Security features of NOSTR
Nostr was born as a Decentralized social interaction protocol. So in a social network world is open everything is transparent. Or maybe not everything. Sometimes we have a a secret or something for close friends and a limited group of people, or maybe we want to keep data only for ourselves.
Encrypted Direct Messages
As you can see from a number of communities, think about this idea on a baby steps of protocol for person-to-person communication. So you simply encrypt a message with a public key and the user can decrypt it back
import crypto from 'crypto'
import * as secp from '@noble/secp256k1'
let sharedPoint = secp.getSharedSecret(ourPrivateKey, '02' + theirPublicKey)
let sharedX = sharedPoint.slice(1, 33)
let iv = crypto.randomFillSync(new Uint8Array(16))
var cipher = crypto.createCipheriv(
'aes-256-cbc',
Buffer.from(sharedX),
iv
)
let encryptedMessage = cipher.update(text, 'utf8', 'base64')
encryptedMessage += cipher.final('base64')
let ivBase64 = Buffer.from(iv.buffer).toString('base64')
let event = {
pubkey: ourPubKey,
created_at: Math.floor(Date.now() / 1000),
kind: 4,
tags: [['p', theirPublicKey]],
content: encryptedMessage + '?iv=' + ivBase64
}it is work well and do not require any efforts on a relay side and ask clients to be a bit smarter and understand this event
But what about group resoureces or even idea of resource like in a clasical web ?
Authentication of clients to relays
Well, one of propousal is NIP-42 Authentication of clients to relays make it working in theory so you could create a relay for a limited group of users and ask them to authenticate. It is still a give-all-or-nothing approach.
Auth flow is quite simple user signs ephemeral events and relay could check a signature.
HTTP Auth NIP-98
HTTP Auth NIP-98 even allow to use a nostr events for authorisation of HTTP calls
So, as you can see, it is a lot of good features available that allow you to go far and implement a lot of useful flows, but still, a few things is missed
Missed features
I have my personal wishlist
- group of list base acess
- user resoure focussed access
Group specific sharing
We still need the ability to share content with a selected users. We could reuse a list for this
If a key is included in a list user could get this message but it is require authentification or some kind of athoc protocol where user signs an ephemeral event and uses it for a request.
User Specific resources access
NIP-78 Application data
is very powerful and low to build many use cases and applications on top. I am keen to build Trust tasks and Verifiable credentials protocols on top of it but we need permission-like features. Users should have a secure way to get resources created for them or by them in a certain way. For single users, we still could use encryption, but it has a price. Encrypted data require computation power and processing power to decrypt, and for sure encrypted data require more storage capacity. Encryption is not a silver bullet here.
