00:16:29,759 --> 00:16:33,040 wow i've talked way too slow 482 00:16:34,320 --> 00:16:35,040 so 483 00:16:35,040 --> 00:16:37,360 if someone else initiates recovery they 484 00:16:37,360 --> 00:16:38,880 don't know exactly which accounts to 485 00:16:38,880 --> 00:16:40,560 look at and again this is familiar from 486 00:16:40,560 --> 00:16:42,240 recovery for other things 487 00:16:42,240 --> 00:16:44,240 once i receive the codes i run passcrow 488 00:16:44,240 --> 00:16:46,800 recover again i give it the codes 489 00:16:46,800 --> 00:16:49,199 and it 490 00:16:49,199 --> 00:16:51,600 well it sent me an sms this works it 491 00:16:51,600 --> 00:16:54,000 does goes through twilio an american 492 00:16:54,000 --> 00:16:56,480 company i'm sure we all trust 493 00:16:56,480 --> 00:16:57,600 um 494 00:16:57,600 --> 00:17:00,240 sent me an email 495 00:17:00,240 --> 00:17:02,240 that went there's mailpile it totally 496 00:17:02,240 --> 00:17:04,559 exists 497 00:17:04,559 --> 00:17:05,679 i recover 498 00:17:05,679 --> 00:17:08,160 and it's hard to see because there's a 499 00:17:08,160 --> 00:17:10,319 bunch of other output but it shows the 500 00:17:10,319 --> 00:17:11,919 input the contents of the file that i 501 00:17:11,919 --> 00:17:14,720 gave it to begin with this is my secret 502 00:17:14,720 --> 00:17:15,919 and then i can tell it to forget all 503 00:17:15,919 --> 00:17:17,599 about it so then it goes and deletes the 504 00:17:17,599 --> 00:17:19,359 
local information and asks the servers 505 00:17:19,359 --> 00:17:21,839 to delete the stuff they have on file as 506 00:17:21,839 --> 00:17:22,799 well 507 00:17:22,799 --> 00:17:24,880 so that's the tool this is all the tool 508 00:17:24,880 --> 00:17:27,280 does you've seen the whole thing 509 00:17:27,280 --> 00:17:30,880 and you can install it and play with it 510 00:17:30,880 --> 00:17:33,200 so back to the design goals again secure 511 00:17:33,200 --> 00:17:35,919 enough um 512 00:17:35,919 --> 00:17:37,840 the way i'm doing that is obviously we 513 00:17:37,840 --> 00:17:39,440 encrypt any communication that we do 514 00:17:39,440 --> 00:17:40,640 when we talk to the server that's 515 00:17:40,640 --> 00:17:42,080 encrypted 516 00:17:42,080 --> 00:17:44,000 the passcrow servers they don't have 517 00:17:44,000 --> 00:17:45,039 your data 518 00:17:45,039 --> 00:17:46,960 all they have is 519 00:17:46,960 --> 00:17:48,960 an encrypted blob 520 00:17:48,960 --> 00:17:51,200 which they cannot read to begin with and 521 00:17:51,200 --> 00:17:53,039 inside that encrypted blob is your 522 00:17:53,039 --> 00:17:56,000 identity and a fragment of the recovery 523 00:17:56,000 --> 00:17:58,480 key not the whole thing 524 00:17:58,480 --> 00:18:00,000 the reason these things are encrypted is 525 00:18:00,000 --> 00:18:02,720 you know to protect your privacy so when 526 00:18:02,720 --> 00:18:04,320 you initiate recovery when you say to 527 00:18:04,320 --> 00:18:06,799 passcrow i want to recover my stuff 528 00:18:06,799 --> 00:18:08,559 passcrow goes back to that recovery pack 529 00:18:08,559 --> 00:18:10,559 which is stored locally 530 00:18:10,559 --> 00:18:12,320 finds the key that was generated to 531 00:18:12,320 --> 00:18:13,919 encrypt the thing the server has and 532 00:18:13,919 --> 00:18:15,440 says here server now you're allowed to 533 00:18:15,440 --> 00:18:17,520 decrypt your instructions 534 00:18:17,520 --> 00:18:19,440 and so then it opens up the 
