Hello All,
I've been working on v2 of Teknik and am designing a new Upload system and would like your guy's feedback on it.
The entire service will use AES-256-CBC regardless of location of encryption/decryption.
Web Interface:
•Client Side Encryption using Crypt-JS
•Opt-in for keeping key in URL vs storing in Database
API Interface
•Opt-in for stating that the file is already encrypted ◦Allows the option to supply a key to be stored in the DB
◦Otherwise will assume the user will supply the key in the URL when viewing
•By default, will encrypt the file server side and store the key in the DB ◦Opt-in available to be passed the key instead of storing in DB (or both)
Viewing Files
•When viewing a file via a browser, UI will display showing download status and decryption status ◦Via Web Browser will be Client Side decryption
•When embedding the URL, the file will be decrypted Server Side
•The key must either be stored in the DB or passed via the URL. If neither have the key, then the file will be downloaded as is without trying to decrypt
Hey this looks great, nice job
And this is?
>>51984151
https://u.teknik.io/
>>51984151
File host for illegal content
>>51984151
File hosting, like pomf.we or sr.ht
>>51984151
How new?
>AES-256-CBC
i threw up in my mouth a little
it is nearly 2016 and people are still rolling their own crypto and they clearly have no idea what they are doing
>>51984302
um... that is a standard crypto that is used everywhere...
>>51984057
Why CBC?
>>51984612
its what crypto-js uses
>>51984612
>>51984625
How does CBC even add any security? Doesn't it just obscure the data?
what's your policy with DMCAs?
>>51985337
Currently I will comply with DMCA's if the accuser can provide sufficient proof of infringement and that they are the party being infringed upon. The infringement needs to be against the law in order to be a valid dmca.
>>51984057
>bootstrap
Burn in hell.
>>51984151
a ponyfucker spamming shit
you are welcome, newfriend
>>51984057
You could just leave out the crypto and mine bitcoins with all those stolen cycles you use for basically fuckall.
> server side keys
> key via url
> symmetric algorithm
> but muh AES
> DMCA compliance
Totally not cool.
>>51984321
Used everywhere by people who don't know what the fuck they're doing. If you don't know what you're doing, find someone who does.
CBC has several nasty gotchas that will absolutely eat your lunch money, and on top of that, it's not authenticated. You should be using AEADs instead: ChaCha20_Poly1305 is fast, very secure, and pretty foolproof, or AES_(128|256)_GCM, and only use the AES_GCM one if you have hardware support.
If you don't want to think about it at all, and if you don't know what you're doing, you probably shouldn't: NaCl cryptobox and secretbox are absolutely fine and as foolproof as modern cryptography gets.
Doing your encryption in client-side on the browser, with or without any webcrypto support, is a little dangerous: browsers have a huge attack surface.
Even MEGA are doing it better than you're proposing.
>>51985785
how does OP know that you know what you're doing?