All right.
Hi, everyone.
Today I wanted to talk about this subject that you can see on the screen.
And yes, as you guessed, it's a click-back title.
So sorry about that.
But let me first talk to you about the origin story.
So a few weeks, a few months ago, I had a chat with former coworkers,
and we had to use JITC to talk.
I don't know if any of you know JITC.
Yeah, all right.
So it's our WebRTC chat, and there's been an update a few weeks ago.
I don't know the exact time frame because I'm not a JITC contributor,
but basically you had to log on to create a room.
And then I thought, yeah, but how do I know that the people that create the room
are actually the people that pretend to be?
Since, you know, right now there's a lot of AI going on,
and you know, you cannot trust people on the Internet.
And as you know, just our neighbor in the next room,
so the RTC room are talking about Skynet and AI and all of this shit.
So, I mean, we have the right to be afraid, right?
So, I thought, okay, how easy would it be to create my own chat platform?
So, I would want to have something that has OJO as well as video,
and I don't want to have huge server requirements
because I don't want to spend money on it.
I also don't want to store, let's say, username and password
because, I mean, it's 2024.
Who uses password?
I'm all right.
But we still want to have a way to, you know, identify the people.
So, what can we do?
Just, yeah, just a few, yeah.
Just a quick recap.
I know the RTC room is next,
so if you're not familiar with it, just go make a tour.
So, I want to explain the whole principle of real-time communication,
but just so you know, I take Dwayne Johnson as a reference.
So, this would be our signaling server.
So, what he does, he brings people together.
So, you have all these people that are joined to Dwayne Johnson.
So, you can, well, it's a central server.
And what he does is then he stands back,
and then the people just are connected together.
So, you know, the first one is connected to these three others,
the other one to the others, and like so.
And you know you can trust Dwayne Johnson.
Well, I mean the signal server because he has a TLS certificate.
So, it's nice, but can you trust the peers?
I mean, you don't know who they are.
How does peer work?
It's actually a bunch of information about the people.
So, actually you would generate an object called an RTC peer connection object,
which will contain information about your connection
that you will stream to the other peers.
So, yeah, can we trust the peers?
And I thought, yeah, let's use a technique that is as old as computer science.
Let's just use cryptographic keys because that's, I mean, it's easy.
And for that, I decided to use the subtle crypto API,
which is available both on Node.js and in the web.
So, it's really great.
And why did I choose keys?
Because digital signatures are everywhere and pretty much foolproof.
And right now we have a lot of ways to interact with keys.
So, I don't know if you guys know about Fido WebOtten.
So, basically like you have like those UB keys,
which are external devices that you can store keys on.
You also have like on your smartphone,
you can just choose to use your fingerprint
maybe on iPhones you can use your face recognition, I don't know.
But yeah, basically you can use different stuff.
You have like the cryptocurrency wallets that are basically a set of key.
So, that's nice.
Or if you don't have an ECDSA key per right now,
you can just use a Kudo SSH key gen.
I mean, it's...
And yeah, for those of you who are unfamiliar with cryptography,
where have you been, but let's just say that.
You have basically two keys.
So, you have your private key, you have your public key,
you should never share your private key with anyone,
even with your mother on her deathbed.
It's for you, it's yours, you don't share it.
And there is your public key that you will share with everybody.
And so, basically what we're going to do is that we're going to send a message
in ClearTech, so the end goal here is not to change the message,
but to keep it as clear as possible.
And to add what we call a signature.
A signature is simply something that your private key will generate,
so your private key is private.
And it remains private.
But you include a signature that is generated from the message
and added to the message.
And then you add your public key,
which would basically will allow anyone to decrypt the signature
and to say that indeed you are the one owning the private key
and that message is genuine.
There's a lot of math stuff behind that.
Well, we are not going into the details,
but it's basically prime numbers and all this kind of stuff.
Okay, so as I told you, we're going to use the Sodel Crypto API,
which is available both on the browser and on Node.js.
And beyond signing and verifying message,
you can even generate and derive new keys.
