Naledi Key Service
A secure service for exchanging symmetric encryption keys between two or more registered users...
Naledi Key Service is used to manage a set of encryption keys for a user's documents. A "document" can be a single file or multiple files of any type combined into a single tar-ball. The service generates and stores document keys for a user to enable encryption and decryption. The author may share these keys with other registered users. The actual document(s) never pass throught the service.
Document Key Sharing
A document owner may grant access to one or more registered users by requesting a shared key for that user. The user obtains shared keys by logging in to query document access.
When a document key is requested, it is granted only after a back-channel code has been verified. With the key, the user is able to decrypt the owner's shared document(s).
It is important to note that the actual documents never pass through the service, only the keys.
All communications are through a single endpoint, e.g. https://naledi.com/KeyService with routing and data parameters specified using public/private key encryption. Keys and document specs are stored on separate private machines.
Public/Private Key Communications
Establishing a Session
- requestor sends public key
- service creates a session and symmetric key to enable encrypted messaging
- service returns session and key encrypted with requestor's public key
- using the shared symmetric key, the user submits login data to the service
- if the user is authenticated the full user record including file lists are returned
- an authentication error invalidates the session and returns a simple error
Creating a Shared Key
- the document owner requests a symmetric key for a given document and registered user
- the server validates the document meta data and registered user then generates a shared symmetric key
- the shared key is stored with the owner, registered user and document meta data
- the server then returns the shared key to enable encryption by the client
Requesting a Shared Key
- the registered user requests a decryption key for a specified document
- if the shared key exists and has not expired, a code is generated and sent via back-channel to the requestor
- when the code is submitted by the requestor and verified by the service, the shared key is returned
See the user stories document for examples of typical use.
API Use Cases
See the detail document for use cases for each exposed API.
Data Model Diagram
See data model diagram for a full list of data models and attributes.
See the LICENSE file.
Copyright 2015, darryl west | version 0.90.10 2015-12-14