you know 535 00:18:19,440 --> 00:18:21,600 recovery envelope thing 536 00:18:21,600 --> 00:18:23,120 finds the identity 537 00:18:23,120 --> 00:18:25,679 and sends you a code or asks you to 538 00:18:25,679 --> 00:18:27,679 visit a website and log in through some 539 00:18:27,679 --> 00:18:30,160 other things 540 00:18:30,160 --> 00:18:31,360 and this 541 00:18:31,360 --> 00:18:33,360 means in these little codes that we're 542 00:18:33,360 --> 00:18:34,640 sending around 543 00:18:34,640 --> 00:18:36,160 this means that these providers the 544 00:18:36,160 --> 00:18:38,880 email providers twilio 545 00:18:38,880 --> 00:18:41,280 they never see any key material at all 546 00:18:41,280 --> 00:18:42,880 all they're seeing is this temporary 547 00:18:42,880 --> 00:18:44,799 code that lasts 30 minutes or 20 minutes 548 00:18:44,799 --> 00:18:47,120 or whatever the user decides 549 00:18:47,120 --> 00:18:48,240 and 550 00:18:48,240 --> 00:18:49,840 you know we're leaking very little 551 00:18:49,840 --> 00:18:52,399 information 552 00:18:52,640 --> 00:18:54,720 yeah as i said the user is in control of 553 00:18:54,720 --> 00:18:56,640 those things 554 00:18:56,640 --> 00:18:58,080 and 555 00:18:58,080 --> 00:18:59,919 it's kind of important is that 556 00:18:59,919 --> 00:19:02,799 because usually you would have three out 557 00:19:02,799 --> 00:19:05,360 of four or something like that 558 00:19:05,360 --> 00:19:07,600 servers can go offline passcrow servers can 559 00:19:07,600 --> 00:19:09,280 be dead and you can still probably 560 00:19:09,280 --> 00:19:10,960 recover 561 00:19:10,960 --> 00:19:12,480 and most of the time you're not 562 00:19:12,480 --> 00:19:14,240 recovering so passcrow servers don't have 563 00:19:14,240 --> 00:19:15,840 to have very high uptime they can go 564 00:19:15,840 --> 00:19:17,679 down for maintenance without the admins 565 00:19:17,679 --> 00:19:20,400 being stressed out 566 00:19:20,799 --> 00:19:22,480 and of course all of this is open
source 567 00:19:22,480 --> 00:19:24,480 hopefully peer review will contribute to 568 00:19:24,480 --> 00:19:27,360 the security of things 569 00:19:27,760 --> 00:19:29,120 user friendly 570 00:19:29,120 --> 00:19:30,960 the main key that makes this 571 00:19:30,960 --> 00:19:32,720 user-friendly is that this is a really 572 00:19:32,720 --> 00:19:35,200 familiar pattern we already know how to 573 00:19:35,200 --> 00:19:37,280 do this we don't have to teach users new 574 00:19:37,280 --> 00:19:38,480 stuff 575 00:19:38,480 --> 00:19:40,559 we just have to add these options to our 576 00:19:40,559 --> 00:19:42,400 software 577 00:19:42,400 --> 00:19:45,120 uh developer friendly you know docs 578 00:19:45,120 --> 00:19:46,720 stuff i don't know if i'm succeeding at 579 00:19:46,720 --> 00:19:49,600 this yet maybe you can tell me 580 00:19:49,600 --> 00:19:51,679 and sysadmin friendly i'm a little 581 00:19:51,679 --> 00:19:53,039 more comfortable there i've been an 582 00:19:53,039 --> 00:19:54,559 admin for a while 583 00:19:54,559 --> 00:19:56,799 so i've made sure the admins themselves 584 00:19:56,799 --> 00:19:58,799 don't feel at risk they don't have data 585 00:19:58,799 --> 00:20:00,480 that has value 586 00:20:00,480 --> 00:20:01,840 they don't know who their users are 587 00:20:01,840 --> 00:20:04,799 their users are anonymous so 588 00:20:04,799 --> 00:20:06,880 they're there's limited gain in hacking 589 00:20:06,880 --> 00:20:08,720 a passcrow server there's not much to find 590 00:20:08,720 --> 00:20:10,080 there 591 00:20:10,080 --> 00:20:11,280 um 592 00:20:11,280 --> 00:20:12,960 so this relates to that i already 593 00:20:12,960 --> 00:20:16,159 mentioned the uptime isn't a major thing 594 00:20:16,159 --> 00:20:18,799 and uh you can do things like rate limit 595 00:20:18,799 --> 00:20:20,400 because passcrow isn't something which 596 00:20:20,400 --> 00:20:22,000 you're using constantly 597 00:20:22,000 --> 00:20:23,440 so you can have really
