Tuesday, March 23, 2010

How zkBox works?

In my previous posts I was presenting how the idea behind zkBox was born and what is zkBox trying to solve. Now I’ll try to talk in general lines about the chosen architecture, to show a simple usage example and to discuss some thoughts about the future.

First of all, I want to mention that I’m Windows guy, almost all the projects I worked on were on MS technologies. Add to this that zkBox was started as a hobby project and you’ll guest pretty easy what technological approach I had for this project: Microsoft technologies.

zkBox is developed in C# using ASP .NET on IIS7/Windows Server 2008 platform. Moreover, I developed a client to be used from JavaScript (so platform independent) along with a zkBox proxy (to be used in ASP .NET web projects) and also a C# client. Clients for others platforms might be added later, but depending on how the project will be perceived. The service is exposed via a RESTful API understanding and talking the JSON dialect. The possible backends are Amazon Web Services (using Amazon S3 + Amazon SDB, ideally hosted on EC2 instances) or Microsoft SQL Server 2005/2008 (for the case when security demands are very strict and physical hosting the data outside of the perimeter of the company is not allowed). On top of the backend layer there is a distributed caching layer (Microsoft Velocity used for the moment) for minimizing the trips to the storage and speeding up the system.

At the moment there is one instance of zkBox running, the official one running on the main website. This instance is free for everybody, so fell free to register your application and use zkBox as backend for your application.

Usage example
Similar to the line “A picture is worth a thousand words”, I think that having an example can shed a lot of light when trying to explain technical things.
Although too technical discussions are not in the scope of this post, I would like to present in a few steps what a developer will use to interact with the free hosted version of zkBox from his/hers own application. More is detailed in the developers section on the website, but, briefly, the following steps are required:
  • Get the JavaScript API client to be included in your pages
    The functions that you’ll call from you JavaScript code will use this library

  • Get jQuery if you don’t already use it in your project and included it as well

  • Get the zkBox proxy and add it to your web project
    • You can get it from here: http://www.zkbox.com/developers/downloads (look at the “zkBox JS client” package)
    • Configure it (e.g. in your Web.config file) to be accessible from your application (e.g. to be reachable at https://yourdomain.com/zkboxproxy)
      The zkBox JavaScript methods that you’ll use from your code will call this proxy from your application; the proxy will sign the requests and will forward them to the zkBox server.
    • You need the zkBox proxy for two reasons:
      • First, because the requests going into zkBox should be signed by your application with you application’s key (which never leaves your server) in order to authorize the application on the zkBox server to access your users’ data
      • Second, because anyway it’s a technological limitation of the browsers that it’s stating that you cannot make calls but only to the origin site, in this case your web application; in geeky terms, it’s known as XSS (Cross-Site Scripting)
      ...so the requests coming from your application’s users must pass through your server

  • Initialize in your code the zkBox proxy
    • In your initialization routine (e.g. usually Application_Start from Global.asax) you’ll provide the zkBox API endpoint (i.e. the zkBox server that you’ll use, if using the public instance, then you’ll need to use the address: http://api.zkbox.com/rest)

  • Initialize in your JavaScript code the zkBox API client
    • By providing the address of the zkBox proxy from your web application (e.g. https://yourdomain.com/zkboxproxy)
That’s it, only a few steps to get connected and start using the zkBox in your applications. Check out regularly the developers section as more examples and documentation will become available.

Future evolution
There are several directions under consideration for the project in the future, but at this moment there is no clear roadmap available, only some draft ideas. However, one thing will be for sure in the coming future: the possibility to have your own installation of zkBox so you can deploy it on your premises (most likely backed up by a SQL Server instance) or in the Amazon cloud (on your managed instances).

When talking about the future, a lot is depending on zkBox’s impact in the developers’ community and if the project will be a real useful tool. One of the goals will be to make it self-sustainable; I have some ideas how this can be approached in the future, but now it’s too early to analyze this.

This will be the last post from this trilogy where I’m presenting some facts behind zkBox’s birth, but keep close as more writings on security and adjacent topics will come.

