Score:-1

Encrypted file sharing with deterministically generated key from user password


Background info:

I need to encrypt files in an enterprise workspace with several users. The goal is to encrypt files directly from the browser to be saved on a server, and each user could decrypt files for viewing.

Technical solution:

Create a randomly generated key Kw for the workspace for encrypting files with AES. This key will never be stored either in the database or in the user session.

For each user, generate another key "Ku" from the user password with a Key Derivation Function like PBKDF2, using the user id as salt. Then encrypt the "Kw" key with the "Ku" key using AES and save this encrypted key "Kw" in the database with the user information.

Then at each login of the user, regenerate the "Ku" key from the user password using the Key Derivation Function like PBKDF2. Retrieve the encrypted key "Kw" and decrypt it with Ku. Then use Kw to decrypt/encrypt files.

Is this solution secure enough to store sensitive files like healthcare documents?

Thanks in advance for your feedback.

DannyNiu
Reviewing full scheme design is off-topic. However, to be helpful, you might want to reconsider your (symmetric encryption) key escrow framework, because this seems to be the essence of what your solution achieves. Especially since you're **deterministically** deriving the keys.
Gravity
Thanks for your response! It's not really a review of a design but more advice on whether I missed something "big" which can seriously decrease the security, as I am not a security/cryptographic expert.
DannyNiu
I just noticed you said "healthcare document". Why would you seek advice from a public Internet forum rather than an established security company such as RSA, Security Innovation, OnBoard Security? I thought of these names because RSA was invented by cofounders of RSA, and Security Innovation and OnBoard Security had owned NTRU for some time.
Gravity
I took the example of a healthcare document just for description, but it could be any sensitive (from the user's point of view) documents that the user wants "encrypted".
Score:0

Let's break this down first.

First, we have the following keys:

  • $K_w$ - the workspace key for encrypting files.
  • $K_u$ - the per-user key for escrowing $K_w$.

Second, there are hidden variables as well.

  • The salt for generating $K_u$ from the user password. The BIG RED FLAG here is that OP is taking its values from the User IDs, where in reality, this value should be random and saved.

  • The nonce for the file encryption algorithm - To encrypt a file, you need a block cipher mode of operation or a stream cipher; such an encryption algorithm needs a nonce to make it secure to use the same key multiple times. The encryption algorithm should ideally be authenticated - that is, have a MAC tag appended to the ciphertext, or just straight use an AEAD algorithm such as AES-GCM or ChaCha20-Poly1305.

Now let's revisit the question.

> Create a randomly generated key Kw for the workspace for encrypting files with AES.

Nothing serious other than potential heavy load on the CSPRNG here.

> ... and save this encrypted key "Kw" in the database with the user information.

This means you encrypt $K_w$ with $K_u$ and escrow the encrypted $K_w$ in the database.

Gravity
Thanks for your feedback. So first, do not use the User ID as salt but generate a random salt and save it with the User information. Secondly, use AES-GCM for file encryption.
Gravity
For the final step, yes, the encrypted Kw will be saved in the database. For me the security issue is that the user password is sent in the clear (over https, for sure) to the backend at login time, so hackers could listen and extract the clear user password and then rebuild Kw to decrypt files. Am I right? But I don't know if there is a solution for this point.
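
The two changes the answer asks for (a random, stored salt for $K_u$ and an AEAD mode with a fresh nonce), as an added example that is not part of the original thread. It uses Node.js's built-in crypto module; the function names, iteration count and sample values are assumptions made for illustration.

```javascript
// Added example, not from the thread: wrap the workspace key K_w per user.
const nodeCrypto = require('node:crypto');

const PBKDF2_ITERATIONS = 100000; // assumed demo value; raise as far as login latency allows

// K_u = PBKDF2-HMAC-SHA256(password, salt), 32 bytes for AES-256.
function deriveKu(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// AES-256-GCM with a fresh 96-bit nonce on every call.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext or tag was modified.
function unseal(key, { nonce, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Enrollment: the returned record is what the database keeps with the user row.
function enrollUser(password, Kw) {
  const salt = nodeCrypto.randomBytes(16); // random and saved, not the user id
  return { salt, wrappedKw: seal(deriveKu(password, salt), Kw) };
}

// Login: re-derive K_u from the stored salt; null means wrong password or a tampered record.
function unwrapKw(password, record) {
  try {
    return unseal(deriveKu(password, record.salt), record.wrappedKw);
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed sample data: two users who happen to share a password.
const Kw = nodeCrypto.randomBytes(32);
const pw = 'correct horse battery staple';
const alice = enrollUser(pw, Kw);
const bob = enrollUser(pw, Kw);
const file = seal(Kw, Buffer.from('constructed sample document'));
console.log('same K_u?', deriveKu(pw, alice.salt).equals(deriveKu(pw, bob.salt)));
console.log('login ok:', unseal(unwrapKw(pw, bob), file).toString());
console.log('wrong password:', unwrapKw('guess', alice));
```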