strict rate 598 00:20:23,440 --> 00:20:25,360 limits i can say you know 599 00:20:25,360 --> 00:20:27,679 five requests per minute 600 00:20:27,679 --> 00:20:30,240 and that will suffice to recover 601 00:20:30,240 --> 00:20:32,320 but it will make it very hard for people 602 00:20:32,320 --> 00:20:35,600 to put any load on the server 603 00:20:35,600 --> 00:20:37,840 so that's most of the talk 604 00:20:37,840 --> 00:20:39,440 thanks for listening 605 00:20:39,440 --> 00:20:42,400 and i'm on time 606 00:20:42,400 --> 00:20:44,480 i'm up here because this has reached the 607 00:20:44,480 --> 00:20:46,320 point where i need help this 608 00:20:46,320 --> 00:20:47,360 has 609 00:20:47,360 --> 00:20:48,799 this whole effort has no meaning if 610 00:20:48,799 --> 00:20:50,240 people don't use it 611 00:20:50,240 --> 00:20:51,600 and 612 00:20:51,600 --> 00:20:53,600 if it's only me then you know i'm just 613 00:20:53,600 --> 00:20:56,320 another guy on stage saying hey trust me 614 00:20:56,320 --> 00:20:58,000 instead of that other guy and that's not 615 00:20:58,000 --> 00:21:00,000 how this stuff's supposed to work so 616 00:21:00,000 --> 00:21:01,679 if you're interested in this please find 617 00:21:01,679 --> 00:21:04,000 me after the talk or find me during camp 618 00:21:04,000 --> 00:21:05,679 i'm here for all of camp 619 00:21:05,679 --> 00:21:08,320 and i'm at the quarantine arms village 620 00:21:08,320 --> 00:21:10,640 when i'm not wandering around looking 621 00:21:10,640 --> 00:21:12,320 for fun 622 00:21:12,320 --> 00:21:14,559 so that's my talk thank you for 623 00:21:14,559 --> 00:21:16,200 listening and 624 00:21:16,200 --> 00:21:19,410 [Music] 625 00:21:24,159 --> 00:21:26,480 thank you can you hear me 626 00:21:26,480 --> 00:21:28,960 yes okay thank you bjarni for great talk 627 00:21:28,960 --> 00:21:31,440 um there is time for q a if you want to 628 00:21:31,440 --> 00:21:33,440 ask a question please go to the mic i'm 629 00:21:33,440 -->
00:21:36,720 already seeing somebody running 630 00:21:36,799 --> 00:21:39,120 but mic is yours 631 00:21:39,120 --> 00:21:41,360 oh 632 00:21:41,679 --> 00:21:42,960 you hear me now 633 00:21:42,960 --> 00:21:45,440 a little bit okay um i think you've hit 634 00:21:45,440 --> 00:21:47,440 up an important problem it's good idea 635 00:21:47,440 --> 00:21:49,440 to take power away from the cloud 636 00:21:49,440 --> 00:21:50,880 services of course 637 00:21:50,880 --> 00:21:52,559 um we're doing similar things with 638 00:21:52,559 --> 00:21:54,799 authentication so we can speak up a tiny 639 00:21:54,799 --> 00:21:57,120 bit um we're doing similar things with 640 00:21:57,120 --> 00:21:58,720 authentication definitely want to talk 641 00:21:58,720 --> 00:22:01,360 to you afterwards okay um but the big 642 00:22:01,360 --> 00:22:03,039 question with these things is how 643 00:22:03,039 --> 00:22:06,480 flexible is it as in if your sms number 644 00:22:06,480 --> 00:22:08,480 new phone number changes or your email 645 00:22:08,480 --> 00:22:11,360 address change can you without decoding 646 00:22:11,360 --> 00:22:13,919 and re-encoding