The article cover

R3

Encrypted Sharing

June 3rd, 2020

I enjoy doing lots of different coding projects, but one that has been quite consistent and kept up-to-date is Rocket.

Rocket started as a simple URL shortener with some encryption functionality built in. But it has now become much more.

R3 is the latest iteration of Rocket and it comes with complete rewrite and redesign of the front end, a new back-end written in Go, a new and better Encryption logic, and much more.

R3 allows you to share not only URLs, but also messages, images and files up to ~1.5MB. If you try to share an image larger than 1.5MB it will automatically compress it in browser.

You can check out this latest iteration of Rocket at rkt.one and you can find the code on GitHub.

Just a word of caution: Rocket encryption was written by me (aka: not a cryptographer) and not verified by any expert. Consider Rocket a fun personal project, not a secure way to share secrets.

Rocket's new UI

Encryption

You can read how the encryption works on GitHub; you can also read the Threat Model and useful definitions as well.

I used the encryption primitives provided by JavaScript's Web Crypto API - crypto.subtle - to create a custom encryption logic illustrated by the image below.

A diagram describing the encryption View Diagram

Writing my own crypto logic (although not something I would do for any production system) was quite fun and it forced me multiple times to question my choices again and again and to plan for new scenarios.

A combination of a complete redesign of the crypto and the newly found performance (thanks to the new API) made me push way pass what was my previous design.

The new design considers more things such as the estimated entropy for the random Share ID generator and employs new tactics to attempt to deal with more powerful adversaries.

If everything works according to my plan, the bigger threat is not the encryption anymore but is that a threat might compromise the user, the CDN, or the server hosting the service.

Ideally if the site or CDN gets compromised at any point in time or if the database gets leaked, all transactions up to that point are well protected.

Future Improvements

There are many tweaks and fixes I'd like to apply to R3. I would like it to support multiple images/files per share, improve the UI further and iron out bugs, add a QR code feature, and much much more.

My goal would be - if I can keep it up - to release a bunch of minor updates and fixes as I go along instead of waiting a few years and releasing another completely redesigned version.

I would also like to have someone review the crypto, but that will take time and I can't guarantee anything.

CLOSE