INTRODUCTION

#whoami

Yashin Mehaboobe

Independent Security Researcher, Student

Speaker Nullcon, c0c0n, Toorcon and HITB

CURRENT SITUATION

Systems such as Dropbox or Box do not allow secure transfer of files

Easy and secure transfer of files needs technical knowledge

The layman does not understand concepts such as PGP and asymmetric encryption

WHAT IS ARCANUM?
An asymmetric encryption based file storage service.

Intended to allow the sharing of files between clients securely.

The client handles encryption as well as decryption.

The server merely handles file storage and user management.

This ensures that even if the server is compromised, the user data is not.

The server extends a REST based API to clients.

MODULES

Client side

Handles encryption, decryption and key generation

Server side

Handles file storage and user management

CLIENT SIDE - OVERVIEW


Completely handles encryption, decryption as well as user credential storage.

Communicates with the server over HTTP

The private key is stored locally while public key is sent to the server.

Connection is SSL secured

Authentication is HTTP Basic Authentication

CLIENT SIDE - REGISTRATION


During registration an RSA 2048 bit public/private keypair is generated

The public key is sent to the server while the private key is stored locally

The username, password and email are also sent to the server.

APIs used:

/create/ for registration

CLIENT SIDE - SENDING


Sending file:

Get the public key of the user to send to
Generate AES Key
Encrypt file with the generated AES Key
Encrypt AES Key with RSA Public Key
Prepend the encrypted AES key to the encrypted file
Send file to server

APIs used:

GET /send/username to get the public key
POST /send/username to send the file

CLIENT SIDE - RECEIVING


Receiving file:

Fetch file from server
Decrypt AES key using RSA private key (locally stored)
Decrypt rest of the file using AES key.

APIs used:

GET /receive/all to get list of files
GET /receive/number to fetch a particular file
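
The sending and receiving steps above as an added example. This is not Arcanum's code (which uses Keyczar on Python 2.7): it assumes Python 3 and the `cryptography` package, and the names `seal` and `open_sealed`, the AES-256-CTR with HMAC-SHA256 construction and the byte layout are this example's own choices.

```python
# Added example, not Arcanum's code: `cryptography` stands in for Keyczar.
import hashlib
import hmac
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
WRAPPED_LEN, NONCE_LEN, TAG_LEN = 256, 16, 32  # RSA-2048 block, CTR nonce, MAC


def seal(recipient_public_key, plaintext):
    """Sender: returns wrapped_keys || nonce || ciphertext || tag."""
    aes_key, mac_key = os.urandom(32), os.urandom(32)  # fresh for every file
    nonce = os.urandom(NONCE_LEN)
    enc = Cipher(algorithms.AES(aes_key), modes.CTR(nonce)).encryptor()
    body = nonce + enc.update(plaintext) + enc.finalize()
    wrapped = recipient_public_key.encrypt(aes_key + mac_key, OAEP)
    # The MAC covers the wrapped keys too, binding them to this ciphertext.
    tag = hmac.new(mac_key, wrapped + body, hashlib.sha256).digest()
    return wrapped + body + tag


def open_sealed(private_key, blob):
    """Receiver: unwrap the keys, verify the HMAC, only then decrypt."""
    if len(blob) < WRAPPED_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    wrapped, body, tag = blob[:WRAPPED_LEN], blob[WRAPPED_LEN:-TAG_LEN], blob[-TAG_LEN:]
    keys = private_key.decrypt(wrapped, OAEP)  # ValueError if the wrap is bad
    aes_key, mac_key = keys[:32], keys[32:]
    expected = hmac.new(mac_key, wrapped + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    dec = Cipher(algorithms.AES(aes_key), modes.CTR(nonce)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def demo():
    # Constructed sample: key pair generated in-process, as at registration.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    blob = seal(private_key.public_key(), b"constructed sample file contents")
    tampered = blob[:-40] + bytes([blob[-40] ^ 1]) + blob[-39:]  # flip one bit
    try:
        open_sealed(private_key, tampered)
    except ValueError as exc:
        return open_sealed(private_key, blob), str(exc)
    return open_sealed(private_key, blob), None
```

Anyone holding the recipient's public key can produce a valid blob in this format, so it gives confidentiality and tamper detection but no proof of who sent the file.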

SERVER SIDE
Uses a bucket file storage system

Database used is sqlite3

Passwords are stored as MD5 hashes

Exposes a REST API so the clients can be easily created.

Created using flask, sqlalchemy and restful.

ENCRYPTION

Handled by Keyczar

AES-256 for symmetric encryption

RSA 2048 for asymmetric

HMAC for data integrity

SSL for security in transit

LOGIN

REGISTRATION

SEND TAB

RECEIVE TAB

TODO

Web interface (partially done)

Change to digest authentication

Encrypt local keys

REQUIREMENTS
Python 2.7

Server: flask, flask-httpauth, ofs, pairtree

Client: requests, keyczar, pyqt

Minimum requirements:
512 MB RAM
Dual core processor
At least 1 GB storage.

WRAPPING UP

Code is available at:


https://github.com/sp3ctr3/arcanum-server
https://github.com/sp3ctr3/arcanum-client

Completely functional

Multiplatform

Further clients are being developed

THANK YOU
11-13 , 2014
Korea University, Seoul, Korea
