Secret-Handshake

[00:00:00]
>> In terms of what you can use a node right now that's somewhat audited. There's this package that's part of a project called Secure Scuttlebutt and they have some preliminary auditing done on this package called Secret Handshake that's used for this offline peer to peer encrypted social database.

[00:00:21]
Which I'm going to talk a little bit more later. So it all uses this thing called pole streams, which are kind of one of these alternative streaming interfaces. One nice thing about pole streams is they're a bit smaller in the browser, but then you have to use pull streams and they're different.

[00:00:39]
So you have to like wrap things like standard in and standard out if you want to use those. So you can use this package pull- stream- to -stream there's also one called stream- to -pull -stream to like take a pull stream, turn it into a node stream and vice versa.

[00:00:52]
So I almost had a demo for setting up secret handshake correctly but it's actually quite difficult cause there's so many moving pieces with a lot of these stuff. If you wanna learn more, there's an example in the read me for secret handshake and you can pick it apart to kinda see how it works.

[00:01:12]
So this would be useful tool if you want to establish a connection without divulging to either an passive adversary, who's who's inspecting the traffic on the network or if you accidentally dialed the wrong number connecting to a server. You don't wanna accidentally divulge who you are, or who you're trying to connect to.

[00:01:34]
So, these are different guarantees that this module can provide.
>> If you use something like passport js so will it take care of this or is it, you need to do this under that?
>> So if you use something like passport js, that's more dealing with kind of like web sessions like session data.

[00:01:54]
So this is a lot lower level than something like you would get with passport or some other kind of similar tool. This is like calling out to see routines and doing like low level crypto. So you can build your own things like passport, maybe on top of this stuff, but it's not something that you get for free.

[00:02:18]
>> From an end user developer standpoint, if I'm using passport, should I be considering all this what crypto does or elaborate like passport take care of that?
>> Yeah, so I think you would use this kind of these kinds of routines. These kinds of low level API's if you want to do things that are very different from what you would use something like passport for, like, for example, if you want to build a system where you can securely connect to other peers across the network, maybe that's a node utility that works on the command line.

[00:02:53]
Maybe you have an electron application and you want to make secure connections and you want to implement things like encrypted messages. That's when you would use a library like chloride, or chloride actually is just a wrapper around the sodium package and another package called sodium browserify, that does all the same routines in JavaScript.

[00:03:12]
So that's kind of what you might use these things for. You could also use these routines in the browser on a web page, but then your security model is going to be subject to the whims of whatever JavaScript payload the server wants to send you. So it's just even more stuff you have to take into consideration.

[00:03:32]
Okay, so, these are some basics of the Sodium API. Maybe we can take a short break, like five minutes and people can install Chloride. And you can just run some of these routines and generate a key pair with crypto assign key pair and then verify some messages.