
I am currently investigating the architecture of a secure but user-friendly service that combines storage of sensitive private data with a simple authorization procedure.

The approach is perfectly described in the answer to this question. However, it assumes that the user enters a password during authorization, which is used to generate a derived key (or keys). In this case, the login/password-derived slow hash is checked on the server and, in case of success, the server-stored individual salt is transferred back to the client, which generates a password/salt-derived key to decrypt the private data protection key.

Please advise what to use instead of a password as the client-specific piece of the key when users authenticate through external OAuth providers like Google, Facebook, etc.

I saw this question on the same topic, but, unfortunately, there were no suitable answers. I believe it is possible to generate some kind of key on the client side, but I have no idea how to securely transfer this key to another client device. Maybe it could be a good idea to do it via a special server, not connected to the main one?

  • So, what is the authorization procedure used in your application? – Ángel Jul 24 '14 at 20:29
  • Currently it works the following way: 1. User enters login/password; 2. Slow hash of password salted by login is calculated on the client side; 3. Normalized login digest (not salted) and calculated hash are sent to the server; 4. Server looks for a row (table: digest, salt1, salt2) containing the received digest; 5. If found, the server calculates a digest from the received hash salted by salt1 and looks for it in the same table; 6. If the result is found (digest, salt3, salt4), the user is authorized; 7. Salt3 is transferred to the client together with the encrypted private key; – Alexandr Priezzhev Jul 26 '14 at 18:56
  • 8. Client decrypts the private key with a slow hash of the password salted by salt3. (salt2/4 are used for other purposes.) In case of external authorization via OAuth I do not want to ask the user for a password, and here is the problem: what piece of data to use to encrypt the private key? There should be no possibility to get the private key on the server side. – Alexandr Priezzhev Jul 26 '14 at 18:57
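
The eight steps from the comments above, as an added sketch that is not the asker's code. It shows what the server holds and where the password enters the key derivation. Assumptions: PBKDF2 as the slow hash, SHA-256 digests, the hypothetical `enroll` helpers, and an XOR wrap standing in for an authenticated cipher.

```python
import hashlib
import os

ITERATIONS = 100_000  # constructed work factor for this example

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)  # assumed KDF

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def norm(login: str) -> bytes:
    return login.strip().lower().encode()

def xor(a: bytes, b: bytes) -> bytes:  # stand-in cipher: one 32-byte key per KEK only
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self):
        self.table = {}    # digest -> (salt, second salt), the table from the comment
        self.wrapped = {}  # auth digest -> encrypted private key

    def enroll(self, login_digest, auth_hash, salt3, wrapped_key):  # hypothetical
        salt1 = os.urandom(16)
        auth_digest = digest(salt1 + auth_hash)
        self.table[login_digest] = (salt1, os.urandom(16))
        self.table[auth_digest] = (salt3, os.urandom(16))
        self.wrapped[auth_digest] = wrapped_key

    def login(self, login_digest, auth_hash):
        row = self.table.get(login_digest)            # step 4
        if row is None:
            return None
        auth_digest = digest(row[0] + auth_hash)      # step 5
        row = self.table.get(auth_digest)             # step 6
        if row is None:
            return None
        return row[0], self.wrapped[auth_digest]      # step 7

def client_enroll(server, login, password, private_key):  # hypothetical
    salt3 = os.urandom(16)
    kek = slow_hash(password, salt3)  # key-encryption key, never sent to the server
    server.enroll(digest(norm(login)), slow_hash(password, norm(login)), salt3, xor(private_key, kek))

def client_login(server, login, password):
    reply = server.login(digest(norm(login)), slow_hash(password, norm(login)))  # steps 2-3
    if reply is None:
        return None
    salt3, wrapped = reply
    return xor(wrapped, slow_hash(password, salt3))   # step 8
```

The server sees only the login-salted hash, while the key-encryption key in step 8 comes from the password and salt3 on the client; that password input is the piece an OAuth login does not provide.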

0 Answers