Security
Overview
Peergos encrypts files locally on your device and your keys never leave your device. To log in, your username and password are (locally) hashed through scrypt to derive your root key-pair and root symmetric key. This key-pair is never written to disk, and is only used to decrypt follow requests sent to you. The symmetric key is used to decrypt your entry points into your filesystem. This design allows you to log in from any device. You can read more technical information in our book.
Encryption
The underlying encryption uses TweetNaCl for both symmetric and asymmetric encryption. This means files are encrypted with xsalsa20-poly1305, data is signed with Ed25519, and shared keys are exchanged using Curve25519.
Metadata
Peergos protects your metadata as well as your data. Everything from file and directory names to sizes and other properties is encrypted or obfuscated. Unlike other products out there, Peergos protects your social graph as well. Your contact list is not visible to the server and is stored encrypted in your own space. Furthermore, if a user shares a file with another user, the server can't deduce this relationship. A Peergos server doesn't store any sensitive data or metadata. We take your privacy seriously!
Trustless Servers
Your Peergos server doesn't store or have access to any unencrypted sensitive information. This means that even if the server is breached, the attacker cannot read your data without a further active attack on users by delivering a malicious web client to those using the web interface.
Trustless Storage
There is further trust-free separation between the server and the actual data storage, which could be local disk or a remote S3-compatible service. This means that a server can use S3-compatible storage as a data backend without exposing any sensitive information to S3. You can even mirror your data safely on an untrusted server.
Independent audits
We have been audited by the world-leading security firm, Cure53. Read more here.
Quantum-resistant Cryptography
Your entire file system in Peergos is encrypted with symmetric cryptography and the initial keys are derived using cryptographic hashing. Both of these are believed to be resistant to quantum computer attacks (at best, you get a quadratic speedup from Grover's algorithm). We will be switching the asymmetric cryptography, which is used to share files, to a post-quantum algorithm as soon as a clear candidate arrives.
Threat Models
Peergos is designed to be secure against passive network adversaries, even ones with state-level computational resources, who are able to store all data on the Peergos network indefinitely. Despite all the encrypted data being publicly accessible, no one but the intended recipients can deduce any data or friendship graphs.
Peergos does not defend against a compromised user's machine. Currently, Peergos doesn't protect files shared between users from an adversary with a large quantum computer.
Peergos should be secure against attackers with read access to a user's machine, provided that access does not coincide with the client being logged in.
The casual user
Trusts
- The Internet's SSL certificate hierarchy and DNS system
- That our public server hasn't been compromised
- Javascript crypto delivered over https
Uses
- Can use our public server's web interface over https
The cautious user
Trusts
- A copy of Peergos that they downloaded to their device, optionally verifying its signature.
- Javascript crypto delivered over localhost, or in process
Uses
- Download and run Peergos locally, and use the web interface over localhost in their browser of choice, or the command line interface
The local only user
Trusts
- A copy of Peergos that they downloaded to their device, and whose signature they verified.
Uses
- Can download and run Peergos locally as an effective local encrypted file store, without the social aspects. They can access through the web interface on localhost, through the native filesystem with a FUSE mount of Peergos, or using the CLI.