tiCrypt is based on a very strong security model: all resources are encrypted using AES-256 with randomly generated keys that are managed using public-key cryptography. In essence, each user has a private key that can be used to decrypt the user's copy of the resource encryption key. Due to the strength of the encryption algorithms used, should a user lose or refuse to use their key, the data (files, messages, drives) cannot be recovered.
In order to allow users to regain access to their data in case of key loss, or to allow data access for law enforcement in exceptional circumstances, tiCrypt provides a key-escrow mechanism that can recover a user's private key and thus re-establish access. This document provides details on the guiding principles and the mechanisms governing tiCrypt key escrow and key recovery.
The following principles guided the design of the key escrow mechanism in tiCrypt:
- Cryptographic mechanisms: To the extent possible, cryptographic methods like encryption and digital signature should be used instead of access control lists.
- Separation of duties: Any key recovery should involve the collaboration of multiple players; no single person should be able to recover a key. This way, if a user's credentials get compromised, the key recovery mechanism is not.
- Minimize admin power: The role of administrators (system or tiCrypt) should be minimized to protect against backend security breaches. Specifically, the administrators should not be able to recover user keys and, for the most part, play only a minor role in the process.
There are three distinct roles involved in the key escrow mechanism in tiCrypt:
- Escrow Users: special types of users that can only perform escrow-related activities. The escrow user keys do not allow any regular tiCrypt user activities.
- Site-key Administrator: determines who the escrow users are and how they are organized into escrow user groups.
- tiCrypt Administrators: apply the signed orders of the site-key administrator, and initiate the escrow key mechanism.
The user key is escrowed using the following mechanism:
- The key escrowing is initiated by tiCrypt administrators (by setting the user state to Escrow On Login)
- The key escrowing happens when the user key is available in a decrypted state (after the user provides the password)
- A random AES-256 encryption key gets generated for each escrow group
- A master AES-256 encryption key is created by the combination of the group keys
- The user's private key is encrypted with the master AES-256 key and saved on the tiCrypt backend
- Each group key is cryptographically shared with each escrow user in the group. The encrypted keys are deposited on the tiCrypt backend
Key de-escrowing requires the recovery of each group key and then the reconstruction of the master AES-256 key. The encrypted user key can then be retrieved from the tiCrypt backend and decrypted.
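The escrow and de-escrow steps above, as an added illustration in Go with standard-library primitives (this is not tiCrypt's own code). The page does not specify how the group keys are combined, how a group key is shared with an escrow user, or the AES mode, so SHA-256 over the group keys, RSA-OAEP and AES-256-GCM are assumptions made here:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

const nonceSize = 12 // nonce size used by cipher.NewGCM
func must[T any](v T, err error) T { // panics on errors that cannot occur with correct key sizes
	if err != nil {
		panic(err)
	}
	return v
}
// Constructed escrow-user key pair for the demo; RSA-OAEP as the sharing primitive is an assumption.
func newEscrowUser() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// masterAEAD combines the group keys into the master AES-256 key and returns AES-256-GCM for it. ASSUMPTION (the page does not say how): SHA-256 over the group keys in fixed group order, so every group key is needed.
func masterAEAD(groupKeys [][]byte) cipher.AEAD {
	h := sha256.New()
	for _, gk := range groupKeys {
		h.Write(gk)
	}
	return must(cipher.NewGCM(must(aes.NewCipher(h.Sum(nil)))))
}

// escrowUserKey: one fresh random AES-256 key per escrow group, each wrapped for that group's escrow user, and the user's private key sealed under the master key (nonce prepended). Both outputs go to the backend.
func escrowUserKey(userPriv []byte, escrowPubs []*rsa.PublicKey) (blob []byte, wrapped [][]byte) {
	groupKeys := make([][]byte, len(escrowPubs))
	for i, pub := range escrowPubs {
		groupKeys[i] = make([]byte, 32)
		must(rand.Read(groupKeys[i]))
		wrapped = append(wrapped, must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, groupKeys[i], nil)))
	}
	nonce := make([]byte, nonceSize)
	must(rand.Read(nonce))
	return masterAEAD(groupKeys).Seal(nonce, nonce, userPriv, nil), wrapped
}

// recoverUserKey is the de-escrow path: each escrow user unwraps their group key (a non-recipient's key cannot), the master key is rebuilt and the blob is opened; GCM's tag check turns a missing or altered group key into an error rather than a garbage key.
func recoverUserKey(escrowPrivs []*rsa.PrivateKey, wrapped [][]byte, blob []byte) ([]byte, error) {
	groupKeys := make([][]byte, len(wrapped))
	for i, ct := range wrapped {
		groupKeys[i] = must(rsa.DecryptOAEP(sha256.New(), rand.Reader, escrowPrivs[i], ct, nil))
	}
	return masterAEAD(groupKeys).Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}
```

Recovery with the group keys of only a subset of the escrow groups fails at the GCM tag check, which is the property the separation-of-duties principle relies on.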
In what follows, we provide a high-level overview of each of the roles together with the set of activities they can perform. The detailed management associated with these roles is described in subsequent chapters.
The site-key is used by tiCrypt to set up and manage the escrow users. For a site-key to be valid, it needs to be counter-signed by Tera Insights, LLC and to be provided to the tiCrypt backend via a configuration file.
The site-key administrator's role involves the following activities:
- Generation of the site-key public-private key pair. This is accomplished via the site-key part of tiCrypt's front end.
- Stewardship of the private site-key. Great care needs to be taken to guard the site-key private key, since the escrow keys, and thus the security of the users' keys, can be compromised if the site-key is compromised.
- Creation and deletion of escrow groups
- Addition and removal of escrow users
The escrow users' role is to participate in the key de-escrowing activities and in the general maintenance of the escrow set. Specifically, escrow users can:
- Get information on the available key escrows for each tiCrypt user.
- Share their group key with other group members. This is required if new escrow users are added to an escrow group
- Share their group key with a designated escrow user that will recover a given tiCrypt user key
- Recover a tiCrypt user's key (if they obtained the required group keys for all the groups)
The main actions with respect to key escrow that can be performed by tiCrypt administrators are:
- Control when/if the user's key is escrowed. This is accomplished by setting the user's state to Escrow on Login.
- Remove existing user key escrows by deleting the encrypted group keys shared with escrow users.
- Apply signed orders from the site-key administrator.
WARNING: Submitting a valid but incorrectly signed certificate results in a security violation and is reported by tiCrypt Audit.