So even if you don't have all the keys we talked about earlier,
you can still generate keys in your browser or in Node.js,
and that could be useful for things that we'll talk afterwards.
And that's what this talk is all about.
Okay, so here comes the plan.
So basically what we're going to do is that the system we're going to create,
we will create a server, so the signal-signal server I told you about,
and what it will do, so the first client we connect to the server,
we will call him the host, so he hosts the room.
He creates a room with a unique ID, and that's done using WebSockets.
I'm sure you're all familiar with WebSockets.
You can talk afterwards.
No problem.
It's pretty basic stuff as well.
The host can send a special type of message to the room
to send the public keys that he wants to accept in the room.
So basically I would create a room, say I would create a room for my party,
and I will add all the public keys of the people that I know,
and then I will send you the link to the room,
and if you want to join the room,
I will ask you to sign a message to prove your identity.
And basically since now you can use your phone to confirm your identity,
for instance with your footprint,
that's pretty much how I can assume your nut and AI trying to ruin my birthday party or whatever,
so it's nice.
So we do that for each peer, and it's okay.
Just a quick security disclaimer though.
When you land on the Sodor Crypto documentation,
you get that big warning.
So yeah, it's a long text, but basically it can be summed up as
this project we're building is for fun.
There's a lot of security considerations to take into account,
and basically that is how you store key and how you should manage them.
And as Adi Sharmeer says, Adi Sharmeer is one of the guys that created the RSA algorithm.
Sure, it's really hard to brute force cryptography and to try to guess a ciphertext
by just brute forcing, but usually the mistakes come from the system
and not from the algorithm.
So let's dive into the code.
So basically what we're going to do.
Here we're going to import a key from our browser.
So we're going to use the P key, the word that's written there.
To as an input key, we could use, as I said, a crypto wallet, a FIDO device or whatever,
but here let's use something that should be generated from the terminal.
We're using, so it's an elliptic curve signature, so it's using,
once again, it's an algorithm that won't go into the details,
but it's just a way to generate signature.
And we specify that we want to use this key for signing because you can also encrypt,
you can also derive keys that's other use you can have.
Once again, we can talk about that after the presentation.
There's a lot of stuff to do, but yeah, that's basically the stuff.
And I'm also going to give you an overview of the idea in check I was telling you about.
So basically when you connect, the server will ask you to sign this stuff,
which is a JSON message, so well, this is TypeScript, whatever.
So this is the payload we're getting from the server.
I'm also adding a property which is called issued at,
so that ensures that you have to sign the message within a certain time frame,
otherwise you could have what we call replay attacks where people just trying to send a signature until it works.
So this allows us to mitigate some effects.
And so that is what the server hands you over,
and this is what you would send back, so once it's signed,
so you send the payload that you just saw alongside signature
and your public key to verify the signature.
Okay, so this is how we sign the payload.
So once again, it's a big bunch of code, but it's actually quite easy to understand.
So we have the key.
We have the payload.
The key is strictly, so we have the type definition for the script interface.
So I heard the TypeScript question in the audience,
so don't worry, it's fine.
All the interfaces are defined.
So we have the key and we have the payload.
The interface I just showed you,
and this function will return signed payload.
So basically what we do is that we take the payload,
which is a JSON object, you will stringify it,
and then convert it to bytes, because everything happens in buffer and bytes.
And then we will just sign it, and you know it's a simple function,
just crypto.sign.
We just choose the algorithm once again,
ECDSA, so elliptic curve.
We want to produce a 265.56 hash.
We specify the key that we want to use,
and we specify the buffer we want to sign.
So pretty standard stuff.
And we return that signed payload.
So as you can see, it's really, really, really simple.
I was buffered at how easy it was.
And on the server side, it's pretty much the same thing.
So you want to verify the payload.
So pretty much the same thing as I told you earlier.
The function looks pretty much the same.
So we first need to transform the payload into a JSON object,
but then once again we import the key.
Once again, we use the JSON Web Key Format.
You may be aware of the JSON Web Tokens.
