We wanted to make a data security product that leveraged the safety that 2 factor authentication brings to passwords. We believed that using a mobile phone as the extra layer of file security would be akin to using a padlock to secure property in a locker.
What it does
FileSec allows users to encrypt and decrypt files by using their phone as the private key. Upon attempting to encrypt, the user is given a six-digit code, and is prompted to enter the given code on their mobile device. Once the code is verified to be the same, the phone generates a unique private key for the file which the computer uses to encrypt the file. The same process is repeated for the decryption. This means that in order to ever access the encrypted files, users must have access to both the computer client as well as its associated mobile client.
How we built it
FileSec is built on top of AngularJS for both the mobile and desktop clients, in order to allow easy sharing of libraries and to make each client cross-platform. The desktop client is wrapped in Electron, and the mobile client in Ionic. Both clients connect to the NodeJS Socket.IO server. We use Firebase to authenticate users, but no other information is ever permanently collected.
Challenges we ran into
We had to figure out the most efficient way of organising the network flow, such that we could minimise the number of network messages sent between the clients. This meant that we had to organise all 3 programs to send and receive the correct information at every stage. This took a lot of trial and error in testing to ensure that variable names and structures were all the same.
We also needed to figure out a cryptographically secure way of sending network messages and keys to ensure there was no possibility of man in the middle attacks. In the end we used an SSL socket, so that our connection was secure. However before doing so we ensured no private information about the files or the encryption was ever sent.
Accomplishments that we're proud of
We were able to effectively synchronise three separate networked devices in real time, so that they all knew their part in the encryption and decryption of files. This meant learning how to use socket.io in the most effective manner, such that the server could route all necessary messages to the right clients at the right time.
What we learned
We learned how difficult it can be to cryptographically secure a process. Many times we stumbled over the best way to send information across the network in order to maximise security yet still minimise network overhead. In the end we believe that we've made a relatively strong encryption method, however without proper analysis it is difficult to tell.
What's next for FileSec
- Integration into the Windows/Linux/OSX UI, such that specific files/folders are encrypted upon saving them.
- Possible NFC communication between devices
- Better UI/UX design within the applications