Creating a data-secure app with IronCore Labs
Posted 5 years ago by Christian Krutsche
“Cyber crime is the greatest threat to every company in the world.”
Ginni Rometty – Chairman, President, and CEO, IBM
The consequences of data breaches are devastating. In 2017, there were 1,579 data breaches in the U.S. alone, an increase of nearly 45% from 2016. And it’s expensive. The average cost of a data breach in 2018 is $3.86 million. Equally devastating is the enduring damage to a company’s reputation and future business opportunities. As we saw in September, data leaks can happen to any company—even giant companies such as Facebook. Now more than ever, data security is paramount. How can businesses ensure their data is safe from breaches and their attendant consequences? In this post, you will learn about a startup that offers an easy way to keep data safe.
About Ironcore Labs
IronCore Labs, a new startup, provides the first commercialization of proxy re-encryption. The technology is based on encrypting more than once; two keys are needed to decrypt data. One key decrypts the data for the group you must be member of, and the second key is your private key. The most interesting thing about this approach is that it can re-encrypt data that has already been encrypted without knowing what’s inside (in decrypted form). The graphic that follows illustrates the process.
But if you would prefer to use your own server instead of the cloud solution, you can buy enterprise version of their platform. More on that later in this post.
If you would like to read more about the encryption techniques behind the library you can check out this IronCore document describing behind the scenes cryptography.
We demoed the SDK and reviewed all of the examples provided with it. They have a really nice example here which you should definitely check out. We think the best way to try new technologies is to get your hands dirty by coding. Because their example is a web app, we decided to create a desktop app based on React inside an Electron container. We just wanted to create a small app which uses most of the SDK features. The application works well as a very simple group messenger. You simply create your group, add members, and chat with them securely. You can check out the full code here: https://github.com/profiq/ironcore-demo-app.
There are two versions; a free version, which accommodates up to 500 different users, or a paid, enterprise version. If you want to make your application publicly available, you’ll need to buy the enterprise version.
First, you need to register and generate keys on their admin page, which will be added to the configuration of the SDK. You can select either IronWeb SDK or IronNode SDK. We chose the the first option, because we want to handle everything directly in the page. In both cases, the packages are published in the npm repository, so you can easily import them to your app. You can also just include the minified standalone script to your app.
After installation, you initialize the SDK. If you are using a backend in your app, you will need to implement a JWT generator for the app. Thankfully, the IronCore Labs team created adequate documentation which helps you with basic code examples for initialization, as well as other SDK functions.
If you are not using the backend, the JWT NPM package works directly in a web browser. This is the scenario we used for our messenger app. After initialization, you can quickly create and manage groups and encrypt/decrypt documents with easy commands. The last thing we would like to mention is promises. Almost every function returns promise, which is perfect, and gives you nice way to handle everything on your web application.
Our Messenger App Demo
As mentioned earlier, we’re using group conversations (both group conversations and user-to-user conversations are available through the SDK). We wanted to test the functionality of the product and how the data is handled.
Most of the process is hidden even to developers because the encryption and everything is running inside the SDK. IronCore gives you the choice of storing encrypted data on their servers or storing it manually in your app or anywhere else. Since messages do not take much space, it would be harder to implement it into an app. An encrypted message could be generally be stored anywhere. Because it cannot be decrypted without keys, we chose to store it on their servers.
Registering a new account in the app is really easy. If you have never logged in before, the platform will register you as a new user. The next time you log in, you can use same credentials to log in to your account. However, if anyone has same login name as you do, it will reject you, and you will need to create an account with another name.
Let’s take a look how we can simply handle the login.
Hiccups During Development
The first issue we noticed with the current version is there is no way to completely delete a group. Although you can kick out (revoke access) everyone except the creator of the group, every group you create is permanently listed and cannot be changed.
Another issue concerned the provided encrypted data info. The encrypted data is provided with basic info such as the ID of document, the IDs of groups (or users) who can decrypt it, and the ID of its creator. It is more than enough info for some encrypted storing of data, yet it was harder to implement sorting of messages in our messenger app.
We could have timestamps inside the messages, but that would mean that we would first need to decrypt everything so it can be sorted.
We also noticed that SDK is responding with encrypted data that is already sorted, but the application needs to manually assign order numbers to avoid mixing the array of documents when working with them.
We shared our findings with IronCore. They explained that the reason groups cannot be removed is to maintain database integrity, which is actually a pretty good move. In future releases, they consider adding the feature of setting the group as removed. The user experience will be similar; data will still be stored in the database, but cannot be decrypted by anyone in any way.
They also shared with us that future versions of the SDK should expose the property storing the document at the time of creation via the public API.
Working with the SDK was pretty straightforward. Even though the data went through their servers, we never noticed any delay in the API when when we tested bigger chunks of data.
Ensuring that your own implementation of communication and servers are really secured might be a challenge. This implementation might be resource-intensive, given that you need to implement it and do thorough security testing. IronCore Labs offers an alternative; a range of tiers you can select from. The first 500 users are free, which might be sufficient for some small apps.
Feel free to check out our test app which utilizes the SDK: https://github.com/profiq/ironcore-demo-app
Also published on Medium.