-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
consider encrypting the actual location data? #7
Comments
Thanks for your suggestion. We do actually encrypt the data when it is in transit, if you configure TLS which we strongly recommend. As soon as the data reaches your MQTT broker, it is unencrypted, that is correct. While we have thought of this previously, we see no reason to do this currently. The location data must be visible to servers because programs like OwnTracks Recorder need to store it. To be honest, we also felt that symmetric encryption would also be a challenge in terms of key distribution (server-side, and apps, say of family members or friends). While it may be possible that we revisit this opition some time, it won't happen soon. |
The main use case would be to be able to use third party, or public brokers (where anyone can subscribe to any topic) without exposing your location (to the entire internet). My suggestion would be to use symmetric encryption with a password, e.g. the client would expose the options "Encrypt position data yes/no", and "Password: [...]" in the user interface. Similarly, any subscriber would also have to have the same password configured. The position data could be encrypted by passing the json payload { "_type": "location", "lat": X, "lon": Y } through a symmetric crypto, using the configured password, then base64-encoding it and putting it inside a new message: { "_type": "xlocation", "data": "" } |
I hope you'll be glad to know we are discussing this now. 😄 These are some very preliminary notes I've jotted down about how we would do this. I'd appreciate some feedback. Payload encryptionStarting in version x (iOS) and version x (Android), the apps can be configured to transmit encrypted payloads. We have implemented this for people who insist in using public brokers without considering the implications of publishing their location data for everybody to read publically. While TLS (if enabled) protects the data in transit, a public broker will store (retain) messages for everybody to see. If enabled, encryption requires the use of a secret key. This key is entered on the device in the form of up to 32 characters. (The apps strip leading and trailing white space, and fill up the 32 octets with binary zero.) As soon as the device has encryption enabled on it, the full JSON payload our apps would otherwise publish in the clear is encrypted with libSodium as follows:
The new payload will look like:
The receiving application detects encrypted payloads from the
A client which is unable to decrypt data will simply ignore it and continue. In particular, the OwnTracks Recorder will have a run-time option to specify a table of secret keys which can map topics from family or friends to their key:
The Recorder will store decrypted data in its original (unencrypted) JSON format in its storage. |
@jpmens haven't looked into libSodium yet, but wonder if something like this will work with arduino to encrypt the data since tls isn't working yet. |
I'm not aware of libsodium actually fitting (space-wise) on a microcontroller.
|
We have successfully tested payload encryption in iOS, Android and the Recorder. This means that we'll be releasing this when we're satisfied it's all ready and documented. I am now closing this ticket. |
Is it 32 characters or 32 octets? |
The field will accept 32 octets. |
http://owntracks.org/booklet/features/security/ states that it is possible to use encrypted communication as well as authentication with the servers. However, as I understand it, the actual location data is still visible to the servers. When using a third party hosted solution, would it be convenient to be able to encrypt the actual location data using a symmetric crypto and a key, shared and only known to the data publisher and the subscribing clients? (not sure if this is the correct place to make suggestions like this).
The text was updated successfully, but these errors were encountered: