Users are sending messages to each other and publish private information for other users via rails app.
The goal is to secure the messages, so neither system admins, nor database leaks won't be able to compromise the data. Javascript client side encryption with recipient key, encrypted data is stored in the database and decrypted on recipient's side. Keys are not stored in the system.
Does is make sense? Is there a solution? Thanks a lot!
Update: I mean asymmetric cryptography. Two keys for each user: one public for encryption, one private for decryption. And a password for the application itself. User logs in using his password, creates a message, which is encrypted client side with a recipients public key (stored in the system) and saved in the database. Recipient logs in using his password, then enters his private key to decode messages. Decryption is also client side, private key is not sent to the server.
If you want to encrypt data in your own applications (client-side encryption), you're encouraged to use envelope encryption with AWS KMS or AWS CloudHSM. Both services offer client libraries and SDKs to add encryption functionality to their application code and use the cryptographic functionality of each service.
If you're looking for the most secure, private way to send email or transmit data, client-side encryption is your best bet. Using client-side email encryption makes it less likely for your information to be intercepted by hostile third parties on the Internet.
Sure. Use this http://crypto.stanford.edu/sjcl/. Especially look at the demo http://bitwiseshiftleft.github.com/sjcl/demo/
One thing to keep in mind, the only way for you to not store the keys is for the user's to derive them from a password ( which should not be the one they use for your site). This is fine and is what the above library does.However,if they forget the password, there is no helping them,
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With