your uh documents which 647 00:22:13,919 --> 00:22:17,600 may be many can you change over to to a 648 00:22:17,600 --> 00:22:20,400 new retro system okay so the question 649 00:22:20,400 --> 00:22:22,240 just repeating it for the stream 650 00:22:22,240 --> 00:22:24,240 you're and i hope i get it right you're 651 00:22:24,240 --> 00:22:26,640 asking whether people can easily change 652 00:22:26,640 --> 00:22:29,039 which identities they're using um in the 653 00:22:29,039 --> 00:22:30,640 middle of things so if they lose access 654 00:22:30,640 --> 00:22:32,880 to an email address how easy it is it to 655 00:22:32,880 --> 00:22:34,480 switch to another one 656 00:22:34,480 --> 00:22:35,600 and 657 00:22:35,600 --> 00:22:37,520 the thing is 658 00:22:37,520 --> 00:22:39,440 yes and no like if you're working with 659 00:22:39,440 -->
00:22:41,039 the information on a regular basis if 660 00:22:41,039 --> 00:22:42,880 this is built into an app like an email 661 00:22:42,880 --> 00:22:44,960 client that you're using that email 662 00:22:44,960 --> 00:22:46,799 client can just do that automatically it 663 00:22:46,799 --> 00:22:49,039 just re-registers you don't even have to 664 00:22:49,039 --> 00:22:50,880 know it might do that automatically for 665 00:22:50,880 --> 00:22:51,760 you 666 00:22:51,760 --> 00:22:53,919 if you set up escrow for something like 667 00:22:53,919 --> 00:22:56,240 an offline hard drive 668 00:22:56,240 --> 00:22:58,240 you're going to have to know that you 669 00:22:58,240 --> 00:23:00,159 need to go and do that again 670 00:23:00,159 --> 00:23:01,760 and the way you do it is you just put 671 00:23:01,760 --> 00:23:03,200 stuff in escrow again you throw away the 672 00:23:03,200 --> 00:23:04,320 old keys 673 00:23:04,320 --> 00:23:06,240 ask the servers to forget if you still 674 00:23:06,240 --> 00:23:08,559 have access to the recovery pack and you 675 00:23:08,559 --> 00:23:10,080 just set it up again and it's very cheap 676 00:23:10,080 --> 00:23:12,320 these are tiny requests tiny amounts of 677 00:23:12,320 --> 00:23:15,520 data so doing it again isn't a burden 678 00:23:15,520 --> 00:23:16,559 okay 679 00:23:16,559 --> 00:23:18,960 next question and please talk straight 680 00:23:18,960 --> 00:23:22,200 into the microphone 681 00:23:23,760 --> 00:23:26,240 one moment is the microphone 682 00:23:26,240 --> 00:23:28,640 maybe now hi i was just wondering if you 683 00:23:28,640 --> 00:23:31,679 could elaborate and maybe state more 684 00:23:31,679 --> 00:23:33,200 explicitly your threat model in 685 00:23:33,200 --> 00:23:35,600 particular around when servers are 686 00:23:35,600 --> 00:23:38,080 compromised and if your three or four 687 00:23:38,080 --> 00:23:40,000 verification thing is a little unclear 688 00:23:40,000 --> 00:23:41,279 to me whether this was three 
or four 689 00:23:41,279 --> 00:23:43,039 like emails and phone numbers or three 690 00:23:43,039 --> 00:23:44,720 or four servers that are collaborating 691 00:23:44,720 --> 00:23:46,400 and if you could just elaborate how that 692 00:23:46,400 --> 00:23:48,799 is and intended to work 693 00:23:48,799 --> 00:23:51,679 okay so to repeat back you'd like me to 694 00:23:51,679 --> 00:23:53,120 elaborate a little bit on the threat 695 00:23:53,120 --> 00:23:55,440 model of 696 00:23:55,440 --> 00:23:57,279 how many servers are involved how many 697 00:23:57,279 --> 00:23:59,200 identities are involved whether those 698 00:23:59,200 --> 00:24:00,400 are linked 699 00:24:00,400 --> 00:24:02,000 