Building web applications on top of encrypted data using Mylar

Available from MIT; authors are Raluca Ada Popa, Emily Stark*, Jonas Helfer, Steven Valdez, Nickolai Zeldovich, M. Frans Kaashoek, and Hari Balakrishnan, mostly from MIT CSAIL, with one starred exception from the Meteor Development Group.

A lightly edited version of my comment from MIT creates a system to “PRISM-proof” websites:

They built a system that lets you store data encrypted in “the cloud”, yet share it with your friends and do searches serverside.

This is really cool. The *only* place the data exists unencrypted is on the client, yet you can share documents with other people and, in the most mind-blowing part, do *server side searches on the encrypted data*. And they also wrote a browser plugin that uses crypto to ensure that the page wasn’t tampered with.

I’m working mostly from memory, so may be a bit off, but here’s roughly how it works: the client creates a new key for each document, and sends it, encrypted with the user’s private key, to the server. Now I can request the document, and get the encrypted document, along with a decryption key that only I can decrypt using my private key.

Voila! Unless the NSA can crack public key encryption (and if they can, we’re all doomed anyway), my data is safe. But how do my teammates read the document? I just grab their public key and the encrypted document key, and locally decrypt the document with my private key, and encrypt it with my teammate’s public key, and send that to the server. Now my friend can get the document’s key, decrypt it with her private key, and read the document, but noone else can.

And how does search work? That’s complicated. I’d probably have to spend a half-hour rereading the paper to fully understand it. Briefly, I send the encrypted word to the server, along with some “deltas” that somehow let the server compute the encrypted word for each document and search the document for it. They server never knows what the word is, though there could well be some information leakage; I don’t understand this part well enough to be sure.

But when you put it all together, this is a system that lets you send documents to a server, share them, and search them serverside. In other words, you can implement e-mail or chat this way – each “message” is a document that you share with the recipient(s) so they can read them, and you can search all of your documents. But none of the data in the “cloud” (whether stored or transferred over the network) is snoopable under reasonable assumptions.

Sure, there may be vulnerabilities and network patterns still exist. But if, say, Gmail were to use this, then all the NSA would know is “I use gmail”, and maybe they can get some weak correlations around message sizes and access patterns. But it’s still a *huge* step forward over the status quo.

(Also, I don’t consider this as cool, but they built a proof of concept by modifying the Meteor web framework, and then modified a couple applications to use Mylar. The LoC added for Mylar (Figure 8) varies from 30-45 lines for applications ranging from 610 to 8410 initial lines. Seems pretty practical.)

This entry was posted in papers and tagged , , , . Bookmark the permalink.


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s