1

Alice has symmetrically encrypted the large (100Mb) MessageA with a random key K1, and then asymmetrically encrypted K1 with Bobs public key. She then stores the encrypted large message in a central and public repository and sends Bob's key to him.

Can Bob then decrypt the key K1 with his private key and then encrypt the key K1 again with Charles' public key, and send the resulting key to Charles - Giving Charles the ability to decrypt MessageA in the central repository?

I'm looking for a cryptographic approach to giving multiple users access to the same data without having to massage the actual data. (A gives to B, B gives to C and E, etc). Are there mechanisms for revocation?

kelalaka
  • 48,443
  • 11
  • 116
  • 196
BobbyTables
  • 115
  • 4

1 Answers1

1

One common way is securely sending the encryption key for each user with their public key and store the encrypted data on somewhere where each user can access.

You can do this with RSA-KEM with using RSAES-OAEP padding and any Authenticated Encryption like AES-GCM;

  • The Distributer;

    1. First generate a random encrption key $k$ for AES-128,192,or 256
    2. Encrypt the message with AES-GCM genenerate an $IV$ and $$(IV,ciphertext,tag) = \operatorname{AES-GCM-Enc}(IV,message, k)$$
    3. Upload $(IV,ciphertext,tag)$
    4. For each user send a message with $\operatorname{RSAES-OAEP}(pk_{user},k)$ using their public key.

  • The receivers;

    1. To get $k$, They are using their private key ,$$k = \operatorname{RSAES-OAEP}(priv_{user},k)$$
    2. Decrypts the message with AES-GCM $$message = \operatorname{AES-GCM-Dec}(IV,ciphertext,tag, k)$$

This Key Encapsulation Mechanism (KEM) together with Data Encapsulation Mechanism (DEM) provides the standard of IND-CCA2/NM-CCA2 — ciphertext indistinguishability and non-malleability under adaptive chosen-ciphertext attack.

Note 1: The above described modified the RSA-KEM since the original RSA-KEM for multiple users will fall into Håstad's broadcast attack. Instead, using RSAES-OAEP makes it safe for multiple recipients with the same $k$ encrypted for different recipients as PGP/GPG.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • Thank you for the response, im not so versed in crypto so a couple of terms fly over my head here. Im was thinking AES256 + RSA w a 3072bit key. Would that break if enough recipient keys were collected? Im looking to do this "client side" in javascript so im kind of limited to common methods thats avalible in js-libraries – BobbyTables Feb 25 '20 at 10:11
  • 1
    GCM mode is an authenticated encryption mode that provides you Confidentiality, Integrity, and Authentication. RSA should be used with the proper padding scheme. Without a padding scheme we call it The Textbook RSA and that has many problems. Your padding scheme to use is the RSAES-OAEP, OAEP is Optimal Asymmetric Encryption Scheme. With this padding, you will be fine. Both are available in JS. – kelalaka Feb 25 '20 at 10:19
  • 1
    Thank you for the reply! By reading you response a couple of times it all makes sense. Turns out theres even native browser support with large adoption in the window.crypto.subtle namespace. – BobbyTables Feb 25 '20 at 10:59