2. You are Here
• Laverna
• Markdown
• Crypto Pbkdf2
• Unnecessary Visualization
• PBKDF2 For Blue
• Synchronization RemoteStorage.io
• Markdown.md
• Installation
• Conclusions
• Remotestorage.0wn.su
3. What are these words
• Laverna and Etherpad are note-taking services
• I won’t talk about Etherpad because
• Self-hosted alternatives to cloud apps like Evernote
• Security and encryption are the focus here
4. Laverna
• Node.js based local web page
• HTML + JavaScript = no server required
• Information is stored in the client you’re using
• Encryptomagic
• Remote storage options:
• RemoteStorage.io (self-hosted)
• Dropbox
• Installation:
• git clone git@github.com/laverna-static
• Done
8. Encryption
• All encryption happens client side (there is no server)
• PBKDF2
• Manually entered salt (random)
• Manually entered password
• Can adjust iterations (1000 default)
• AES 128 or 256
• Generated ciphertexts are stored in the browser’s local storage
9. Crypto/Sync JSON
{"id":"0cc9da4f-a47f-c9fd-e1ba-55cb0ddb14e7",
 "title":"{
   "iv":"uSrC4YzSxgvjueOBn+kb3A==",
   "v":1,
   "iter":"1000",
   "ks":128,
   "ts":64,
   "mode":"ccm","adata":"",
   "cipher":"aes",
   "salt":"ZwuH03ajWY0=",
   "ct":"WvpHRh50YbhdGeWFORR5b1xUuiRb
• UID of the app
• This is the title of my note
• This is the IV for the note
• Supports versioning of your note
• PBKDF2 iterations
• Key size is 128
• Something else size is 64
• Mode is CCM stream cipher
• AES
• Salt that you set
• The cipher text of the title itself
10.
• DK = Derived Key
• PRF = HMAC, a pseudorandom function like HMAC-SHA256
• c = Salt
DK = PBKDF2(PRF, P, Salt, c, dkLen)
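An added example, not Laverna’s or SJCL’s own code: it writes out DK = PBKDF2(PRF, P, Salt, c, dkLen) with PRF = HMAC-SHA256 and c as the iteration count, checks the result against Python’s hashlib, and derives a note key from a header in the shape shown on the Crypto/Sync JSON slide (iter is c, salt is the base64 salt, ks is the key size in bits). The header values are the slide’s; the password "monkey" is the one from the visualization slide and the second salt is constructed.

```python
import base64
import hashlib
import hmac
import json


def pbkdf2(password: bytes, salt: bytes, c: int, dk_len: int, hash_name: str = "sha256") -> bytes:
    """DK = PBKDF2(PRF, P, Salt, c, dkLen) with PRF = HMAC-<hash_name>, per RFC 8018."""
    h_len = hashlib.new(hash_name).digest_size
    blocks = []
    for i in range(1, -(-dk_len // h_len) + 1):          # ceil(dkLen / hLen) blocks
        # U_1 = PRF(P, Salt || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(c - 1):                             # c is the iteration count
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        blocks.append(bytes(t))
    return b"".join(blocks)[:dk_len]


# Header fields of the note record shown on the slide (the "ct" field is omitted here).
NOTE_HEADER = json.loads(
    '{"iv":"uSrC4YzSxgvjueOBn+kb3A==","v":1,"iter":"1000","ks":128,'
    '"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"ZwuH03ajWY0="}'
)


def derive_note_key(password: str, header: dict) -> bytes:
    """Salt and iteration count come from the stored record; key length is ks bits."""
    salt = base64.b64decode(header["salt"])
    return pbkdf2(password.encode(), salt, int(header["iter"]), header["ks"] // 8)


def matches_stdlib(password: str, header: dict) -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib.pbkdf2_hmac."""
    salt = base64.b64decode(header["salt"])
    ref = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              int(header["iter"]), header["ks"] // 8)
    return derive_note_key(password, header) == ref


def salt_changes_key(password: str) -> bool:
    """The slide's point: same password, different salt, different derived key."""
    a = pbkdf2(password.encode(), base64.b64decode(NOTE_HEADER["salt"]), 1000, 16)
    b = pbkdf2(password.encode(), b"constructed-other-salt", 1000, 16)  # constructed salt
    return a != b
```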
12. What this defends against
[Figure: the password “monkey” and a Salt are fed through HMAC-SHA repeatedly, once per iteration, producing a Different Derived key]
14. Laverna Crypto
• PBKDF2
• Server never knows your key
• Server never knows your keys
• Fuck the cloud
• Client side Crypto
15. Javascript Based Crypto
• Not a big deal - it’ll be fine, what could go wrong
• Relying on client side crypto with a server authenticator
• Relying on client side crypto to protect client side information
Well Actually
20. Operating Environment
• Can host on any web server because crypto is on the client
• Does not require PHP or programming environment
• If remotely hosted, should be done over HTTPS
• GitHub provides easy hosting over HTTPS for free
• Can also run on your own computer
21. Wait have I done a demo yet?
https://laverna.cc/index.html#notes
22. Here’s a diagram of something
              | Laverna                           | Etherpad                                          | Evernote
License       | GPL                               | GPL                                               | No
Storage       | RemoteStorage, Dropbox            | None                                              | Sync with Evernote
Encryption    | PBKDF2 (AES)                      | None (SSL with plugin)                            | SSL + magic?
Software      | JavaScript: Node.js, bower, grunt | JavaScript                                        |
Collaboration | Not Realtime                      | Yes                                               | Supports sharing
Subfolders    | Infinite                          | None                                              | Only 1 subfolder allowed
Stored Format | Json                              | Export supports PDF, Word, and many other formats |
23. Conclusion
• Fuck the cloud
• Use Laverna
• Use markdown
• Use PBKDF2
• Use RemoteStorage.io (remotestorage.0wn.su?)