I envisioned a solution for Key Management some time ago but only today I am posting this as a question requesting professional feedback.
How can we serve sensitive encrypted data without storing the key? Should I use user-defined passwords for keys?
When a user account is Authorized to access/export sensitive data:
Password reset is required, with very high strength checks.
An Asymmetric (RSA) Key-pair is generated for the User. The Public key is stored in plain.
The Private User Key is encrypted using a Symmetric encryption derived from the user's (strong) password.
→ To access the Private User key for this User, you need to guess the user's password.
As usual, the password hash itself is saved with BCrypt, quite separately from Key Derivation.
Sensitive data is submitted from a less-authorized user.
An Asymmetric Key-pair is generated for the Data. The Public Data key is stored in plain.
The Private Data key is encrypted using every single Authorized user's Public User key.
The sensitive data is encrypted using the Data key.
→ To access the sensitive data, you need to determine the private Data key, which is not stored directly, but can be accessed if you guess the password of an Authorized User.
The same Data key is re-used for up to 90 days.
Older keys are purged when no data is associated with them.
When an Authorized user signs in:
The sign-in is verified using BCrypt.
A Session Token is generated with at least 72 bits of entropy and passed to the browser.
The Private User key is temporarily decrypted (using Symmetric key derived from Password), and then re-encrypted for the current session (using Symmetric key derived from Session Token).
→ To access the sensitive data, one can either guess a user's password, or steal the Session Token.
The server-side only stores a simple SHA-256 hash of the Session Token.
While signed in, the Authorized user's browser will pass the Session Token, which is used to decrypt the User Key, used to decrypt the appropriate Data Key, and then the Sensitive data can be served where appropriate.
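The chain described in the post, end to end, as an added example that is not the poster's code: it runs on Node.js's built-in `crypto` module, and every function and field name is hypothetical. Assumptions: a random AES-256-GCM data key wrapped with RSA-OAEP stands in for the post's Data key-pair, scrypt derives the password key, and a labelled HMAC derives the session key so that it differs from the stored SHA-256 of the token.

```javascript
// Added example, not code from the post; all function and field names are hypothetical.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, scryptSync, createCipheriv,
  createDecipheriv, createHmac, createHash, randomBytes } = require('node:crypto');

// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext. open() throws on a wrong key.
function seal(key, plaintext) {
  const iv = randomBytes(12), c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}
// Password key: scrypt with a per-user salt, separate from the BCrypt login hash.
const passwordKey = (password, salt) => scryptSync(password, salt, 32);
// Session key: labelled HMAC, so the stored SHA-256(token) is not itself the wrapping key.
const sessionKey = (token) => createHmac('sha256', token).update('wrap-user-key').digest();
const tokenId = (token) => createHash('sha256').update(token).digest('hex');

// Authorization: RSA pair per user; public key in plain, private key wrapped by password.
function enrollUser(password) {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' } });
  const salt = randomBytes(16);
  return { publicKey, salt, wrappedPriv: seal(passwordKey(password, salt), Buffer.from(privateKey)) };
}
// Submission: encrypt under a fresh data key, wrap that key to every authorized public key.
function storeRecord(plaintext, users) {
  const dataKey = randomBytes(32), wrapped = {};
  for (const [name, u] of Object.entries(users)) wrapped[name] = publicEncrypt(u.publicKey, dataKey);
  return { blob: seal(dataKey, Buffer.from(plaintext)), wrapped };
}
// Sign-in: unwrap with the password, re-wrap under the token, keep only SHA-256(token).
function signIn(user, password) {
  const priv = open(passwordKey(password, user.salt), user.wrappedPriv);
  const token = randomBytes(16); // 128 bits, above the post's 72-bit minimum
  return { token, session: { id: tokenId(token), wrappedPriv: seal(sessionKey(token), priv) } };
}
// Request: token -> user private key -> data key -> plaintext.
function readRecord(token, session, record, name) {
  if (tokenId(token) !== session.id) throw new Error('unknown session');
  const priv = open(sessionKey(token), session.wrappedPriv).toString();
  return open(privateDecrypt(priv, record.wrapped[name]), record.blob).toString();
}
```

Everything the server keeps at rest (`publicKey`, `salt`, `wrappedPriv`, `session.id`, `record`) is ciphertext, a public value or a hash; the plaintext private key exists only in memory during `signIn` and `readRecord`.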