Presentation of End-to-End Encryption with NextCloud
in Nextcloud
Contents
● Intro Nextcloud
● What is E2EE
● E2EE requirements
● E2EE technical design
  – Initialization
  – File handling
  – Sharing
● Edge cases & limitations
Nextcloud GmbH 2
What is Nextcloud?
● Nextcloud Files: private, self-hosted cloud keeping your data secure
● Nextcloud Talk: self-hosted secure video/text chat
● Nextcloud Groupware: Easy mail/calendar/contact
Features
What is End-to-end Encryption
Fully protects data/communication from user-to-user so no interception in between can capture data, including servers the data passes through.
● Signal, WhatsApp, ...
● PGP/GPG for mail
End-to-end encryption in Nextcloud
Core goals of our design
● Protect data 100% from the server
  – Keep data safe in case of fully compromised server or malicious administrator
● Be super easy for the end user
  – Complexity is enemy of security. Assumption: user makes mistakes, administrator is competent.
Requirements of E2EE in Nextcloud
● Allow secure sharing and
  – Guarantee confidentiality
    ● Only authorized users can have access
  – Guarantee integrity
    ● Files can not be tampered with undetected
  – Guarantee authenticity
    ● Ownership is always clear
● Offer optional data recovery
  – With off-line admin key. Users get warned when this is enabled.
● Multi-device support
  – Friction-less access for all user devices
● Easy key exchange
  – Sharing should be seamless, secure and not require passwords
● Versioning of protocol
● Use tested, widely used libraries
Accepted feature loss
● Only top-folder-level sharing
  – No sharing of individual files or folders in an encrypted folder
● No group sharing
● No public link sharing
● No web access to data
  – No collaborative editing
● No server capabilities like versioning, trash, comments, favorites, server-side search.

Some of these can, in time, be mitigated. Others are inherent to secure End-to-end Encryption where the server has no knowledge of the data.
Example: web interface access requires code from server → which can’t be trusted. Would fundamentally break the security model.
Next slides: explain design
● Initialization
  – Create keys, add devices
● File handling
  – Create folder, files, download files etc
● Secure sharing
  – Sharing, unsharing
Creating a secure identity
● Keys:
  – Generating
  – Signing
  – Encrypting
  – Syncing
● Adding new device
Initialization – step 1
Initialization – step 2
Initialization – step 3
File handling
● Create E2EE folder
● Upload to server
● Add files
● Download on other device
File Handling – Create folder
File Handling – Add file
File Handling – Upload to server
File Handling – Add 2nd device
Sharing and unsharing
● Sharing
● Unsharing
Sharing
Unsharing
Edge case: complete key loss
Options available in case the user lost the key.
Recall: design assumes user is weakest link. So:
  – User does not choose a password but is given one
  – User is asked to store password but assumption is user won’t

● Any user device can recover mnemonic to decrypt key
  – Lost phone? Add new phone, using laptop to show key
● Optional recovery key
  – When recovery key is enabled, private/public key pair is generated. Users will encrypt all data against public key. Private key protected with mnemonic, shown once to server admin for secure, off-line storage.
  – All devices lost? Admin can use recovery key to recover user data. NOT USER KEY or IDENTITY, they are lost.
  – Enterprise use case: employees which have left the company.
● If CSR/HSM: new user key and identity can be created.
  – A hardware security module can securely generate a new user identity.
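
The optional recovery key from this slide, as an added sketch that is not part of the original slides or of Nextcloud's code: every file key is wrapped for both the user's key and the recovery public key, and the recovery private key is usable only with its mnemonic. RSA-2048 OAEP, AES-256-GCM and all function names are assumptions; the slides do not name the algorithms.

```javascript
// Added illustration, not Nextcloud code. Algorithms (RSA-2048 OAEP,
// AES-256-GCM) and all names are assumptions; the slides do not specify them.
const crypto = require("crypto");

// Key pair whose private half exists only in mnemonic-encrypted form.
function makeKeyPair(mnemonic) {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem",
                          cipher: "aes-256-cbc", passphrase: mnemonic },
  });
}

// Client side: encrypt with a fresh random key, then wrap that key once per
// recipient public key (the user's own key and the recovery key).
function encryptFile(plaintext, recipientPublicKeys) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", fileKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrapped = {};
  for (const [name, pem] of Object.entries(recipientPublicKeys)) {
    wrapped[name] = crypto.publicEncrypt(
      { key: pem, oaepHash: "sha256",
        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, fileKey);
  }
  // The server stores only this blob: ciphertext plus wrapped keys.
  return { iv, data, tag: cipher.getAuthTag(), wrapped };
}

// Recovery (or any recipient): the mnemonic unlocks the private key, which
// unwraps the file key; GCM rejects ciphertext that was modified in storage.
function decryptFile(blob, name, encryptedPrivatePem, mnemonic) {
  const fileKey = crypto.privateDecrypt(
    { key: encryptedPrivatePem, passphrase: mnemonic, oaepHash: "sha256",
      padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, blob.wrapped[name]);
  const decipher = crypto.createDecipheriv("aes-256-gcm", fileKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.data), decipher.final()]);
}
```

Recovery yields the file contents only; the user's own private key never appears in the blob, which matches the slide's point that the user key and identity are lost when all devices are lost.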
More information
● nextcloud.com/endtoend
  – Contains link to detailed design whitepaper
● github.com/nextcloud
  – /ios
  – /android
  – /client
  – end_to_end_encryption
  – end_to_end_encryption_rfc
A safe home for all your data
Nextcloud GmbH
Kronenstr. 22A
70173 Stuttgart
Germany
+49.711.896656-0
hello@nextcloud.com
nextcloud.com