
End-to-end Encryption design in Nextcloud

Contents

Intro Nextcloud

What is E2EE

E2EE requirements

E2EE technical design
– Initialization
– File handling
– Sharing

Edge cases & limitations

Nextcloud GmbH 2
What is Nextcloud?

Nextcloud Files
private, self-hosted cloud
keeping your data secure

Nextcloud Talk
self-hosted secure
video/text chat

Nextcloud Groupware
Easy mail/calendar/contact

Features

Open Source

Easy to use web UI

Video/text chat

Collaborative editing

Control access rights

Auditing, workflow

External storage

LDAP/SAML/2FA

Developer APIs

Mobile/desktop clients

What is End-to-end Encryption
Fully protects data/communication from user to user, so no interception in between can capture data, including servers the data passes through.

Signal, WhatsApp, ...

PGP/GPG for mail

End-to-end encryption in Nextcloud
Core goals of our design

Protect data 100% from the server
– Keep data safe in case of a fully compromised server or malicious administrator

Be super easy for the end user
– Complexity is the enemy of security. Assumption: user makes mistakes, administrator is competent.

Requirements of E2EE in Nextcloud

Allow secure sharing and
– Guarantee confidentiality: only authorized users can have access
– Guarantee integrity: files can not be tampered with undetected
– Guarantee authenticity: ownership is always clear

Versioning of protocol
– Improvements can be made

Full activity logging possible for auditing

Offer optional data recovery
– With off-line admin key. Users get warned when this is enabled.

Multi-device support
– Friction-less access for all user devices

Easy key exchange
– Sharing should be seamless, secure and not require passwords

Use tested, widely used libraries
– Available on recent versions of iOS, Android, Mac, Windows, Linux, PHP7

Accepted feature loss

Only top-folder-level sharing
– No sharing of individual files or folders in an encrypted folder

No group sharing

No public link sharing

No web access to data
– No collaborative editing

No server capabilities like versioning, trash, comments, favorites, server-side search.

Some of these can, in time, be mitigated. Others are inherent to secure End-to-end Encryption where the server has no knowledge of the data. Example: web interface access requires code from the server, which can’t be trusted. That would fundamentally break the security model.

Next slides: explain design

Initialization
– Create keys, add devices

File handling
– Create folder, add files, download files, etc.

Secure sharing
– Sharing, unsharing

Creating a secure identity

Keys:
– Generating
– Signing
– Encrypting
– Syncing

Adding new device

Initialization – step 1

Initialization – step 2

Initialization – step 3
File handling

Create E2EE folder

Upload to server

Add files

Download on other device

File Handling – Create folder

File Handling – Add file

File Handling – Upload to server

File Handling – Add 2nd device
Sharing and unsharing

Sharing

Unsharing

Sharing

Unsharing
Edge case: complete key loss
Options available in case the user lost the key. Recall: the design assumes the user is the weakest link. So: the user does not choose a password but is given one. The user is asked to store the password, but the assumption is the user won’t.

Any user device can recover the mnemonic to decrypt the key
– Lost phone? Add new phone, using laptop to show key

Optional recovery key
– When the recovery key is enabled, a private/public key pair is generated. Users will encrypt all data against the public key. The private key is protected with a mnemonic, shown once to the server admin for secure, off-line storage.
– All devices lost? Admin can use the recovery key to recover user data. NOT USER KEY or IDENTITY, they are lost.
– Enterprise use case: employees who have left the company.

If CSR/HSM: new user key and identity can be created.
– A hardware security module can securely generate a new user identity.
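The recovery path from this slide as an added Go example, not code from Nextcloud's clients: a per-file key is wrapped to the recovery public key, the recovery private key is sealed under the admin's mnemonic, and the file is recovered with no user key at all. Function names, AES-256-GCM for the file data, RSA-OAEP for key wrapping and a plain SHA-256 of the mnemonic in place of the deck's unspecified key-derivation step are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// aesSeal encrypts pt with AES-256-GCM under a fresh nonce: nonce||ciphertext||tag.
func aesSeal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes in this example
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, nil)
}

// aesOpen reverses aesSeal; a wrong key or a modified blob fails the GCM tag check.
func aesOpen(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// RecoveryDemo walks the slide's recovery path and returns the plaintext recovered
// through the admin's recovery key alone. Assumption: SHA-256(mnemonic) stands in for
// the deck's unspecified key-derivation step (a real client would stretch it).
func RecoveryDemo(file []byte, mnemonic string) ([]byte, error) {
	recKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	mk := sha256.Sum256([]byte(mnemonic))
	sealedPriv := aesSeal(mk[:], x509.MarshalPKCS1PrivateKey(recKey)) // admin's off-line copy
	fileKey := make([]byte, 32) // client side: random key per file
	rand.Read(fileKey)
	ct := aesSeal(fileKey, file)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &recKey.PublicKey, fileKey, nil)
	der, err := aesOpen(mk[:], sealedPriv) // recovery starts here: mnemonic unseals the key
	if err != nil {
		return nil, err
	}
	priv, _ := x509.ParsePKCS1PrivateKey(der)
	unwrapped, _ := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	return aesOpen(unwrapped, ct) // user data comes back; the user's identity key does not
}
```

Note that the example only ever holds the recovery key pair; nothing about the user's own key is recoverable this way, matching the slide's warning.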

More information

nextcloud.com/endtoend
– Contains link to detailed design whitepaper

github.com/nextcloud
– /ios
– /android
– /client
– /end_to_end_encryption
– /end_to_end_encryption_rfc

A safe home for all your data

Nextcloud GmbH
Kronenstr. 22A
70173 Stuttgart
Germany

+49.711.896656-0
hello@nextcloud.com
nextcloud.com