doc:rfc_pgp-encrypting-sensible-data-with-pgp

Encrypting sensible data with PGP

OOBD Team S. Koehler
Request for Comments:4
Obsoletes: -
Category: Draft Standard Jan 2013

Status of this Memo

This memo provides information about how PGP data encryption is implemented in OOBD. Distribution of this memo is unlimited.

Copyright (C) OOBD Team (2013). All Rights Reserved.

Introduction

This memo describes only the technical implementation, but it's not a introduction into PGP or into data encryption as such. For more information see the reference list

Concept

PGP is a popular and well proven system to en- and decrypt data. But use it in its normal setup, means encrypting by the originator (script developer) direct to the end user would give some disadvantages:

  • Each developer would need to know each user and his user rights
  • To encrypt each data file for each user separately would end up which a huge number of files (scripts x users) which would need to be maintained
  • All users would need be me supplied with their files separately

To surround these limitations, OOBD uses a different approach:

  • It encrypts the data not per user, but per “Usage Group” instead
  • A central authority controls, which user has access to which usage group

The Three Roles in OOBD

The OOBD security concept distinguish between three different roles:

  1. The User: The user is one out of the many users, who want to use the OOBD files
  2. The Developer: The developer provides the encrypted data files
  3. The Key Master: The key master controls, which user is authorized to access which data

The Usage Groups

Each data file belongs to one usage group. This is realized practically by the directories in the script repository, in which the files are located, where the directory name represents the usage group

Initial Setup

User Setup

  1. The user generates with any PGP tool his personal key pair.
  2. Then he imports his secret key into his OOBD installation and sent his public key to the key master.

Key Master Initial Setup

  1. The key master generates a key pair for each usage group with a application specific secret pass phrase
  2. He provides the developers with the public key ring of the usage groups.

Key Master User Setup

For each user:

  1. for all user groups the user is authorized to, the key master extract the usage group secret keys into a single key ring file
  2. then he encrypts this key ring file with the users public key and sent it to the user
  3. the user than import this group file into his OOBD application

File encryption

  • Files are encrypted by the developers
  • The directory in which the file is in defines the usage group
  • the file is encrypted with the public key of the associated usage group

File Usage (=Decryption)

When the user is going to use a file, the following process happens inside the application

  1. The file containing the usage groups secret keys is opened using the users secret key and his pass phrase
  2. Then the file to use is opened with the usage group secret key (which was made accessible in step 1) and the application specific pass phrase.

Implementation Details

Security Considerations

This RFC raises security issues. It's need to make sure that the secret key files and expecially both passphases are protected against unauthorized access and reverse engineering.

References

Authors' Addresses

Steffen Koehler

Phone: +49 172 410 35 98
EMail:steffen@koehlers.de

Appendix

Copyright (C) OOBD Team (2012). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the OOBD Team organizations, except as needed for the purpose of developing standards in which case the procedures for copyrights defined in the Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the OOBD Team or its successors or assigns.

This document and the information contained herein is provided on an “AS IS” basis and THE OOBD TEAM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.“ Relation to other RFCs

Updates

Obsoletes

Obsoleted-by

Updated-by

Contact

Distribution Lists

The OOBD-RFC announcements are distributed via the oobd-commit-messages@googlegroups.com mailing list.

To join (or quit) the list goto https://groups.google.com/forum/?hl=de&fromgroups=#!forum/oobd-commit-messages

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
doc/rfc_pgp-encrypting-sensible-data-with-pgp.txt · Last modified: 2014/03/01 05:48 by admin