Zero Knowledge Architecture

The 2nd Zkproof Workshop 2019 page

# Zero Knowledge Architecture, is it possible?

Zero Knowledge Architecture, is it possible? How to protect users privacy? Presented by: m4dz from alwaysdata m4dz is a strange animal. Through many lives, he always tried to teach to others what he learnt himself. Previously a web developer (nobody's perfect), concerned about privacy, a respect of private data, and cyber security. He's now Tech Evangelist at alwaysdata. He tries to inform about present and future of digital issues. His favorite book always remains «Alice in Wonderland». Did you already hear about the ZKA pattern? Zero Knowledge stands for a pattern where no-one but the owner is aware of the content of the data. It's mainly in use in the Zero Knowledge Proof pattern, an authorization design. Despite its powerful concepts, Zero Knowledge patterns remain misunderstood. In fact, there's a small amount of contents about what Zero Knowledge really is, what it implies, and how to use it. Architectures that use ZK by Design are nearly undocumented. It's a widely unknown territory. Here's a wide and comprehensive talk about ZKA, with cryptography, keys exchange, data storage, blob secured transfers, privacy use-cases, and many more. Finally, we'll be focused on how to implement it in a web browser environment which is unsecured by design (because always bet on JavaScript). Let's see how we can build secured (web)apps to improve our users' privacy.

# ZKP Zero knowledge proof asymmetric keys # ZKP Bob and Alice inside the cave Register Intermediate certificates No password exchanges Keys can be revoked using intermediate certificates


Client side only


# Security Concerns

- Each symmetric key is unique per Blob/Service/Client

# No name approach - Never share complete

# Frameworks Node Coassak labs

# Web Apps - CORS presents requests - CSP explicitly allow resources - Verify assets checksum (prevents MITM attack) - Referrer-Policy - WebCrypto to manage keys

#How to protect the Encyption Layer? - Can sniff plain JS - Solution WebAssembly -- Prevent the data accesses on the fly -- Binary

# Minimize the Mayhem ....

Questions on ZKA 1/ Migrating from an existing codebase 2/ Applying ZKA to the Big Data 3/ Losing The Keys 4/ Storing metadata on the server 5/ Server security failure 6/ Exporting the keys (recovery system better for users) 7/ Recovery - Recovery server - [new] Client -- Extract the payload -- Restores the contents

# Main problem with ZKApp - Constructors? - Operating systems (bios)? - Trust the users

# ZKA Summary -

# Bonus