that kind of thing 700 00:24:02,000 --> 00:24:03,360 and 701 00:24:03,360 --> 00:24:05,440 i'm not actually prescribing anything 702 00:24:05,440 --> 00:24:06,640 about that 703 00:24:06,640 --> 00:24:08,880 the system is quite flexible and it ends 704 00:24:08,880 --> 00:24:10,880 up being up to the application 705 00:24:10,880 --> 00:24:11,919 so 706 00:24:11,919 --> 00:24:12,799 the 707 00:24:12,799 --> 00:24:14,640 developer of the application that ends 708 00:24:14,640 --> 00:24:17,440 up using the passcrow library 709 00:24:17,440 --> 00:24:19,039 i assume that they know way better than 710 00:24:19,039 --> 00:24:20,880 i do what kind of data they're 711 00:24:20,880 --> 00:24:23,600 protecting and how valuable it is 712 00:24:23,600 --> 00:24:25,840 and some of this is out of my control 713 00:24:25,840 --> 00:24:28,640 because until we have more servers it's 714 00:24:28,640 --> 00:24:30,559 all going through the same one 715 00:24:30,559 --> 00:24:32,720 but if we had a hundred servers on 716 00:24:32,720 --> 00:24:34,400 different continents and different legal 717 00:24:34,400 --> 00:24:35,760 jurisdictions 718 00:24:35,760 --> 00:24:37,679 a tool could make intelligent choices 719 00:24:37,679 --> 00:24:39,440 and say okay i would like 720 00:24:39,440 -->
00:24:41,200 i wouldn't i would like law enforcement 721 00:24:41,200 --> 00:24:43,039 to not be able to subpoena all of the 722 00:24:43,039 --> 00:24:44,480 passcrow servers 723 00:24:44,480 --> 00:24:47,200 easily so you could spread things around 724 00:24:47,200 --> 00:24:48,799 the system is completely agnostic to 725 00:24:48,799 --> 00:24:49,679 that 726 00:24:49,679 --> 00:24:50,799 so it really depends on how much 727 00:24:50,799 --> 00:24:53,279 momentum we get what kind of guarantees 728 00:24:53,279 --> 00:24:55,440 we can give people how much security we 729 00:24:55,440 --> 00:24:57,279 can provide 730 00:24:57,279 --> 00:25:01,159 does that answer it 731 00:25:08,320 --> 00:25:10,080 and you can always ask again after us 732 00:25:10,080 --> 00:25:12,880 yes next question i have a 733 00:25:12,880 --> 00:25:16,000 one remark and one question 734 00:25:16,000 --> 00:25:18,799 let me start with the question 735 00:25:18,799 --> 00:25:21,360 if i lose the recovery pack 736 00:25:21,360 --> 00:25:24,000 i can't get my data back correct 737 00:25:24,000 --> 00:25:25,520 yes that's correct if you lose the 738 00:25:25,520 --> 00:25:27,919 recovery pack your data is gone all 739 00:25:27,919 --> 00:25:30,640 right well you can't recover your data 740 00:25:30,640 --> 00:25:32,320 hopefully you still have access to it to 741 00:25:32,320 --> 00:25:34,480 other means yeah so but if i use this 742 00:25:34,480 --> 00:25:35,919 for example to 743 00:25:35,919 --> 00:25:37,919 do a backup of my hard drive encryption 744 00:25:37,919 --> 00:25:39,440 secret and 745 00:25:39,440 --> 00:25:41,200 the recovery pack is on my fully 746 00:25:41,200 --> 00:25:42,960 encrypted hard drive but it's kind of 747 00:25:42,960 --> 00:25:45,679 useless yeah of course you need the 748 00:25:45,679 --> 00:25:48,320 recovery pack needs to be stored 749 00:25:48,320 --> 00:25:50,000 clear text 750 00:25:50,000 --> 00:25:52,240 and ideally on the same physical medium 751
