[Commotion-dev] Mylar: client-encrypted web applications

Dan Staples danstaples at opentechinstitute.org
Fri Apr 18 10:41:52 EDT 2014


Browser crypto is nothing new, but this project has some interesting
aspects: homomorphic encryption, safely sharing keys in the presence of
an adversary (not sure if this refers to forward secrecy?), and
authenticating client code even when it is served from a malicious server.

http://css.csail.mit.edu/mylar/

"""
Mylar is a platform for building secure web applications.

Web applications rely on servers to store and process confidential
information. However, anyone who gains access to the server (e.g., an
attacker, a curious administrator, or a government) can obtain all of
the data stored there. Mylar protects data confidentiality even when an
attacker gets full access to servers. Mylar stores only encrypted data
on the server, and decrypts data only in users' browsers. Simply
encrypting each user's data with a user key does not suffice, and Mylar
addresses three challenges in making this approach work. First, Mylar
allows the server to perform keyword search over encrypted documents,
even if the documents are encrypted with different keys. Second, Mylar
allows users to share keys and data securely in the presence of an
active adversary. Finally, Mylar ensures that client-side application
code is authentic, even if the server is malicious. Results with a
prototype of Mylar built on top of the Meteor framework are promising:
porting 6 applications required changing just 35 lines of code on
average, and the performance overheads are modest, amounting to a 17%
throughput loss and a 50 msec latency increase for sending a message in
a chat application.
"""

-- 
Dan Staples

Open Technology Institute
https://commotionwireless.net
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9