public interface EncryptionService extends CipherVersionGenerator<CipherVersion>
EncryptionService is bound to a single namespace and creates
unique CipherVersion instances for that namespace.
The EncryptionService may make use of an encryption server persisting
CipherVersion instances per namespace. It could actually generate a
dedicated cipher just once, so any unauthorized system having access to the
ciphers gets a different cipher not used by any of the authorized
participant. Never two participants will encrypt with the same cipher (taken
the probability that two participants generate the same cipher is very low
and nearly never to happen; in case it happens there is still no security
risk). The key advantage is that if an intruder can also retrieve ciphers,
those ciphers being retrieved are never used by other systems for encryption
as a cipher version is bound to the requester.
To later determine which cipher to use when decrypting data, each cipher has
a cipher UDI assigned to it (a cipher UID and cipher make up a
CipherVersion). Encrypted data is prefixed with this cipher UID so
later it is easy to determine which cipher is responsible for decryption. The
cipher UID is assumed to be public as it's generation must be completely
independent from the cipher itself. Unauthorized systems having access to the
cipher UID cannot reverse calculate the cipher
There is not even a relation between cipher and cipher UID in terms if hash code. This means using brute force approaches with rainbow tables or whatsoever to reconstruct the cipher from the cipher UID is to fail.
Depending on the implementation, the EncryptionService makes use of a
public key of an asymmetric encryption approach for encrypting the
CipherVersion instances; to be persisted by the encryption server.
Encrypting only the cipher is sufficient, the cipher UID can be stored in plain text; it securely can be assumed to be public. As said before, any intruder knowing the cipher UIDs does not weaken the forward secrecy cryptography infrastructure as knowing the cipher UIDs is only of use with the according ciphers; which cannot be calculated from the cipher UIDs.
nextforEachRemaining, removeCopyright © 2017. All rights reserved.