00:25:54,000 as the encrypted data 752 00:25:54,000 --> 00:25:55,600 so that they have shared fate so that 753 00:25:55,600 --> 00:25:57,039 you know if if that male drive is 754 00:25:57,039 --> 00:25:59,200 malfunctioned it doesn't matter whether 755 00:25:59,200 --> 00:26:01,120 you can decrypt it or not 756 00:26:01,120 --> 00:26:02,400 but if you put those things in two 757 00:26:02,400 --> 00:26:03,840 different places if you put the recovery 758 00:26:03,840 --> 00:26:05,600 pack over here and you put the data over 759 00:26:05,600 --> 00:26:07,039 here 760 00:26:07,039 --> 00:26:08,720 these things can start 761 00:26:08,720 --> 00:26:10,720 behaving in ways that don't match and 762 00:26:10,720 --> 00:26:13,840 and that's a lot harder to reason about 763 00:26:13,840 --> 00:26:15,360 my remark was 764 00:26:15,360 --> 00:26:18,320 you were using shamir secret sharing 765 00:26:18,320 --> 00:26:21,039 which for me almost never makes sense 766 00:26:21,039 --> 00:26:23,200 the whole idea of shamir secret sharing 767 00:26:23,200 --> 00:26:26,320 is to scale k out of n recovery to avoid 768 00:26:26,320 --> 00:26:29,360 the k over n complexity 769 00:26:29,360 --> 00:26:32,000 now how many authentication methods are 770 00:26:32,000 --> 00:26:34,080 you going to have 100 771 00:26:34,080 --> 00:26:36,559 do a 50 over 100 772 00:26:36,559 --> 00:26:38,080 where do you get the scalability problem 773 00:26:38,080 --> 00:26:40,080 that requires using of shamir 774 00:26:40,080 --> 00:26:42,240 secret sharing you know if i have five 775 00:26:42,240 --> 00:26:44,000 different authentication methods and i 776 00:26:44,000 --> 00:26:46,080 say four out of five 777 00:26:46,080 --> 00:26:47,840 you know i can 778 00:26:47,840 --> 00:26:49,679 i don't need shamir secret sharing to 779 00:26:49,679 --> 00:26:51,679 do that and if you do shamir 780 00:26:51,679 --> 00:26:53,600 secret sharing you limit me to k out of 781 00:26:53,600
--> 00:26:54,480 n 782 00:26:54,480 --> 00:26:56,080 and i can't use other kinds of 783 00:26:56,080 --> 00:26:57,600 combinations 784 00:26:57,600 --> 00:26:59,760 like saying you know two methods for him 785 00:26:59,760 --> 00:27:01,919 and two methods for him or three methods 786 00:27:01,919 --> 00:27:03,840 for this guy i think we're getting into 787 00:27:03,840 --> 00:27:06,080 the weeds a tiny bit 788 00:27:06,080 --> 00:27:08,320 the thing is it does what i need and 789 00:27:08,320 --> 00:27:10,000 it's very likely the algorithm can do 790 00:27:10,000 --> 00:27:11,919 other things as well 791 00:27:11,919 --> 00:27:13,760 and when i started doing this i did not 792 00:27:13,760 --> 00:27:15,919 use shamir secret sharing 793 00:27:15,919 --> 00:27:18,159 i had my own little ad hoc thing where i 794 00:27:18,159 --> 00:27:20,159 was doing xors of things against each 795 00:27:20,159 --> 00:27:21,279 other and 796 00:27:21,279 --> 00:27:23,360 it just became unwieldy 797 00:27:23,360 --> 00:27:25,360 shamir does exactly what i want i can 798 00:27:25,360 --> 00:27:26,159 say 799 00:27:26,159 --> 00:27:28,720 i have four email addresses 800 00:27:28,720 --> 00:27:30,799 any three of them suffice 801 00:27:30,799 --> 00:27:33,200 and i can ask shamir to generate the 802 00:27:33,200 --> 00:27:35,840 fragments that i need 803 00:27:35,840 --> 00:27:37,200 and you know whether that is secure or 804 00:27:37,200 --> 00:27:38,799 not that depends entirely on how many 805 00:27:38,799 --> 00:27:40,320 identities the user is willing to go 806 00:27:40,320 --> 00:27:41,200 through 807 00:27:41,200 --> 00:27:43,440 and that becomes a usability issue and 808 00:27:43,440 --> 00:27:46,000 it becomes a matter of threat modeling 809 00:27:46,000 --> 00:27:47,600 for some users it doesn't make sense to 810 00:27:47,600 --> 00:27:50,158 do this at all 811 00:27:50,240 --> 00:27:51,200 okay 812 00:27:51,200 --> 00:27:53,919 i see somebody else um i would say this 813
