Closed onlykey closed 4 years ago
rodgolpe
commented
7 years ago I think we could support both, no? Forking OpenPGP could be done independently.
Thinking about large emails and files, they'll need to be buffered/streamed to the OnlyKey over several messages, and then is the OnlyKey supposed to hold both the encrypted and decrypted versions in memory? Seems like that will be the big challenge.
onlykey
commented
7 years ago @rodgolpe Yes we could support both. I guess I was trying to decide which one would be easier to do first. The only thing I dont know about method 2 is how does a chrome app receive messages from a chrome extension like Mailvelope with the modified OpenPGP.js. Next question, would this be different/big change when moving to an electron app? If so we should probably just do method 1 as that would not change when going to electon.
So to answer your question, no we dont have to do anything with encryption. There are already good solutions out there for encrypting like Mailvelope. Encrypting uses a public key which is already public so having this done on an embedded device would just be slow with no gain in security. For decryption of RSA encrypted files/emails we actually don't need the whole message either. All we need is this 32 - 64 bytes of data where the session key is. This is the code I highlighted above. We decrypt the AES session key and send it back to the app to do the message decryption. Pretty easy to do as we could likely send this in one USB packet.
We want to be able to use the OnlyKey to perform private key operations (decrypt/sign). The reason is that this allows the private key to remain secure on the OnlyKey instead of exposed on a computer to hacking. A compromised private key can be used to decrypt all past and future messages.
OnlyKey supports decryption operations using the message OKDECRYPT.
We want to integrate this with existing OpenPGP implementations like mailvelope and protonmail but the problem is communication between the web app and the OnlyKey.
There are two ways to solve this problem. 1) In app support - To support multiple apps we could allow copy and paste of the encrypted message into the OnlyKey app where it can be decrypted and viewed. Similarly we could have plaintext message copied and pasted in to be signed. We would use a modified OpenPGP.js file to support the decryption and signing but the session keys would come from the OnlyKey.
2) Middleman - Both mailvelope and protonmail rely on OpenPGP.js. We could modify OpenPGP.js so that both apps would support OnlyKey without being aware of OnlyKey. The decryption function generates a sessionkey. If there was a way to do a function call that instead of generating the session key it sends the encrypted data to the OnlyKey app, the app would then send to the OnlyKey, the OnlyKey send the decrypted data back, the app then returns the function with the decrypted session key to OpenPGP.js.
What Method 1 would look like in the OnlyKey App -
New Tab - Email and File Decryption
Email Decryption
a box where a user would paste their encrypted email "Your encrypted message:"
a drop down list that is filled with the key labels (Getlabels same method as slot labels) "Select decryption key"
a button that says "decrypt message"
File Decryption
Add file button to select a local file
Decrypt file button
Save as button to save the decrypted file
What Method 2 would look like in the OnlyKey App -
Pop up message when the function call is received from OpenPGP.js
In the pop up a drop down list that is filled with the key labels (Getlabels same method as slot labels) "Select decryption key"
A button that says decrypt
OpenPGP.js changes required
I think all we need to change is this -
https://github.com/openpgpjs/openpgpjs/blob/master/src/packet/public_key_encrypted_session_key.js
var result = crypto.publicKeyDecrypt( this.publicKeyAlgorithm, key.mpi, this.encrypted).toBytes();
We would want this.encrypted to be sent to the OnlyKey via USB. and we would send back var result generated on the OnlyKey