Skip to content

Instantly share code, notes, and snippets.

@raynirola

raynirola/encryption.md

Created March 24, 2024 20:38
Show Gist options
  • Save raynirola/80e941b3dfa9f653b98306e2c71a61f9 to your computer and use it in GitHub Desktop.
Save raynirola/80e941b3dfa9f653b98306e2c71a61f9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
encryption.md

Authentication and data storage flow incorporating both asymmetric and symmetric encryption methods for securely handling sensitive data in a client-server architecture. This approach uses Web Cryptography API functions and ensures that sensitive data is encrypted before being transmitted to the server, with decryption only possible by the rightful owner of the corresponding private key.

User Registration and Initial Setup

  1. User Visits Onboarding Page:

    • User creates an account on the client application.

  2. Account Creation:

    • User provides necessary information to create an account.

  3. Passkey Creation:

    • As part of the account creation process, the user also creates a Passkey, facilitating passwordless authentication. This will be executed on the extension context.

  4. Asymmetric Key Pair Generation:

    • Client: Generates an asymmetric key pair (RSA-OAEP recommended) upon successful Passkey creation. The private key is stored securely in the browser using the Web Cryptography API, marked as non-extractable, and the public key is prepared for transmission.
    • Description: This key pair is used for encrypting the symmetric key, ensuring that only this user can decrypt it.

  5. Transmit Public Key to Server:

    • Client: Sends the public key to the server.
    • Server: Stores the public key associated with the user's account for later use.

  6. Input Sensitive Data:

    • User inputs sensitive data intended for encryption and secure storage.

Encryption and Secure Transmission of Sensitive Data

  1. Symmetric Key Generation:

    • Client: Generates a symmetric encryption key (AES-GCM recommended) for the actual data encryption.
    • Description: Symmetric encryption is efficient for encrypting large amounts of data.

  2. Encrypt Symmetric Key with Public Key:

    • Client: Encrypts the symmetric key using the public key retrieved earlier.
    • Description: This step ensures that the symmetric key can only be decrypted by the holder of the corresponding private key (the user).

  3. Encrypt Data with Symmetric Key:

    • Client: Encrypts the sensitive data using the symmetric key.
    • Description: Utilizes AES-GCM for efficient and secure encryption of the actual data.

  4. Transmit Encrypted Symmetric Key and Data to Server:

    • Client: Sends both the encrypted symmetric key and the encrypted data to the server.
    • Server: Stores the encrypted symmetric key and encrypted data, associating both with the user's account.

User Access and Decryption of Sensitive Data

  1. User Authentication with Passkey:

    • User authenticates using their Passkey to initiate a secure session.
    • Description: This step verifies the user's identity through WebAuthn, ensuring secure access.

  2. Session Establishment and Data Retrieval:

    • Server: Upon successful authentication, starts a secure session and sends the encrypted data and encrypted symmetric key to the client.
    • Description: The server must ensure that only encrypted data is transmitted, maintaining confidentiality.

  3. Decrypt Symmetric Key with Private Key:

    • Client: Retrieves the private key securely stored in the browser and decrypts the encrypted symmetric key.
    • Description: Only the authenticating user's device, which holds the private key, can decrypt the symmetric key, ensuring data privacy.

  4. Decrypt Data with Symmetric Key:

    • Client: Uses the decrypted symmetric key to decrypt the sensitive data.
    • Description: The decrypted data is held in memory and not stored locally, ensuring it's only accessible temporarily.

  5. Data Usage:

    • The app can now access and use the decrypted sensitive data within the application.
    • Description: The application ensures that decrypted data is only kept in memory for a set duration or until the session ends, enhancing security.

Security and Privacy Considerations

  • HTTPS: Ensure all communications between client and server are over HTTPS to prevent eavesdropping and man-in-the-middle attacks.
  • Data Handling Policies: Implement strict data handling and retention policies on the server to ensure that encrypted data is securely stored and access is logged and monitored.
  • Private Key Security: The private key, stored using the Web Cryptography API, should be marked as non-extractable to prevent it from being accessed or exported.
  • Access Controls: Enforce strict access controls and authentication checks on the server to ensure that encrypted data is only sent to authenticated and authorized users.

This flow combines the strengths of both asymmetric and symmetric encryption to ensure the secure handling of sensitive data, from encryption, transmission, storage, to decryption and access.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment