![James Mills](/assets/img/avatar_default.png)
Alternative to #177 The way this works is: Client: - Client creates a normal `net/http.Request{}` object using the `Request()` function in `utils.go`. The `http.Request{}` object is then signed using the Client's Ed25519 private key. - The HTTP Method and Path (_note this is important_) are hashed, as well as the request body (if any) using the FNV128a hashing algorithm. - This hash is then signed by the Client's's Ed25519 private key. - The resulting signature is then encoded to Base64 (_standard encoding_) and added to the HTTP headers as a `Signature:` header. - In addition the Client's Ed25519 public key is added to the HTTP headers as `Signer:` Server: - The server calculates the same FNV128a hash of the HTTP Request Method and Path and the body (if any) - The server decodes the HTTP header `Signature:` - The server then uses the Client's Ed25519 public key in the HTTP header `Signer:` to verify the signature of the `Signature:` HTTP header which gives us back the original FNV128a hash the Client calculated for the request. - The server then compares the Client's hash with the expected hash to see if they compare equally. Co-authored-by: James Mills <1290234+prologic@users.noreply.github.com> Co-authored-by: Jon Lundy <jon@xuu.cc> Reviewed-on: https://git.mills.io/saltyim/saltyim/pulls/178 Reviewed-by: xuu <xuu@noreply@mills.io>
4.3 KiB
title | description | tags |
---|---|---|
Salty.im Blob Storage v1 | A proposal for a secure blob store for the reference broker and client for Salty.im | blob, store, saltyim |
Salty.im Blob Storage v1
Design proposal for a blob storage v1 design for the reference broker and client https://git.mills.io/saltyim/saltyim
[toc]
API
Types
// Blob defines the type, filename and whether or not a blob is publicly accessible or not.
// A Blob also holds zero r more properties as a map of key/value pairs of string interpreted
// by the client.
type Blob struct {
Type string
Public bool
Filename string
Properties map[string]string
}
// BlobRequest is the request used by clients to update blob metadata for blobs stored on a broker.
type BlobRequest struct {
Blob
}
Endpoints
PUT /api/v1/blob/:key
- Stores or updates a blob's contents.
POST /api/v1/blob/:key
- Updates metadata of a blob
DELETE /api/v1/blob/:key
- Deletes a blob
HEAD /api/v1/blob/:key
- Returns metadata of a blob
GET /api/v1/blob/:key
- Returns metadata and the blob's contents
General flow of requests and responses:
- All requests are signed by the client using it's private key.
- Updates to metadata are performed using a
POST
requests and a body marshaled to JSON using theNewBlobRequest()
object, all other requests either use their raw request body (PUT
), headers (HEAD
, andGET
) or an empty body (DELETE
). - Verification of all signed requests are performed to ensure only the owner of the blob(s) can make modifications, delete or otherwise update a blob's metadata or its contents.
- All responses are standard HTTP response codes as appropriate to the success or failure of a given request:
200 Ok
201 Created
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
500 Internal Server Error
Storage
Blobs are stored on-disk in a path structure:
/path/to/data/blobs/<owner>/<key>
Where:
<owner>
is owner's public key.<key>
is the key for the blob (computed or specified by the client) and is the content address of the stored blob.
Security
It is up to the client to decide whether or not the stored blob and its contents are encrypted. before submitting it to the blob store service on the broker for storage.
Threat Model
[name=James Mills] Still working on this...
The following list of items are threat we simply do not care about or are considered "out of scope":
- public key -- This is public knowledge by design, it can be looked up via a user's Salty Address using for example
salty-chat lookup <address>
. - law enforcement / state actor -- We will consider state actors and law enforcement to be out of scope simply because given the resources of powerful actors, if they really wanted to access the contents of a blob, they probably will. However we will make it as hard as we can.
Threat Actor | Affected Data | Vulnerability | Priority |
---|---|---|---|
operators1 | blob2 | everything3 | P1 |
other users | blob2 | everything3 | P1 |
Threat Actors
- another user
- broker operator
- server operator
- network operator
- casual eavesdropper
- law enforcement
- state actor
Affected Data
- public key
- blob location
- blob contents
- blob metadata
Vulnerabilities
- learn the data
- spoof the data
- delete the data
- prevent owner from reading the data
- prevent owner from modifying/deleting the data
Properties
A blob can be accompanied by one or more "Properties" that are stored alongside the blob:
Stored on-disk as a simple .json
file along-side the blob as <key>.json
Sharing
If a blob's .Public
flag is set to true
then the blob is publicly accessible via a shared URL of the form:
Where:
:owner
is the owner's public key.:key
is the blob's identifying key (content-addressing).
Access Controls
[name=James Mills] TBD