Hi, !programming@programming.dev. I’m curious about zero-knowledge encryption, and I would like to use it in my CS50x final project. My goal is to authenticate users and store their encrypted data on the server so that only the users can decrypt it.
I understand the general concepts of public and private keys, as well as symmetric keys, and how to use them to protect data. However, I don’t understand how to authenticate users. I have searched online for information on implementing the zero proof knowledge authentication flow, but I found either vague high-level descriptions or research papers that require a strong background in mathematics and cryptography to understand and implement.
Could you maybe suggest some resources on this topic? When you search for “how to implement jwt authentication”, you can find many articles that describe the flow with code examples. I’m looking for something similar.
Or should I choose a simpler project?
So… to store encrypted data that only the user can decrypt you don’t need any fancy zero knowledge algorithms. Just have the user keep the encryption key.
For authentication you could use one of these algorithms. OPAQUE seems to be popular. I’m not an expert but it seems like it has several neat zero-knowledge style properties.
But probably forget about implementing it without a strong background in cryptography.
Thanks, I will take a look! Implementing the encryption algorithm itself wasn’t my goal, I was hoping to find and reuse an existing library. You know, like we don’t implement our own algorithms to hash passwords or generate keys.
I believe I understand what you want. “Zero” login. So when a user comes to your site or first boots up your app a private key gets generated locally. It will then do a handshake with the server, where the server understands that these encrypted messages are from this user, this uniquely identifies the user, and also can be used for e2e.
Reference https://dev.to/spalladino/a-beginners-intro-to-coding-zero-knowledge-proofs-c56
I think he means something like challenge-response type of auth flow that while using user/pass, the password was never sent to the server?
Similar to a diffie-hellman key exchange maybe? https://en.m.wikipedia.org/wiki/Diffie–Hellman_key_exchange
I believe this has been broken but that is the general gist.
DLP broken? Didn’t hear of that.
Probably saw this in passing. It doesn’t seem to indicate fully broken just this instance.
https://www.reddit.com/r/math/comments/wc4gkx/supersingular_isogeny_diffiehellman_broken/
SPAKE2+ is probably something worth researching as the server never receives the password. I believe it’s used in HomeKit and Matter as well 🙃
research papers that require a strong background in mathematics and cryptography to understand and implement.
Lol. I guess that makes sense. Outside of school, we hope that all authentication will be implemented only by cryptography experts anyway.
Could you maybe suggest some resources on this topic?
Not really, sorry. I’m not aware of anyone creating resources for your situation.
Or should I choose a simpler project?
For some context, cryptography isn’t even usually implemented “completely correctly” by experts. That’s part of why we have constant software security patches.
If I were in your shoes, I guess it would depend on my instructor and advisors.
If I felt like they have the skills to catch mistakes and no time to help correct mistakes, then I would just choose a simpler project. If they’re cool with awarding a good grade for a functional demo, I might just go for it.
I guess I would take this one to an advisor and get some feedback on practicality.
For some context, cryptography isn’t even usually implemented “completely correctly” by experts. That’s part of why we have constant software security patches.
Yeah, I totally agree, and I don’t expect to implement it properly or go public with this. I just got this idea for the final project. When it comes to password hashing, we have libraries in all popular languages that handle this, and we have open-source tools to generate keys. So, I was hoping to find something ready to use for my project. Unfortunately, it seems this area isn’t very popular.
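Added example, not code from any poster in this thread: a sketch of the two ideas raised above, a client-held encryption key and a challenge-response login in which the password never reaches the server. The `Server` class, function names, labels and PBKDF2 parameters are assumptions made for illustration. Unlike the PAKEs named in the thread (OPAQUE, SPAKE2+), the stored `auth_key` is enough to log in if the database leaks, although it does not reveal `enc_key`.

```python
import hashlib
import hmac
import secrets

def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Client side: stretch the password once, then split it into two keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    auth_key = hmac.new(master, b"auth", hashlib.sha256).digest()  # given to server at signup
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()    # never leaves the client
    return auth_key, enc_key

def respond(auth_key: bytes, challenge: bytes) -> bytes:
    """Proof of knowing auth_key for one specific challenge."""
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical in-memory server: it sees salts, auth keys and ciphertext only."""
    def __init__(self):
        self.users = {}    # username -> (salt, auth_key)
        self.pending = {}  # username -> outstanding one-time challenge

    def register(self, user: str, salt: bytes, auth_key: bytes) -> None:
        self.users[user] = (salt, auth_key)

    def start_login(self, user: str) -> tuple[bytes, bytes]:
        salt, _ = self.users[user]
        self.pending[user] = secrets.token_bytes(32)  # fresh random challenge
        return salt, self.pending[user]

    def finish_login(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # single use, so a replay fails
        if challenge is None:
            return False
        _, auth_key = self.users[user]
        return hmac.compare_digest(respond(auth_key, challenge), response)

def client_signup(server: Server, user: str, password: str) -> bytes:
    salt = secrets.token_bytes(16)
    auth_key, enc_key = derive_keys(password, salt)
    server.register(user, salt, auth_key)
    return enc_key  # the client encrypts its data with this before uploading

def client_login(server: Server, user: str, password: str) -> tuple[bool, bytes]:
    salt, challenge = server.start_login(user)
    auth_key, enc_key = derive_keys(password, salt)
    return server.finish_login(user, respond(auth_key, challenge)), enc_key
```

`enc_key` would feed an authenticated cipher such as AES-GCM from a vetted library; the cipher step is left out because the Python standard library does not provide one.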