I believe the cryptnote application is currently in the place it needs to be. It is fully functional and can be used here.
Some things to try out are attaching a file to a note, entering a confirmation email address (check your spam folder if it doesn't arrive), and setting a time for the note to expire on its own.
As of right now, the only thing missing security-wise that would keep the application from being released to the public is the lack of SSL/TLS. This matters because it is what would encrypt the data submitted through the forms on its way from the browser to the server. Currently, anybody sniffing the network can read the contents of the form as it is sent. That pretty much nullifies the entire point of the application and its purpose, but apart from this everything else seems to be up to par security-wise.
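Closing the SSL gap is mostly a deployment task (a certificate on the servlet container or on a reverse proxy in front of it), but the application itself can refuse to hand out anything over plain HTTP. The following is an added example, not cryptnote's own code; it assumes Spring Security's web module with Java configuration (4.x) is on the classpath, which the project's pom does not necessarily include, and the class name is made up for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Forces HTTPS for every request and sets an HSTS header so browsers stop
 * sending plain-HTTP requests to this host at all.
 * Assumed configuration for illustration; not taken from cryptnote.
 */
@Configuration
@EnableWebSecurity
public class TransportSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Any request that arrives over plain HTTP is redirected to its
            // https:// equivalent before a controller (and the note text) is reached.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // Emits: Strict-Transport-Security: max-age=31536000 ; includeSubDomains
            .headers().httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000);
    }
}
```

Two things to keep in mind with this setup. Spring only sees requests that have already reached the application, so TLS still has to be terminated somewhere (a keystore on the Tomcat connector, or a proxy); if a proxy terminates it, the container must be told to trust the `X-Forwarded-Proto` header (Tomcat's `RemoteIpValve`), otherwise every request looks insecure and the redirect loops. Also, Spring Security's Java configuration turns on CSRF protection by default, so the note form has to include the CSRF token or the POST will be rejected.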
In terms of web-based security applications, one also needs to make sure that wherever the app is hosted is itself secured: root and user passwords, OS vulnerabilities, software on the machine that may have vulnerabilities, and so on. It would be a shame for a web application whose purpose is to be a security/encryption service to have issues that compromise the data of its users.
All in all, I believe the application is well-put together and solid. Spring is sometimes difficult to work with but once you get it working it provides enterprise-level functionality and is one of the best frameworks in the Java world that can be used for enterprise applications.
I mentioned in a previous post that I would touch on the services that I have created for cryptnote that could be seen as the business logic of the application.
I will be going through the two files located here.
First, I will run through the EncryptionService. The first thing of note (and this goes for any service) is the @Service annotation applied to the class. At startup, Spring scans for component annotations such as @Service and then lets you inject an instance of the class into other areas of your code using @Inject (an example is in the MessagesController).
This EncryptionService class is a single place where we can handle all the business logic of encrypting text or files, without duplicating code in various places and creating unnecessary bloat. It really helps keep the code-base organized and just makes life easier.
One thing to note: Spring comes with its own security library (javadoc) which simplifies the process of encrypting data tremendously. By default it uses the AES256 algorithm for encryption, so that works out perfectly for me as that is what I hoped to use from the beginning.
Taking a look at the init method, we can see it basically acts as a constructor for the service. Take note of the @PostConstruct annotation. It tells Spring to run the annotated method once the instance has been created and its dependencies have been injected. In this method, we simply set up our encryption password and salt from the values in the properties file. It then sets up two Encryptors, one that encrypts strings and one that encrypts arbitrary byte data. The rest of the file just contains quick helper methods that wrap these encryptors so that encrypting and decrypting data is easy.
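To make the shape of such a service concrete, here is an added example written for this post, not cryptnote's actual EncryptionService. It uses the real Spring Security crypto API (`Encryptors.text` and `Encryptors.standard`); the property names `cryptnote.encryption.password` and `cryptnote.encryption.salt` are assumptions, as the post does not say what the properties file calls them.

```java
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.stereotype.Service;

@Service
public class EncryptionService {

    // Read from the properties file; the property names are assumed for this example.
    // The password should live outside the repository (environment, deploy-time config).
    @Value("${cryptnote.encryption.password}")
    private String password;

    // Encryptors requires the salt as a hex-encoded string, e.g. the output of
    // KeyGenerators.string().generateKey(). It is not secret, but it must stay
    // constant: changing it makes every already-stored note undecryptable.
    @Value("${cryptnote.encryption.salt}")
    private String salt;

    private TextEncryptor textEncryptor;
    private BytesEncryptor bytesEncryptor;

    /** Runs after the @Value fields have been populated. */
    @PostConstruct
    public void init() {
        if (password == null || password.isEmpty() || salt == null || salt.isEmpty()) {
            // Fail at startup rather than silently encrypting with an empty password.
            throw new IllegalStateException("encryption password and salt must be configured");
        }
        // Encryptors.text(): AES-256/CBC, key derived from the password with PBKDF2,
        // a fresh random IV per call, output hex-encoded.
        textEncryptor = Encryptors.text(password, salt);
        // Encryptors.standard(): the same scheme for raw bytes (attached files).
        bytesEncryptor = Encryptors.standard(password, salt);
    }

    public String encrypt(String plaintext) {
        return textEncryptor.encrypt(plaintext);
    }

    public String decrypt(String ciphertext) {
        return textEncryptor.decrypt(ciphertext);
    }

    public byte[] encrypt(byte[] data) {
        return bytesEncryptor.encrypt(data);
    }

    public byte[] decrypt(byte[] data) {
        return bytesEncryptor.decrypt(data);
    }
}
```

Two caveats a practitioner would check here. On older JDKs (7, and 8 before 8u161) AES-256 only works with the Unlimited Strength Jurisdiction Policy files installed; otherwise the first encrypt call fails with an "Illegal key size" exception. And the `standard`/`text` encryptors use CBC without authentication, so a modified ciphertext is not detected as tampered; newer Spring Security versions offer `Encryptors.stronger` (AES-GCM) for that.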
The other service that is used is the MessageService. This service is relatively small but handles all aspects of creating and deleting a message/note. We can see that it makes use of the EncryptionService to encrypt/decrypt data. We also do database work here, such as inserting and deleting records. This service is also where attached files are handled. It provides the functionality for deleting a message automatically if the user has specified a time (lines 74-89) by using Spring's TaskScheduler. Finally, the service also provides the means to send a confirmation email if the user asked for one.
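The expiry part deserves a closer look, since a scheduled in-memory task is easy to get subtly wrong. Below is an added example of how a MessageService can schedule the deletion with Spring's real `TaskScheduler` while still enforcing the deadline on read; it is not cryptnote's code. The `MessageRepository` interface and the `Message` accessors (`getId`, `getBody`/`setBody`, `getExpiresAt`/`setExpiresAt`) are assumptions standing in for the project's own persistence code, and `EncryptionService` is assumed to expose `encrypt(String)`/`decrypt(String)`.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.stereotype.Service;

/** Assumed DAO over the MESSAGES table; cryptnote's actual persistence code differs. */
interface MessageRepository {
    Message findById(long id);      // null when no such row
    void save(Message message);     // inserts and assigns the id
    int delete(long id);            // number of rows removed (0 or 1)
}

/** Supplies the TaskScheduler that MessageService injects (assumed wiring). */
@Configuration
class SchedulingConfig {
    @Bean
    public TaskScheduler taskScheduler() {
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setPoolSize(1);
        return scheduler;
    }
}

@Service
public class MessageService {

    private final EncryptionService encryptionService;
    private final MessageRepository messages;
    private final TaskScheduler taskScheduler;

    @Inject
    public MessageService(EncryptionService encryptionService,
                          MessageRepository messages,
                          TaskScheduler taskScheduler) {
        this.encryptionService = encryptionService;
        this.messages = messages;
        this.taskScheduler = taskScheduler;
    }

    /** Encrypts and stores a note; expiresInMinutes may be null for "never". */
    public Message create(String plaintext, Integer expiresInMinutes) {
        Message message = new Message();
        message.setBody(encryptionService.encrypt(plaintext));
        if (expiresInMinutes != null) {
            // Persist the deadline with the row, not only in the scheduler.
            message.setExpiresAt(new Date(System.currentTimeMillis()
                    + TimeUnit.MINUTES.toMillis(expiresInMinutes)));
        }
        messages.save(message);
        if (message.getExpiresAt() != null) {
            scheduleDeletion(message.getId(), message.getExpiresAt());
        }
        return message;
    }

    /** Returns the plaintext exactly once, or null if the note is gone or expired. */
    public String read(long id) {
        Message message = messages.findById(id);
        if (message == null) {
            return null;
        }
        // Enforce the deadline even if the scheduled task never ran
        // (for example because the JVM restarted after the note was created).
        if (message.getExpiresAt() != null && message.getExpiresAt().before(new Date())) {
            messages.delete(id);
            return null;
        }
        // Delete first: only the caller whose DELETE actually removed the row gets
        // the plaintext, so two simultaneous readers cannot both see the note.
        if (messages.delete(id) != 1) {
            return null;
        }
        return encryptionService.decrypt(message.getBody());
    }

    private void scheduleDeletion(final long id, Date when) {
        taskScheduler.schedule(new Runnable() {
            @Override
            public void run() {
                messages.delete(id);   // harmless if the note was already read
            }
        }, when);
    }
}
```

The point of storing `expiresAt` on the row is that `TaskScheduler` keeps pending tasks in the JVM only; a redeploy or crash between creation and deadline silently drops them, so the read path has to be the authority on whether a note is still valid.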
Projects are always a good place to mess with fun, interesting technologies. For example, this blog is run by a simple Sinatra app with a Redis instance maintaining all the posts. I initially wanted to use Redis for the database in cryptnote but was unsure, having never used it before, how long it would take to learn and get set up in a fashion that worked well for what I needed. In hindsight, after making my blog app, it's actually pretty simple and straightforward, but oh well.
I have decided to use the good old standard MySQL database for cryptnote, instead. It may be overkill but really all I need is a single table (that I call MESSAGES) with a few columns to store information for each note.
When developing a project that uses a fresh database, the schema goes through multiple iterations. You decide you need a new column for this, or you realize you don't need that column after all. Perhaps you need another table and some sort of relationship set up; perhaps you could have done it all in one table. With that being said, I hope to just keep it all in one table.
Some features that I have come up with to add to cryptnote include attaching a file to a note, which is also encrypted; allowing the option of a confirmation email being sent to the note creator when their note has been read; and the option of allowing the note to expire on its own after a certain time (as specified by the user) if it has not been read beforehand.
With Java, you get the option of a few different build tools that help manage the dependencies in your projects. The main one is Maven, developed by Apache. You declare various build plugins and configuration settings, along with all library dependencies, in a single file named pom.xml. You can view the pom file for cryptnote here.
Going through the file, some of the more important dependencies to note are all the Spring-related libraries being declared. Spring can be used for many different things and provides many tools that can be employed in any type of project. Perhaps the most relevant for web applications are the spring-web and spring-webmvc libraries. These allow you to set up a project that follows the Model-View-Controller software pattern for implementing a user interface as a web application.
The MVC architecture is an entire topic on its own, but the basic idea is that you split an application into separate areas. The Model typically deals with the application's data objects. The View is the interface that the user encounters and interacts with, in this case various web pages. The Controller acts as the mediator between the model and the view.
For example, take a look at this controller. Let's say an HTTP request comes in for "/messages" on whatever domain you're running your web application. Spring looks through all of the routes registered in each controller, as declared by the @RequestMapping annotation. Assuming you have that route declared somewhere, as in the example file, it maps to a method. In this case, it maps to the messagePage method (assuming it was a simple HTTP GET request).
In the messagePage method you can see we are adding a new Message object to the model and then returning the view located at "messages/new".
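To show the full request cycle rather than only the GET, here is an added example of a controller in the shape described above; it is illustrative code, not cryptnote's MessagesController. The `messagePage` handler follows the post; the POST and read handlers, the `Message` accessors (`getBody`, `getExpiresInMinutes`, `getId`), the `MessageService.create`/`read` signatures and the extra view names are assumptions, and `@Valid` assumes a JSR-303 validator is on the classpath.

```java
import javax.inject.Inject;
import javax.validation.Valid;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/messages")
public class MessagesController {

    private final MessageService messageService;   // injected @Service, as in the post

    @Inject
    public MessagesController(MessageService messageService) {
        this.messageService = messageService;
    }

    /** GET /messages: put an empty Message in the model and render the form. */
    @RequestMapping(method = RequestMethod.GET)
    public String messagePage(Model model) {
        model.addAttribute("message", new Message());
        return "messages/new";
    }

    /** POST /messages: bind the form onto a Message, validate, hand it to the service. */
    @RequestMapping(method = RequestMethod.POST)
    public String createMessage(@Valid @ModelAttribute("message") Message message,
                                BindingResult result) {
        if (result.hasErrors()) {
            // Re-render the form with the validation errors; nothing is stored.
            return "messages/new";
        }
        Message saved = messageService.create(message.getBody(), message.getExpiresInMinutes());
        // Redirect after POST so a browser refresh does not create a second note.
        return "redirect:/messages/" + saved.getId() + "/created";
    }

    /** GET /messages/{id}/created: shows the link to hand to the recipient (assumed view). */
    @RequestMapping(value = "/{id}/created", method = RequestMethod.GET)
    public String createdPage(@PathVariable long id, Model model) {
        model.addAttribute("id", id);
        return "messages/created";
    }

    /** GET /messages/{id}: the recipient reads, and thereby destroys, the note. */
    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
    public String showMessage(@PathVariable long id, Model model) {
        String plaintext = messageService.read(id);
        if (plaintext == null) {
            return "messages/gone";   // assumed view: already read, expired or never existed
        }
        model.addAttribute("plaintext", plaintext);
        return "messages/show";
    }
}
```

One design point worth noting for a read-once note: because a plain GET destroys the note, anything that fetches the link before the intended reader does (a chat client's link preview, a mail gateway that scans URLs) consumes it. The usual mitigation is for the GET to render a confirmation page and to decrypt and delete only on the POST the reader submits from it.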
This is the typical cycle in an MVC web application regardless of the language or framework used. One more area that I will touch on in my next post is services, where I will discuss two services that I implement for cryptnote: EncryptionService and MessageService.
Note: all cryptnote controller files can be looked at here, all model/domain objects can be viewed here and all view files can be seen here.
Security and privacy on the internet are currently a very hot topic with everything going on related to the NSA. There are many different encryption tools out there that employ various types of encryption techniques. For my senior seminar project, I am looking to create a web application that allows a user to create encrypted notes that can be sent to a friend to decrypt and read. Once the note is read, it is automatically destroyed.
I plan on using AES256 encryption to encrypt whatever data is sent in. Notes will be stored (encrypted) in a simple MySQL database. Although I typically like to do projects in Ruby, I plan to write the backend of this project using Java and the Spring framework. A small web application like this can be written in anything, really, but using Java/Spring is a nice change of pace.
The project has even been given its name: cryptnote. Simple and straightforward. It actually even sounds like a real product!