Approach for ASP.NET, HTTP/S and PGP framework - asp.net

Scenario:
Multiple clients to upload files to server over HTTP/S.
Files are to be encrypted with company public key, for later decryption with company private key on a different environment. On upload, files are dropped (encrypted with company public key) on server.
Going the other way, company has to send documents back to clients. Each document is encrypted using public key of client and posted to the company server for retrieval. Client logs in to server over HTTP/S and grabs encrypted file. Once document is on client machine, they are to decrypt it using their private key.
Questions:
- What is the best way to store the client public keys such that the application can easily grab these at encryption time? If a key server, where should the key server reside?
- Once client has grabbed the encrypted file and downloaded it to their environment, is there an opensource option to decrypt the file?
This is ideally done in a Microsoft environment using ASP.NET. Any additional components, including keyserver are ideally opensource or failing that, affordable to a non-profit.

Related

USB token PKI decryption

I'm looking for USB token solution for asymmetrical decryption purpose. The server has encrypted sensitive data with periodically rotating data encryption key (DEK), which is stored alongside with the encrypted data, encrypted itself with pre-distributed public key of the USB token (KEK).
The user (web browser client) logins to the single page application with username and password. User then inserts the USB token, which will trigger the following sequence:
Retrieve the encrypted DEK's from the server
Decrypt the DEK's with USB token private key
Retrieve the data from the server with the DEK's
I have looked into solutions like Yubikey, but it seems to be more focused on the user authentication than cipher services. What is the correct product to implement hardware based cipher in portable format? Expensive HSM is out of question, as multiple users should posses an instance of the portable token. Also, each instance should contain the same private key.
Nice idea, however you are having a few issues
Decrypt the DEK's with USB token private key
Currently no browser supports using decrypting by pkcs#11 (smart card or usb token keystore protocol) directly.
The browsers can use a stored keypair to authenticate and that's it. (if I missed something, please correct me).
Though you could use some local utility(non-web) to decrypt using a smartcard (gpg, openssl,...)
Also, each instance should contain the same private key.
Most of the serious smart cards allow generating a new private key, but you not importing own key material (at least the ones I had). So it is difficult to create multiple smart cards with the same keypair
What you could do is encrypt the DEK for a set of public keys

How to store user uploaded files with only client side encryption?

I want to build an app where users upload files. But the owners of the server should never be able to have access to any data from the files, only encrypted content.
If I had to implement it myself using Java, I would do something like:
symmetric encryption for the files using a random key per file (or per user because I don't need per file access control). The random key is then asymmetrically encrypted (one time for each user needing access to the file) and stored along the file on the server
Users have a password encrypting their randomly generated on account creation private key stored on the server along with the public key.
The user password hash (not the password itself) is also used as an authentication password to avoid having multiple passwords but also to avoid sending the user password to the server (the server then normally computes and compares the salted hash of this hash of the password)
How can I implement a custom app like this (using libraries?, running additional servers with http APIs?, something else?) ?
I found https://www.minio.io/features.html, an http server with s3 compatible rest APIs which has "Both server side and client side encryption are supported" but couldn't find enough documentation on the client side encryption.

PGP encryption for the server based app

Here is context:
I am using PGP to encrypt messages in a chat web app. After going through some articles, I get brief idea how PGP works and here is how I am doing it with openPGPJs :
Client(web browser) generate the public/private key-pairs and send public key to server to store it.
Sender use receiver's public key to encrypt data and send it.
Receiver use their own private key to decrypt the message.
As a chat app I need to store all messages and decrypt them when user wants to see old message. decryption of messages need the private key. here the client is web browser which neither can store the private keys for long nor can keep them safe. so I decided to store the private key on web server. Now client(web browser) asks server for the private key whenever decryption of message needed.
Considering PGP an End to End protocol, storing private key on server is vulnerable. my question is:
How PGP encryption works for web based applications where client is not able to keep private key safe and confidential?
Is it Okay to store private key on server?
Is there any better way to do this?
Thanks for any suggestions.

Public Key Encryption vs HSM for storing encryption keys

Let's say I have sensitive data in the database server that needs to be encrypted (i.e emails, etc..) and I want to make sure that in the event that the server is compromised, the attacker shouldn't be able to decrypt these data (at the very least make it harder).
I've read some solutions online, and it seems like I can either
Use Hardware Security Modules (i.e. Amazon KMS/Vault) to having a separate server handle encryption/decryption.
Use Public Key Encryption (where the public key in database server encrypts data, and a private key is stored in separate server that solely handles decryption)
What are the tradeoffs of each other and which one would you choose?

Decrypt data only for authorized client

I have an asp.net mvc web application with some customers.
A new customer tells me that its data should be crypted on its client and then sent to server (that will store the data into database).
When the client will request the data, they will be read from db and decrypted on client side.
As is, only he will be able to display the correct data.
I found another post, but i need some samples.
Can i make it with javascript?
How it works? javascript read the private key from a certificate on client machine?
How could you encrypt user data so only they can decrypt it?
tks
Public Key Encryption with Javascript:
http://shop-js.sourceforge.net/crypto2.htm
Keep in mind that you can't read local files with javascript alone. You might need to have a Silverlight app running on the client-side as silverlight can read local files. Maybe have your login screen done in Silverlight?
http://www.insidercoding.com/post/2008/08/17/Reading-Local-Files-in-Silverlight.aspx

Resources