Problem: Docs say little re/ privacy & handling private data #2437
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Solution: Write a new docs page about that
Solution: Create a new docs page, "Production Node Security & Privacy"
Codecov Report
@@ Coverage Diff @@
## master #2437 +/- ##
=======================================
Coverage 88.58% 88.58%
=======================================
Files 40 40
Lines 2312 2312
=======================================
Hits 2048 2048
Misses 264 264 |
| #. Everyone with full access to a BigchainDB node (e.g. the sysadmin of a node) can read all the data stored on that node. | ||
| #. Everyone given access to a node via the BigchainDB HTTP API can find and read all the data stored by BigchainDB. The list of people with access might be quite short. | ||
| #. If the connection between an external user and a BigchainDB node isn’t encrypted (using HTTPS, for example), then a wiretapper can read all HTTP requests and responses in transit. | ||
| #. If someone gets access to plaintext (regardless of where they got it), then they can (in principle) share it with the whole world. One can make it difficult for them to do that, e.g. if it is a lot of data and they only get access inside a secure room where they are searched as they leave the room. |
There was a problem hiding this comment.
is this needed? I guess it's implicit.
There was a problem hiding this comment.
It's something that I've noticed people often raise as an issue, so I figured it would be worthwhile to mention it explicitly, lest they think we never thought about it.
docs/root/source/private-data.rst
Outdated
|
|
||
| There are other ways to accomplish the same thing. The above is just one example. | ||
|
|
||
| You might have noticed that the above example didn’t treat the “read permission” as an asset owned (controlled) by a user. The reason is that read permissions must be controlled by DocPile or a document owner, not by the user. |
There was a problem hiding this comment.
we can add,
... because if the permission asset is given to (transferred to or created by) the user then it cannot be controlled any further until the user transfers it back to DocPile.
| This setup could be used in an enterprise blockchain scenario where a special node should be able to see parts of the data, but the others should not. | ||
|
|
||
| - The special node generates an X25519 keypair (or similar asymmetric *encryption* keypair). | ||
| - A BigchainDB end user finds out the X25519 public key (encryption key) of the special node. |
There was a problem hiding this comment.
finds out can be queries. just to make it clear that the encryption public key of the node will be published by the node.
There was a problem hiding this comment.
I wanted to leave it vague (how the end user finds out the key). Maybe they get it from the node via SMS, Slack or fax.
docs/root/source/private-data.rst
Outdated
|
|
||
| - Ed25519 keypairs are designed for signing and verifying cryptographic signatures, `not for encrypting and decrypting messages <https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures>`_. For encryption, you should use keypairs designed for encryption, such as X25519. | ||
| - If someone (or some group) publishes how to decrypt some encrypted data on-chain, then anyone with access to that encrypted data will be able to get the plaintext. The data can’t be deleted. | ||
| - Encrypted data can’t be indexed or searched by MongoDB. (It can index and search the ciphertext, but that’s not very useful.) One might use homomorphic encryption to index and search encrypted data, but MongoDB doesn’t have any plans to support that any time soon. |
There was a problem hiding this comment.
We can add,
if there is indexing or keyword search needed, then some fields of the asset.data or metadata objects can be left as plain text and the sensitive information can be stored in an encrypted child-object
gautamdhameja
approved these changes
Aug 3, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Solution: