Incorporation of WebAuthn
WebAuthn is a web standard published by the World Wide Web Consortium (W3C) for strong user authentication. It's typically used to replace or supplement password-based authentication with public key cryptography, providing a way for users to prove their identity to a service without transmitting a shared secret over the network.
However, in our system, we use WebAuthn for a different purpose: secure key storage and encryption. Specifically, we use the public-private key pair associated with a WebAuthn credential as the basis for an encryption scheme, with the private key securely stored on the user's device and the public key stored on the Authentication field of the User’s DID Document.
In the context of Sonr, the data that WebAuthn encrypts is the associated Multi-Party Computation (MPC) shard for the device. The MPC shard, a piece of data crucial for the operation of our system, must be kept private and secure. By using WebAuthn for encryption, we can ensure that the MPC shard is only accessible to the legitimate owner of the device. When linking a new device, we regenerate the pool of MPC shares and add an additional share to be mapped for the new Device credential.
ECIES Asymmetric Encryption
ECIES (Elliptic Curve Integrated Encryption Scheme) is a cryptographic protocol that uses elliptic curve cryptography to secure data transmission. It allows a sender to encrypt a message using the recipient's public key in a way that ensures only the recipient, who possesses the corresponding private key, can decrypt and access the message, thereby providing confidentiality in message exchange.
To achieve encryption, we employ an Elliptic Curve Integrated Encryption Scheme (ECIES). In this process, we first convert the public key from the WebAuthn credential from webauthncose.EC2PublicKeyData format to ecdsa.PublicKey format.
Following this, we generate an ephemeral key pair and derive a shared secret from the ephemeral private key and the public key. Using the derived shared secret, we then derive encryption and MAC (Message Authentication Code) keys.
The MPC shard is then encrypted with AES-256-GCM using the derived encryption key and a randomly generated IV (Initialization Vector). A MAC tag is also computed to ensure the integrity of the ciphertext.
The final output of this process is a single byte slice that concatenates the encoded ephemeral public key, the IV, the ciphertext, and the MAC tag. This byte slice is then stored securely on the IPFS Network.
NACL Secret Box
In the context of Sonr, the sender encrypts the message using the recipient's public key and their own private key. The encrypted message can then be safely sent across the network, secure in the knowledge that only the recipient, with their corresponding private key, can decrypt it.
The NaCl secret box is used for encrypting and decrypting messages. The 'secret box' construct in NaCl provides authenticated encryption. This means that data is not only kept confidential, but also that any tampering with the data can be detected.
Sonr File System (SFS)
The SFS is a distributed file system that provides a high-throughput, content-addressed block storage model, with content-addressed hyperlinks. This forms the basis for a decentralized version of a traditional hierarchical file system.
A KDF, such as PBKDF2 or HKDF, takes an input (or 'password') and produces a derived key. By inputting different parameters for each use case, we can produce distinct keys for each application. This ensures that a compromise in one area, such as a user's inbox messages, would not lead to a compromise in another, such as their MPC shards.
Within the SFS, user data such as inbox messages, push notifications, and MPC shards are stored in an encrypted form. Only the user, with their derived keys, can access and decrypt their own data.