npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

private-group-spec

v8.1.0

Published

a spec for private groups in scuttlebutt, using envelope encryption

Downloads

1,525

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

powersourcepowersourcearj03arj03staltzstaltzmixmixmixmixcelcel

Keywords

scuttlebuttspecprivategroupsencryption

Readme

Private-Groups Spec | v2.0.0

A specification for implementing private groups in scuttlebutt.

The fundamentals of this spec are:

  1. uses envelope for encryption of content
  2. has group_ids which are safe to share publicly
  3. adding people to the group is done with group's knowledge
  4. supports disclosing of message content
    • but this leaks info about the group (peak at other messages / authors)

envelope encryption in scuttlebutt

In adition to the envelope-spec, there are some scuttlebutt-specific specifications

See spec here

recipient key derivation

box1 took feedIds from the content.recps field and directly used these for encryption.

In envelope, we instead take "ids" from content.recps, and map each to a key+scheme pair { key, scheme } where":

  • key is the encryption key which will be used in a key_slot, and
  • scheme is the "key management scheme" which that key is employing

| Type of id | How key is derived | scheme | | --------------------- | -------------------------------------------------- | ---------------------------------------- | | private group id | a key-store | "envelope-large-symmetric-group" | | feedId (someone else) | diff-hellman styles | "envelope-id-based-dm-converted-ed25519" | | feedId (yours) | locally stored key | "envelope-symmetric-key-for-self" | | P.O. Box id | diffie-hellman styles | "envelope-id-based-pobox-curve25519" |

see key-schemes.json for the canonical list of accepted schema labels

recipient restrictions

We talk about key_slots or recipients / recps a little interchangeably. Let's assume content.recps are mapped to key_slots preserving their order.

:warning: The following restrictions must be followed :

  1. there are max 16 slots on a message
  2. if there is a group key
    • a) there is only 1 group key
    • b) the group key is in the first key_slot
  3. we disallow you from making a shared DM key with yourself

More detail:

  • (1) means all implementations know to look 16 slots deep when trying to unbox the msg_key
  • (2.a) provides a guarentee that infomation is not leaked across groups, in particular tangle info would leak info about group memember as these ids are not cloaked in this version
  • (2.a + 2.b) means we that we only need to try group keys in the first slot. If that fails, we can try DM keys on slots 1-16. (nice and fast!)
  • (3) is a tight restriction which we think will help people write better apps
    • it's a step towards forward security
    • if you want to send to self, it encourages people to mint a group, which is a better practice when moving to support multi-device identities
    • we may relax this restriction when we have more experience

group management

A minimal amount of agreement to make coordination easier:

TODO

describe

  • how all these things might be woven together
  • where state is tracked off-chain (in a key-store)

changes in v2

Group IDs have moved from being sigil links like

%g/JTmMEjG4JP2aQAO0LM8tIoRtNkTq07Se6h1qwnQKb=.cloaked

to being SSB URIS like

ssb:identity/group/g_JTmMEjG4JP2aQAO0LM8tIoRtNkTq07Se6h1qwnQKb=

scuttlebutt private-groups spec (v3 ?)

Could modify this spec:

    • same
    • same
    • same
  4. supports privacy fiendly disclosing of message content
    • all internal cypherlinks are "cloaked"

Security considerations

While we have tried our best to create a secure end-to-end encrypted communication protocol, this spec is not fit for use in safety critical situations. The specification has not been vetted by an independent party. Even assuming a bug-free spec, we have intentionally left out several security features that are considered state of the art in other apps such as Signal, such as "forward secrecy".

Because of this, we advise that anyone that implements this spec in an app, includes prominent UI that warns the user about possible risks.

Links