It's pretty much the same spec, but there is just a key.
So it's a key that's been serialized as JSON.
False mean we don't want to export it,
and verify means it's a public key,
and it's used to verify signature.
Once again, we generate a signable variable,
and it basically bytes to pass to the verify function.
And then once again, the algorithm, the key, the signature.
See, it's very, very easy, and it works.
So all right, so I'm not going to give you the whole code
of the single server because, well, it's not hard,
not hard at all, but it's just switch statements.
And I don't think it's really interesting to talk about here.
Basically what we're going to do is that we have two types of,
we have several types of message we send to the socket.
I told you about the one that the host sent at the beginning,
so just to white list a bunch of public keys.
And then here I'm going to show you two.
The first one is the one I call request.
So when a new guest want to come into my room,
that's one of the functions,
and the other one is the out, so that's the one we just saw.
So it's basically verifying the signature.
So yeah, when I receive an off message,
I will call the connect peer function.
So basically what it does, simple as that,
first it looks if the public key is valid for the room ID.
So if I indeed white listed that public key.
The second one is the issue that timestamp,
which looks if that timestamp is valid.
So for instance, if my server sent that message two minutes ago,
I deemed that it's still an acceptable time to have,
to receive the payload back.
If it dates back to one hour,
I just teach the message because that's probably a curve
trying to ruin my birthday party.
And the last one is just the signature verification
that we just talked about.
And if it's all good, and that's how WebRTC works,
we will give the peer information to all the other peers
so that they can chat together.
One thing that I didn't mention, but it's important to know,
is once you're using WebRTC,
everything is, every information is from peer to peer.
So the server gets back and there's no information
that are sent to the server, so it's really important to know.
And that's actually quite a cool design.
Last thing I want to say is that I didn't get into the details
and specific of WebRTC, but for the sake of simplicity,
I recommend to use the simple peer library.
I'm not paid by this guy, but this guy does awesome stuff.
So use the library.
And I just want to go a bit deeper.
So I talked about video and audio chat,
but what more can we do?
So since we have, I guess this is your call
to go further down the peer to peer rabbit hole.
So let's use that sort of crypto stuff.
You can do a lot of stuff.
WebRTC is really great.
You can do a lot of really great stuff.
And I want to finish by doing a quick shout out section.
So all these people already trust the process.
So I'm going to give you a quick overview of some project
that I worked with far or less far.
And yeah.
So first of all, I want to shout out about WebTorrent.
Anybody know about WebTorrent?
Nice.
So it's a Torrent client that's built in the browser.
It uses WebRTC data channels to stream data.
It's really nice.
It means that you don't have to depend on a central server
to actually stream data.
IPFS, anybody knows about IPFS?
Yeah.
So great guys also.
They were there last year at Fosdame.
I don't think they're here this year,
but it's basically a protocol that it tends to not replace HTTP,
but be side by side with HTTP.
Basically it works by creating a unique hash for files.
So they're fingerprint files with just a shaft fingerprint.
And basically if you know the hash of the file,
you can just request the file and it will flow a DHT.
It's a really complex system.
It's really interesting.
You can retrieve that file that is hosted somewhere on an IPFS node.
And IPFS nodes are connected to each other using also WebSocket
and WebRTC.
So it's a really, really interesting project.
You should have.
It's very nice.
Some of us are here, but only a few of us.
IPFS?
Yeah.
Oh, nice.
You're so great.
I love you.
And if you want to know more about IPFS,
I'm not the one to ask, basically, as those guys.
And lastly, that's the project I've also worked on last year.
It's basically a project that allows computation on top of IPFS.
Also a great project.
I think they are trying to hire a front-end developer.
So if you like stuff with crypto and just talk to these guys.
All right.
I don't know how much time we still have left,
but I made this great slide for questions.
So does anybody have a question?
Any questions?
A few minutes for questions.
All right.
Or else I have that slide with my credentials.
So this is my GitHub.
This is my telegram.
She wanted to reach me.
And this is my public key if you want to.
Thank you.