Mylar is a platform for building web applications that protects data confidentiality against attackers who fully compromise the servers.
Mylar is built on Meteor, a purely Javascript web application framework: http://docs.meteor.com/
You'll need the following libraries to build Mylar:
- libreadline
- libgmp
- libpbc
- libcrypto++9
Download the EncChat app: git clone git://g.csail.mit.edu/EncChat
cd EncChat /path/to/mylar/meteor
Open a browser and visit localhost:3000 or from a different machine than the server, visit http://:3000. Have fun with the application!
The app is secured against passive adversaries (adversaries who read all data at the server, but do not actively change information).
Check that messages are encrypted in the mongo database. EncChat$ /path/to/mylar/meteor mongo
db.messages.findOne()
You should see a field "message_enc" that contains the encryption of the message. There should be no field "message", which before contained the unencrypted data. You can also see "roomprinc", which is the principal for the room that the message is encrypted for.
If you want to reset the application, do: EncChat$ /path/to/mylar meteor reset
To enable search, you need two things:
-
Install the search plugin In order to use the search plugin, you'll need to build it for your system using the FireBreath framework for Firefox. You should navigate to enc_modules/crypto_fire and follow the README there in order to set it up. In addition, there is a binary that works on some systems in the enc_modules/crypto_fire/Binaries/ folder, which you should copy to: $(HOME)/.mozilla/plugins/, creating the plugins folder if necessary.
-
add the search package to the application EncChat$ /path/to/mylar add search
[documentation coming soon]
Follow the steps:
-
Write a regular Meteor application. Meteor is very easy and fun to learn! https://www.meteor.com/ has great tutorials and documentation.
-
Secure it with Mylar:
First, read the Mylar paper and make sure you understand the section "Building a Mylar application".
2.a. in model.js, annotate which fields are sensitive and should be encrypted For example, to encrypt the field "message" of the collection "Messages", do: Messages._encrypted_fields({ 'message' : {princ: 'roomprinc', princtype: 'room', attr: 'SEARCHABLE'}}); Only the principal for the room will have access to the message.
2.b. Indicate access control annotations. Each user has a principal Principal.user() automatically created. Based on the access control desired, create principals, give principals access to other principals using "add_access", and find principals with "lookup" or "lookupUser". For example, to invite the user "invitee", to a room with principal "room_princ", do:
Principal.lookupUser(invitee, function(princ){ Principal.add_access(princ, room_princ, function () { [..] } }