Eiji

Eiji

Security: HTTPS, WSS, PFS and E2EE with Phoenix framework

At start some definitions:

  1. HTTPS (is a protocol for secure communication over a computer network which is widely used on the Internet) - see HTTPS Wikipedia article
  2. WSS (secured WebSocket protocol) - see WebSocket Wikipedia article
  3. PFS (is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys) - see Perfect Forward Secrecy Wikipedia article.
  4. E2EE (a cryptographic paradigm involving uninterrupted protection of data traveling between two communicating parties) - see End-to-end encryption Wikipedia article

Summary:

  1. HTTPS, WSS protocols can be set in configuration
  2. PFS can be set in configuration too and need more attention (ciphers, SSL version)
  3. E2EE - to setup this we need choose algorithm(s) to generate, export, import, encrypt and decrypt for Web Cryptography API; time between generate new keys depends on what is used in application

Helpful sources:

  1. Mozilla wiki article describes SSL configuration and splits it by client support.
  2. SSL configuration could be set in standard nginx way or in cowboy/phoenix configuration.
  3. An examples of using Web Cryptography API

Most Liked

f0rest8

f0rest8

Maybe I shouldn’t revive this topic (in that case, sorry!), but I believe figuring out ways to make it easier to implement encryption in Elixir and Phoenix applications is more relevant, and pertinent, than ever.

The following library is a good choice to use if attempting to implement encryption in your Elixir/Phoenix applications:

Sodium (libsodium) is a fork of NaCl, a trusted library by security experts. By using enacl (libsodium/NaCl) you set yourself up to not accidentally make a mistake that renders your security not as secure as you think. The PragProg book, Practical Security, also recommends the library for encryption for this very reason.

Additionally, this is an interesting take by Badu on implementing both symmetric encryption and asymmetric encryption (along with user derived keys).

Symmetric Encryption
In regard to symmetric encryption, dwyl made a great Phoenix encryption example that I’ve been testing and works exceptionally well from a developer and client perspective.

It is worth noting however, that the person (or company/people) with access to the encryption keys can theoretically decrypt the data. This is true of all symmetric encryption.

Asymmetric Encryption
Badu has two nice examples here with Elixir, Part III and Part IV.

Asymmetric encryption is commonly referred to as public-key cryptography. I don’t know of any other example in Elixir/Phoenix other than Badu’s.

End-to-End Encryption (E2EE)
The Signal Protocol set the bar here. Good news is that the IETF has a working group (MLS) developing a Messaging Layer Security architecture and protocol standard. In theory, it’ll be an excellent choice for anyone working to implement end-to-end encryption (especially for large groups).

I’ve been following their development: MLS GitHub, Datatracker.

E2EE tends to use combinations of asymmetric and symmetric encryption to make it all work.

I’m not aware of any current example offering end-to-end encryption with a Phoenix app. My initial thinking is that you can take guidance from Badu’s asymmetric encryption example and dwyl’s transparent symmetric encryption example to essentially create an end-to-end encrypted Phoenix app. It would work something like this:

  • password derived key → gives each person/user access to their data
    Since the password is hashed, only knowledge of someone’s password can ever decrypt their data. This ensures the company/person with access to the system cannot access a client’s key to decrypt their data (in theory).

  • transparently shared public keys → gives people the ability to share/edit data with each other
    This would work behind the scenes, transparently to the client, like how dwyl’s example works.

This is clearly not a finished thought, but the idea being that there may be a way to take a symmetric encryption example and combine it with Badu’s asymmetric example to deliver something close to end-to-end encryption in a Phoenix and Elixir app.

Other approaches
For instance, if you’re implementing video chat through Phoenix, over WebSockets, with authentication, using a peer-to-peer mesh architecture and STUN server, then your video chat is already end-to-end encrypted and avoids some of the known WebSocket security vulnerabilities.

I was able to achieve this by following the incredible guide by Jesse Herrick of Littlelines, then tying it into an existing authentication solution (phx_gen_auth for example).

This makes me think that, as mentioned 4 years ago, communication over channels would also be secured similarly provided you setup your Phoenix socket configuration to use :websocket and not :longpoll.

:blush::heart:

Nicd

Nicd

Phoenix has HTTPS and WSS support builtin, see http://www.phoenixframework.org/docs/configuration-for-ssl

For PFS I believe you need to configure your server to use specific key exchange algorithms (i.e. it’s not a matter of the certificate). I don’t know how to do that with Phoenix. Personally I terminate TLS with Nginx and proxy it to Phoenix.

HTTPS and WSS are end-to-end encrypted, one end being the client’s browser and the other end being the server.

For free certificates, take a look at https://letsencrypt.org/

Qqwy

Qqwy

TypeCheck Core Team

There are many different algorithms that are used for very different reasons.

Diffie-Helmann (which is indeed what DH stands for) lets two parties compute a shared secret. It does not do encryption/decryption itself, that’s just not what it is for. Indeed, usually DH is used to find a shared key, which is then used as encryption/decryption key in a symmetric cypher, such as AES or Blowfish.

ArrayBuffers are things that were added to JavaScript to allow easier (more efficient and less error-prone) manipulations of binary data. I am not entirely sure if the HTML5 WebSocket API (regardless of Phoenix) supports transferring such an object directly; it could very well be that it needs to be converted to either a binary file or a Base64 string.

Where Next?

Popular in Wikis Top

axelson
With the new year I am looking at travel for this year and I’d love to base some travel around Elixir. So in the spirit of the 2017 threa...
New
axelson
Preamble This Wiki is intended to be a community-maintained (see the Contribution Guidelines if interested) resource of common “gotchas” ...
New
BartOtten
A wiki for Doom Emacs Doom is a configuration framework for GNU Emacs. It focuses on performance and customizability. It can be a founda...
New
anildigital
Here is list of plugins for different editors Sublime Text 3 — Elixir.tmbundle - GitHub - elixir-editors/elixir-tmbundle: A TextMate a...
New
shavit
To transcode the video there is FFMPEG. On Demand When a user uploads a video, the app renames and copy the file to a path, then call F...
New
Rich_Morin
I’d like to start a discussion of data serialization formats, in the context of Elixir. The rest of this note is a combination of persona...
New
georgeguimaraes
Hi people, since the new year is coming, I’d like to plan my travels for events in 2017. So, what events (Elixir or FP related) that you...
New
AstonJ
I’ve noticed we’ve got a few now - wonder if we can compile a list? This is a wiki - anyone at Trust Level 1 can edit :023: Link: http...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New
AstonJ
Wonder if we can compile a list of learning resources, blog posts, talks, threads etc to help those who are just learning about Contexts....
New

Other popular topics Top

axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 48475 226
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New

We're in Beta

About us Mission Statement