Friday, February 5, 2010

Always remember: A chain is no stronger than its weakest link

Sometimes I’m surprised to see how big companies are handling security issues. Other times I’m simply shocked to see products coming from big players and marketed as extra-secure, super-strong or military-approved-security-level when in fact they are not.

Recently it happened that the German security research group SySS GmbH played a little bit with some so-called “encrypted USB drives” and managed to get access to the protected data. They were testing products from SanDisk, Kingston and Verbatim (like “SanDisk Cruzer Enterprise - FIPS Edition” and “Kingston DataTraveler BlackBox”) and they were able “to gain access to all stored data by just a few mouse clicks fairly easily”. That’s it, “just a few mouse clicks” and the information from the super-secure enterprise-grade encrypted drive US Government FIPS 140-2 approved featuring 256-bit AES encryption is as secret as the text from this page.

Mainly, a design flaw, in my opinion plain stupid, contributed to this circus. The poor AES encryption algorithm used was fine and doing his job ok, but the decryption key used was always the same no matter the user’s password. It took them just some little time to crack the authentication software in order send always the fixed decryption key and voila, zero security for the secure drive. Clear and obvious hacking. No computer clusters burning megawatts to crack keys, just a simple and straight forward approach.

Obvious I have a question: Who had the great idea to design a security system in 2010 the way we’re doing in the 90's in college? I understand that mistakes can happen, but I find this case the mistake is totally unacceptable for such products coming from such companies.

Something is amazing me even more: how did they get the FIPS 140-2 certification?

In general, I’m a skeptic person; I don’t take things for granted. However, with this kind of security devices coming from important companies, when AES 256 was waived in front of my eyes, I always had in my mind that the data is encrypted with your key. Well, I was terribly wrong.

Monday, January 25, 2010

What is zkBox?

In my previous post I was giving a short insight on how the zkBox idea appeared. Now I’ll try to refine the concept a bit and describe even more what zkBox is meant to be used for.

Although the concept was very simple I could not find any easy to use implementations of it. The idea had everything it was needed to have great potential. In short, having a host proof storage platform on top of which client applications might be easily developed sounded very appealing to me.

Some might wonder what that “host proof" storage is. It’s about having a storage back-end designed in such a way that no one, but only the owner of the data, is able to read it. The answer is no-brainer: just store everything in the encrypted form. Add to this one extra ingredient, the fact that server-side one should not be able to obtain the user’s encryption key (this is where a “zero-knowledge password proof” kicks in, I’ll present this later) and voila, you have a secure storage solution in the way that even if the database gets stolen, the attacker will not be able to do anything with the data.

Architectural thoughts
After endless analysis sessions, things were starting to connect to each other and the shape of a complete solution started to emerge.
  • It was becoming clear that an online solution is a good decision (e.g. everything is getting connected nowadays, have a central point of maintenance, etc...), but room should be left for the possibility to go offline, with synchronization afterwards, when needed (e.g. HTML 5’s offline storage, Google Gears, etc...)
  • The main functionality of the system is to keep the data encrypted and accessible only to one user by a given key, so the system started to slip somehow into the key-value storage systems realm. That’s it, no complex database schemas, no relations, no graphs; only key-encrypted value data accessible to the user. This is limiting for sure the type of applications that can be built on top of zkBox, but, depending on the project’s impact, the philosophy might be changed in the future to allow something like “object sharing” functionalities (e.g. via shared keys). However, in the first version, the stored objects will be accessible only to one user
  • We are discussing about a hosted solution, so it seems naturally that the service will have to be exposed via an API; the most likely client to be used is obvious a browser scripting language; so a JavaScript client must be implemented from the beginning
  • Many computations, like the heavy CPU usage during encryption, will be performed on the client; this has the advantage that there will be less pressure put on the zkBox server since the encryption will be a distributed process across the clients, but it has the disadvantage that sometimes some clients are not powerful enough. However, the disadvantage tends to get away as the technology evolves and the clients are getting faster and faster. And the moment of writing this article, the blazing fast WebKit engine (e.g. it’s embedded into Chrome or Safari) or the JavaScript engine from Firefox can do heavy computations without disrupting the users experience but other browsers, like Internet Explorer, are not there yet
  • Being a key-value storage, there should not be a big problem to have an architecture that it’s truly scalable and reliable; there are already nice solutions out there, varying from ordered key-value storages (e.g. Tokyo Tyrant or MemcacheDB) or document oriented storages (e.g. MongoDB or CouchDB) to already hosted solutions in the big clouds (e.g. Google’s BigTable or Amazon’s Simple DB).

