Simple Encryption Suite built for Web3 using ECDSA keypairs for Identity, Key Generation, and Key distribution.
Introduction - Getting Started - Support & Contact - License
A lot of effort has been put into building Web3's decentralized infrastructure. Connecting to Ethereum and other services such as decentralized storage or applications relies on decades-old protocols such as TLS, which in turn require heavily centralized services like Certificate Authorities. This existing centralized web security puts web3 at risk.
These protocols are limited by their dependence on location-based addressing (IP). As the web evolved, centralized services and infrastructure emerged to compensate for the limitations of IP addressing. Most of these services exist to associate and verify identity with location. In addition to Certificate Authorities, these now range from multi-factor authentication schemes (e-mail, SMS), to cookies (validated devices). Each additional service adds attack surface and vulnerability, which is amplified by centralization.
Web3 Encryption Suite (W3ES) uses cryptographic addressing (ECDSA key pairs, such as ETH wallets) as the root digital identity for encryption protocols. This allows Web3 services and applications to circumvent vulnerabilities introduced by IP addressing while still using established cryptographic libraries and protocols.
- Digital Identity Verification using Smart Contracts, and Web3 services such as ENS
- Secure key generation, using verified WASM/eWASM, or remotely in networked Trusted Execution Environment (e.g. Intel SGX)
- Decentralized Key Distribution, via public blockchain networks
- Support for Ethereum and SKALE (more coming soon)
- Integrations with decentralized storage networks (IPFS, Arweave, SIA, Archon, Storj)
Currently, the suite consists of three unique encryption services:
- Single-party Encryption
- Multi-party Encryption
- Proxy Re-encryption
The encryption code is originally written in GoLang, and makes use of Go-Ethereum's crypto libraries. It is compiled to WASM for execution in browser, as well as compiled for IntelSGX.
With single-party encryption, only one address can verify and retrieve data. This is useful for privately storing data on public networks. As this is single party, compiled and verified code is executed in WebAssembly:
Encryption:
- Read plaintext data / file into memory buffer
- Generate random AES key
- Encrypt plaintext using AES key
- Sign ciphertext (ECDSA)
- Create "Companion" struct, including Signer's Public Key, Ciphertext Signature, Ciphertext Hash, AES Key
- Encrypt "Companion" struct using Public Key (ECIES)
- Store encrypted data and companion on public network
Decryption:
- Retrieve encrypted file and "Companion"
- Decrypt "Companion" using Crypto Identity (ECIES)
- Verify Signature + Data
- Recover AES Key
- Decrypt file
- Local use of decrypted file
Multiparty Encryption enables multiple parties to securely exchange information without any dependence on centralized or trusted infrastructure.
This is useful for securely connecting to both Web2 and Web3 sites using a modified OpenSSL library, End-to-End Encrypted Messaging over LibP2P, Shared access to files stored on decentralized storage networks, etc.
This happens in three key phases:
- Identity Verification through Request and Confirmation
- Key Generation and Distribution
- Encryption and Decryption
Identity Verification through Request and Confirmation
- Alice forms Request to connect using Bob's Address
- Bob verifies request, and forms Confirmation
Key Generation and Distribution
Within Trusted Execution Environment:
- Receives Request + Confirmation Messages
- Verifies both messages for authenticity
- Generates random AES-128 Key
- Encrypts AES-128 Key with Alice's Public Key (ECIES)
- Encrypts AES-128 Key with Bob's Public Key (ECIES)
- Publishes encrypted keys on-chain
Symmetric Encryption & Decryption
Encryption
- Retrieves Encrypted AES Key from public network or storage
- Decrypts AES Key using Private Key A (ECIES)
- Encrypts file with AES Key
- Publishes file
Decryption
- Retrieves Encrypted AES Key from public network or storage
- Decrypts AES Key using Private Key B (ECIES)
- Decrypts file with AES Key
- Prints to terminal + local plaintext file
This encryption suite is still in development
Securely distribute content and manage access using networked Trusted Execution Environments
Modified Handshake
- Submit Request with Pubkey, Signature, Hash of CID
- PRE Service (SGX) verifies signature, request
- PRE Service (SGX) generates new keystore
- PRE Service (SGX) Confirms with SGX Pubkey, Sig, Hash
- Publishes file
Proxy Re-encryption Request
- Submit request with CID, destination address, AES Key
- Encrypt PRE Request with SGX Pubkey
Decentralized Proxy Re-Encryption
- PRES receives proxy request
- PRES decrypts proxy request (ECIES)
- PRES retrieves file from CID
- PRES decrypts file using provided AES key
- PRES generates new AES key
- PRES encrypts plaintext file with new AES key
- PRES creates Companion file for target address(es) (ECDSA)
- PRES encrypts Companion file using target Pubkey (ECIES)
- PRES publishes newly encrypted file + Companion
- Encryption suite, compiled in WASM for testing, Single- and Multi-party
- Decentralized Authority 1.0 Smart Contracts deployed on Ropsten + SKL Testnet
- GETH compatible wallets via keystore files and local wallets
- APIs with IPFS, SKALE, Arweave, ETH Ropsten
- Basic Public Docs + Demos
- Ethers.JS/Web3.JS Wallet APIs
- Networked SGX Testing for Multi-party Trustless Keygen + PRES
- Decentralized Authority Contracts v2.0
- Additional APIs: OpenSSL, ENS, Opera/Brave, LibP2P
git clone git@github.com:Guer-co/Web3-Encryption-Suite.git
cd Web3-Encryption-Suite
npm i --force && npm start
Manage your decentralized data app example
Gitcoin Grants: https://gitcoin.co/grants/1261/guer-empowering-data-custody-for-web3-through-sec
Substack: guer.substack.com
Website: guer.co
ETH/ERC20: 0x13541d356bCC7156e234fF15091BA9B8f1D9B2dd
This software is under development and should be used at your own risk. As it is largely experimental, do not use it for any sensitive or otherwise important data
For now, all rights reserved by Guer Labs, LLC 2021. Upon review and audit, the codebase will be released as Free-and-open-source, with responsible limits to permissible modifications for compatibility and security.
Any questions, please contact us directly via our website.