backbone-python VS krypton

It's only impractical if you actually require end users to understand and apply all of these technologies. It's a lot more tractable if they're abstracted away.

The fact is that developers very (very) rarely have to interface directly with TLS or the Signal protocol, yet billions of non-technical users implicitly use them in our browsers and via Signal or WhatsApp.

In my view, the challenge in the adoption of secure/private-by-design tech is the simplicity and usability of the interfaces and the capabilities these tools provide.

We need secure tools to compete on capability in order to garner mass usage. Without (significant) feature superiority there's little reason for users to make the switch. I'm actively trying to solve some of these problems at Backbone [0]; aiming to build a usable, secure experience for end users and a simple, robust end-to-end-encryption interface for developers.

[0] https://backbone.dev/

> Data in our cloud is end to end encrypted so your credentials are never exposed to anyone but you.

A few comments:

1. You might want to avoid calling this zero-knowledge. While your docs suggest some use of E2EE, there seems to be a significant amount of metadata that remains both unencrypted and unauthenticated.

2. Having read your white paper, it appears your E2EE setup is vulnerable to various forms of forgery. In a simple case, an attacker that has compromised your infrastructure can easily substitute the credentials of arbitrary users in a way that is NOT tamper-evident.

3. There seems to be no post-compromise security. If your user private key is compromised (e.g. extracted from the extension's local storage), there seems to be no way to reset it.

4. The recovery flow is questionable. Do you really want to store critical cryptographic material in plaintext and in a third-party cloud?

When rolling out E2EE from scratch, it's very easy to give rise to issues like #2. At Backbone[1], we've built a framework for building end-to-end encrypted applications with building blocks designed to preserve confidentiality, integrity and nonrepudiatiability under a strict threat model.

Feel free to reach out if you might like to discuss how we're solving issues the above.

[1] https://backbone.dev/

Backbone is designed to reduce the need to trust third parties — it operates under a strict threat model, providing confidentiality, integrity and nonrepudiatiability even under the assumption that Backbone itself is pwned. We’re dedicated to operating transparently, leading us to build our open-source client on top of libsodium.

Hello, all!

Encryption and user authentication are crucial to cybersecurity.

Encryption can be implemented at various levels. I believe that handling encryption at the application level is the most secure since it decreases the attack surface. For example, the SQL server doesn’t get to see the plaintext.

Krptn is a piece of software I’m currently building which could be used as a user authentication service, which also handles encryption (at the application level) of the user’s associated data (e.g.: the users’ phone number).

(Krptn only has a Python API right now.)

It would run in the same server instance as your Python code, so no need to host anything new (decreased complexity) - just install the Python module and call the APIs.

For additional security, I designed the system to derive the encryption keys from the users’ credentials. This prevents an attacker who gains access to the database from being able to decrypt all the data since the encryption keys aren’t stored anywhere. Additionally, each user gets an asymmetric keypair. This enables users to share specific pieces of information with each other.

I know that, for many projects, this level of encryption is not required to secure their system and hence not everyone would benefit from using this. But I hope that for the people who do wish to have such security, this project will help.

It would be much appreciated if you would try this out. Please let me know what you think of this! Also please provide some feedback if you have any!

Here is an example Django integration: https://github.com/krptn/djangoExample

Here is an example Flask integration: https://github.com/krptn/flaskExample

GitHub repo: https://github.com/krptn/krypton

My friend and I have been working on Krptn, which handles encryption of data for web apps, and would love some feedback!

Link to source code: krptn/krypton: Zero Knowledge Security for Python (github.com)