Introduction

tiCrypt is based on a very strong security model: all resources are encrypted using AES-256 with randomly generated keys managed using public-key cryptography. In essence, each user has a private key that can be used to decrypt the user's copy of the resource encryption key. Due to the strength of the encryption algorithms used, should a user lose or refuse to use their key, the data (files, messages, drives) is impossible to recover.

In order to allow users to regain access to their data in case of key loss, or to allow data access for law enforcement in extenuating circumstances, tiCrypt provides a sophisticated key-escrow mechanism that can recover a user's private key and thus re-establish access. This document provides details on the guiding principles and the mechanisms governing tiCrypt key escrow and key recovery.

The following principles guided the design of the key escrow mechanism in tiCrypt:

  • Cryptographic mechanisms: To the extent possible, cryptographic methods like encryption and digital signature should be used instead of access control lists.
  • Separation of duties: Any key recovery should involve the collaboration of multiple players; no single person should be able to recover a key. This way, if a user's credentials get compromised, the key recovery mechanism is not.
  • Minimize admin power: The role of administrators (system or tiCrypt) should be minimized to protect against backend security breaches. Specifically, the administrators should not be able to recover user keys and, for the most part, play only a minor role in the process.

There are three distinct roles involved in the key escrow mechanism in tiCrypt:

  • Escrow Users: are special types of users that can only perform escrow-related activities. The escrow user keys do not allow any tiCrypt user activities.
  • Site-key Administrator: determines who the escrow users are and how they are organized into escrow user groups.
  • tiCrypt Administrators: apply the signed orders of the site-key administrator, and initiate the escrow key mechanism.

The user key is escrowed using the following mechanism:

  • The key escrowing is initiated by tiCrypt administrators (by setting the user state to Escrow On Login)
  • The key escrowing happens when the user key is available in a decrypted state (after the user provides the password)
  • A random AES-256 encryption key gets generated for each escrow group
  • A master AES-256 encryption key is created by the combination of the group keys
  • The user's private key is encrypted with the master AES-256 key and saved on the tiCrypt backend
  • Each group key is cryptographically shared with each escrow user in the group. The encrypted keys are deposited on the tiCrypt backend

Key de-escrowing requires the recovery of each group key and then the reconstruction of the master AES-256 key. The encrypted user key can then be retrieved from the tiCrypt backend and decrypted.
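The escrow and de-escrow flow just described, as an added example that is not tiCrypt's own code: one random AES-256 key per escrow group, a master key combined from all group keys, the user's private key wrapped under the master key, and each group key wrapped for every escrow user in that group. It assumes the `cryptography` package, uses RSA-OAEP as a stand-in for the page's unspecified public-key sharing, combines group keys with SHA-256 (the page does not say how tiCrypt combines them), and uses constructed group and user names.

```python
# Added illustration (not tiCrypt's code) of the escrow flow described above.
# AES-256-GCM is the symmetric layer, RSA-OAEP stands in for the page's unspecified
# public-key wrapping, and the master-key combination is ASSUMED (page does not say).
import hashlib
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def master_key(group_keys: dict) -> bytes:
    """ASSUMED: SHA-256 over all group keys in group-name order, so every group is required."""
    return hashlib.sha256(b"".join(group_keys[g] for g in sorted(group_keys))).digest()

def escrow(user_private_key: bytes, groups: dict) -> dict:
    """groups: group name -> {escrow user name: RSA public key}. Returns what the
    backend would store: the wrapped user key plus each group key wrapped per member."""
    group_keys = {g: AESGCM.generate_key(bit_length=256) for g in groups}
    nonce = os.urandom(12)
    blob = AESGCM(master_key(group_keys)).encrypt(nonce, user_private_key, b"escrow")
    shares = {g: {u: pub.encrypt(group_keys[g], OAEP) for u, pub in members.items()}
              for g, members in groups.items()}
    return {"nonce": nonce, "blob": blob, "shares": shares}

def de_escrow(record: dict, participants: dict) -> bytes:
    """participants: group name -> (escrow user name, that user's RSA private key).
    One participant per group suffices; a group with none makes recovery impossible."""
    missing = set(record["shares"]) - set(participants)
    if missing:
        raise ValueError(f"no escrow user available for group(s): {sorted(missing)}")
    group_keys = {g: priv.decrypt(record["shares"][g][u], OAEP)
                  for g, (u, priv) in participants.items()}
    return AESGCM(master_key(group_keys)).decrypt(record["nonce"], record["blob"], b"escrow")

def demo() -> tuple:
    # Constructed sample: two escrow groups, three escrow users, one fake user key.
    alice, bob, carol = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    groups = {"legal": {"alice": alice.public_key(), "bob": bob.public_key()},
              "security": {"carol": carol.public_key()}}
    secret = b"constructed-sample-user-private-key"
    record = escrow(secret, groups)
    full = de_escrow(record, {"legal": ("bob", bob), "security": ("carol", carol)}) == secret
    try:
        de_escrow(record, {"legal": ("alice", alice)})  # nobody from "security" present
        partial = True
    except ValueError:
        partial = False
    return full, partial
```

`demo()` returns `(True, False)`: recovery succeeds with one escrow user from each group and is refused when any group has no participant, matching the note and caution that follow.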

note

One user from each escrow group needs to participate in key de-escrowing.

caution

If all escrow users in a group are unable or unwilling to participate in key de-escrowing, the private key cannot be recovered.

In what follows, we provide a high-level overview of each of the roles together with the set of activities they can perform. The detailed management associated with these roles is described in subsequent chapters.

Site-key Administrator

The site-key is used by tiCrypt to set up and manage the escrow users. For a site-key to be valid, it needs to be counter-signed by Tera Insights, LLC and to be provided to the tiCrypt backend via a configuration file.

The site-key administrator's role involves the following activities:

  • Generation of the site-key public-private key pair. This is accomplished via the site-key part of tiCrypt's front end.
  • Stewardship of the private site-key. Great care needs to be taken to guard the site-key private key, since the escrow keys, and thus the security of users' keys, can be compromised if the site-key is compromised.
  • Creation and deletion of escrow groups
  • Addition and removal of escrow users

note

The site-key administration is fully dissociated from the tiCrypt backend and does not require any backend access.

tip

It is highly recommended that Internet access be disabled during site-key activities.

note

In essence, the site-key is only used to sign digital orders that indicate escrow users and group administration.

caution

Site-key actions do not take effect until a tiCrypt administrator adds them to the system using the certificates interface.

note

Once signed, the site-key administration orders can be safely emailed or transferred via common means to the tiCrypt administrator.

Escrow Users

The escrow users' role is to participate in key de-escrowing activities and general escrow set maintenance. Specifically, escrow users can:

  • Get information on available key escrows for each tiCrypt user.
  • Share their group key with other group members. This is required if new escrow users are added to an escrow group
  • Share their group key with a designated escrow user that will recover a given tiCrypt user key
  • Recover a tiCrypt user's key (if they obtained the required group keys for all the groups)

note

Unless a group key is shared with a specific escrow user, the key cannot be recovered by the escrow user. The simple act of belonging to an escrow group is not sufficient.

caution

The simple act of generating an escrow user key does not grant any permissions in tiCrypt. Unless the escrow user key is counter-signed by the site-key administrator, the escrow users are not recognized by tiCrypt.

note

If multi-factor authentication is enabled, the recovered user private key can only be used if the multi-factors are satisfied.

tip

If the purpose of the key recovery is to re-establish user access, have the tiCrypt user be present during the key recovery process so that the recovered key can be protected by a password only known to the tiCrypt user.

tiCrypt Administrators

The main actions with respect to key escrow that can be performed by tiCrypt administrators are:

  • Control when/if the user's key is escrowed. This is accomplished by setting the user's state to Escrow on Login.
  • Remove existing user key escrows by deleting the encrypted group keys shared with escrow users.
  • Apply signed orders from the site-key administrator.

tip

The administrators can control whether to submit site-key signed orders but cannot change such orders in any way.

caution

Submitting a valid but incorrectly signed certificate results in a security violation and is reported by tiCrypt Audit.

note

The role of the administrators for key de-escrowing is severely limited.