PrivMX Architecture – Intro

The PrivMX architecture is a set of specifications and components serving the creation of client-server systems based on the concept of client-side encryption as well as servers with zero knowledge.

The systems created on the basis of PrivMX allow for secure transfer, storage and sharing of data.

The purpose of this document is to generally present the main elements of the PrivMX Architecture:

  • encrypting and decrypting data on the client side, thus limiting access to data for the server and reducing of its complexity.
  • Control of data access rights based on cryptographic methods.
  • Work in the request-response scheme and possibility of use of various transport protocols, including non-duplex protocols such as i.e. HTTP.
  • The PrivMX client and server independently secure their own communication, regardless of the security offered by the transport protocol.
  • Own infrastructure for storage and verification of public keys (PKI) independent of third-party certification authorities.
  • Ability to build decentralized systems.
  • Addressing scheme which allows to identify users in decentralized systems.
  • The possibility to share data by "distribution of access keys to specific data" instead of "distribution of user’s right(s)".

Depending on your specific applications and requirements, the system using PrivMX architecture can cooperate with any other software components, also with ones which do not encrypt data and work on the side of the server.

In PrivMX it is possible to find ideas coming from different technologies and use known and proven algorithms:

  • SHA256, PBKDF2, HMAC-SHA512;
  • ECC (Elliptic Curve Cryptography) – asymmetric encryption – private and public keys generation as well as the ECC-related algorithms and schemes of ECDSA, ECDH(E), ECIES;
  • AES (Advanced Encryption Scheme) – symmetric encryption;
  • Bitcoin related ideas such as the Blockchain structure, Bitcoin addresses, BIP-32 (extended keys and their derivation, chaincodes), BIP-39 (Mnemonics for generating of keys)
  • CONIKS;
  • TLS (Transport Layer Security) – handshake procedures, tickets, frames;
  • SRP (Secure Remote Passwords);
  • OpenPGP (RFC 4880) – PGP packets.

Next: Client-server communication – PrivMX addresses, Service Discovery procedure, PrivMX TLS protocol, PrivMX Proxy.
TOC: PrivMX Architecture
PDF version: PrivMX Architecture – whitepaper (pdf)