Main goals
The above are only a few points presenting how zkBox should work, what zkBox is and what it’s not, what should do and how. Some initial ideas were improved, others were postponed or new functionalities appeared during the first months, but the main goals of zkBox were always the same:
  • To provide to developers a solution that they can use from their applications to store securely their users’ data
  • The design should be in such a way that the storage provider is not able to see the data that it’s stored
  • Moreover, the application that is using the zkBox storage should not be able to see the data that the application users are manipulating
  • To have an anonymous authentication mechanism
  • To be a scalable and reliable solution, preferable built on top of existing (cloud) architectures

The implementation behind this idea is, again, not rocket science and, in short, can be easily presented in a few steps, like:
  • Authenticate to the storage
  • Encrypt some data with my secret key
  • Sent the encrypted data to be stored on the server

What’s challenging is to have the project as a whole, everything to be in the right place, all the pieces functioning together, so that someone who wants to use it when developing, for example a personal finance application, will just write in JavaScript a few lines like:

// John is logging in into the application
$zkBox.Authenticate("john", "my secret password");

// store some data into the system
$zkBox.AddObject({ spent: "47$", when: "11/26/2009", description: "dinner with Alicia"});

Only two lines, that simple. Everything else is happening behind the scenes: encryption, caching, authentication, authorization, redundant storage, etc...

In the next post I’ll talk in more details about the technical solution chosen.

Wednesday, January 13, 2010

Why zkBox?

This is the first of a 3-posts series presenting the idea behind zkBox and how the project was started.

In the beginning of 2009 Google decided that they will no longer support their product, Google Notebook; they were pointing the users to other products like Google Docs.

Although the existing users are still able to use it, at the moment there is an uncertain future for Google Notebook. Most likely it was a business wise decision taken by Google at that time, but, in my opinion, I still think that from a point of view the targeted users for the two products do not overlap. Google Docs it’s a nice tool but I strongly believe that a considerable niche of users still prefer the simplicity of Google Notebook.

The spark
At that moment I said to myself: What the heck? Perhaps there are hundreds of other online notebooks out there and, if not, for sure I can develop one of my own in one week.
That was the moment when the idea appeared.

The idea
In the next period I was trying to find a tool that would suit my needs. I was using Google Notebook to keep various notes, and sometimes some less important sensitive information (like passwords for some websites, etc…). I was looking for something hosted, reliable and above all uber-secure. After some days of research I learnt that there are not so many tools in that area and the existing ones were not satisfying completely my demands. So, I was flirting with the idea of building my own online and secure notebook.

Everything should have been just fine and everything should have been ready as predicted, in short time. Well… it wasn’t that simple.
I had a friend visiting me at that time and we’re having some debates on how the tool should work and what should be supposed to do. Most of the discussions were in the security area, how it should be approached and which model should be chosen in order to reach one simple target: to allow users to store notes online in the most possible secure and trustable way. On day we were in the zero knowledge applications discussions, when my friend raised the big question “Why aren’t you making a platform for zero knowledge applications to allow building on top of it various applications?
That was the moment when the zkBox idea was born.

Wednesday, December 2, 2009


zkbox [zed kay boks]
noun (plural

secure container:
software layer placed on top of an existing storage solution that provides zero knowledge data storage capabilities.
We’re using zkbox installed at our premises having company’s SQL Server as backend.

secure online storage:
encrypted storage solution implemented on top of Amazon Web Services and accessible from a zero knowledge client web application
The hosted zkbox instance is basically unlimitedly scalable.

[Around 21st century. Abbreviation from Zero Knowledge Box]


Welcome to the zkBox blog.
zkBox is a solution designed to store online, in a secure way, your highly sensitive data.
Here you'll find information about zkBox and products built on top of it, but also thoughts on more general topics like security, performance or scalability.