00:27:55,919 is the last one 814 00:27:55,919 --> 00:27:57,200 so um 815 00:27:57,200 --> 00:27:59,840 well two comments uh so one phillip 816 00:27:59,840 --> 00:28:02,399 rogaway has a nice and some nice paper 817 00:28:02,399 --> 00:28:04,640 phil rogaway is a very famous uh symmetric 818 00:28:04,640 --> 00:28:07,360 cryptographer he's a very uh he has some 819 00:28:07,360 --> 00:28:09,679 very nice papers uh are 820 00:28:09,679 --> 00:28:11,039 and i can't remember the names of the 821 00:28:11,039 --> 00:28:12,880 thing or anything at the moment maybe i 822 00:28:12,880 --> 00:28:14,399 can help you find it later if you need 823 00:28:14,399 --> 00:28:15,440 on 824 00:28:15,440 --> 00:28:16,480 doing 825 00:28:16,480 --> 00:28:19,039 he what he wanted is he wanted a 826 00:28:19,039 --> 00:28:20,320 packet form 827 00:28:20,320 --> 00:28:22,080 basically a format for 828 00:28:22,080 --> 00:28:24,559 sharing data with journalists which was 829 00:28:24,559 --> 00:28:26,240 also doing this kind of like 830 00:28:26,240 --> 00:28:28,000 splitting the thing out and whatever 831 00:28:28,000 --> 00:28:30,399 anyway um so it's using shamir secret 832 00:28:30,399 --> 00:28:33,039 sharing and it's it it achieves he 833 00:28:33,039 --> 00:28:34,799 basically sort of outlined about in a 834 00:28:34,799 --> 00:28:36,799 very rigorous way a bunch of the goals 835 00:28:36,799 --> 00:28:39,039 and non-goals and whatever so it 836 00:28:39,039 --> 00:28:41,039 probably people working in this should 837 00:28:41,039 --> 00:28:43,039 at least look at what he did and try and 838 00:28:43,039 --> 00:28:44,960 understand it um 839 00:28:44,960 --> 00:28:47,279 the but i haven't done that so i can't 840 00:28:47,279 --> 00:28:50,720 give you uh uh concrete comments um 841 00:28:50,720 --> 00:28:52,320 the other one is that there's a very 842 00:28:52,320 --> 00:28:54,960 when you are using shamir there's a very 843 00:28:54,960 --> 00:28:56,720 nice thing
that you can do which is you 844 00:28:56,720 --> 00:28:59,200 can construct new shares 845 00:28:59,200 --> 00:29:02,320 um to give out to new service you know 846 00:29:02,320 --> 00:29:04,080 services that are like holding the thing 847 00:29:04,080 --> 00:29:06,159 the recovery services or whatever so you 848 00:29:06,159 --> 00:29:08,240 can do that all asynchronous 849 00:29:08,240 --> 00:29:10,080 thank you i'd be interested if you could 850 00:29:10,080 --> 00:29:11,679 find me later and tell me all of that 851 00:29:11,679 --> 00:29:13,279 again 852 00:29:13,279 --> 00:29:14,880 so i'm sorry for that we have to cut it 853 00:29:14,880 --> 00:29:16,880 short at some point i think this was a 854 00:29:16,880 --> 00:29:18,480 great session so 855 00:29:18,480 --> 00:29:21,300 can i have a warm applause for a speaker 856 00:29:21,300 --> 00:29:22,960 [Music] 857 00:29:22,960 --> 00:29:24,240 thank you 858 00:29:24,240 --> 00:29:26,559 and he will be available for talking 859 00:29:26,559 --> 00:29:29,600 afterwards so please 860 00:29:30,159 --> 00:29:32,080 i just lost out please go and find him 861 00:29:32,080 --> 00:29:34,080 and talk to him about any more topics 862 00:29:34,080 --> 00:29:35,440 you want to discuss 863 00:29:35,440 --> 00:29:36,640 thank you and see you in the next 864 00:29:36,640 --> 00:29:39,640 session 865 00:29:44,960 --> 00:29:47,039 you