Offline private key protocol
- Offline private key protocol
-
The offline private key protocol (OPKP) is a cryptographic protocol to prevent unauthorized access to back up or archive data. The protocol results in a public key that can be used to encrypt data and an offline private key that can later be used to decrypt that data.
The protocol is based on three rules regarding the key. An offline private key should:
- not be stored with the encrypted data (obviously)
- not be kept by the organisation that physically stores the encrypted data, to ensure privacy
- not be stored at the same system as the original data, to avoid the possibility that theft of only the private key would give access to all data at the storage provider; and to avoid that when the key would be needed to restore a backup, the key would be lost together with the data loss that made the restore necessary in the first place
To comply with these rules, the offline private key protocol uses a method of asymmetric key wrapping.
Security
As the protocol does not provide rules on the strength of the encryption methods and keys to be used, the security of the protocol depends on the actual cryptographic implementation. When used in combination with strong encryption methods, the protocol can provide extreme security.
Operation
Initially:
- a client program (program) on a system (local system) with data to back up or archive generates a random private key PRIV
- program creates a public key PUB based on PRIV
- program stores PUB on the local system
- program presents PRIV to user who can store the key, e.g. printed as a trusted paper key, or on a memory card
- program destroys PRIV on the local system
When archiving or creating a backup, for each session or file:
- program generates a one-time random key OTRK
- program encrypts data using OTRK and a symmetric encryption method
- program encrypts the (optionally padded) key OTRK using PUB to OTRKCR
- program stores the OTRKCR and the encrypted data to a server
- program destroys OTRK on the local system
- program destroys OTRKCR on the local system
- the server stores OTRKCR and stores the encrypted data
To restore backed up or archived data:
- user feeds PRIV into program
- program downloads data with the respective OTRKCR
- program decrypts OTRKCR using PRIV, giving OTRK
- program decrypts data using OTRK
- program destroys PRIV on the local system
See also
Wikimedia Foundation.
2010.
Look at other dictionaries:
Offline private key — An offline private key is a cryptographic key that is not stored on a network connected medium. The key can be used to decrypt archive or backup data. The key can be the result of an offline private key protocol. In printed form the key can be a… … Wikipedia
Key Wrap — constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as (a) protecting keys while in untrusted storage, or (b)… … Wikipedia
Trusted paper key — A trusted paper key (TPK) is a machine readable print of a cryptographic key. The printed key can be used to decrypt data, e.g. archives or backup data. A trusted paper key can be the result of an offline private key protocol.The paper printed… … Wikipedia
Public-key cryptography — In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of that private key … Wikipedia
Online Certificate Status Protocol — The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative… … Wikipedia
Topics in cryptography — This article is intended to be an analytic glossary , or alternatively, an organized collection of annotated pointers.Classical ciphers*Autokey cipher *Permutation cipher*Polyalphabetic substitution **Vigenère cipher*Polygraphic substitution… … Wikipedia
Outline of cryptography — See also: Index of cryptography articles The following outline is provided as an overview of and topical guide to cryptography: Cryptography (or cryptology) – practice and study of hiding information. Modern cryptography intersects the… … Wikipedia
Encrypting File System — The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS[1] that provides filesystem level encryption. The technology enables files to be transparently encrypted to protect confidential data from… … Wikipedia
Password — For other uses, see Password (disambiguation). A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password… … Wikipedia
Electronic business — Electronic business, commonly referred to as eBusiness or e business , or an internet business, may be defined as the application of information and communication technologies (ICT) in support of all the activities of business. Commerce… … Wikipedia