Escrow Accounts Setup

Escrow Principles

Although escrows are usually reserved for high-level members of the organization and are conducted extremely rarely, you must be knowledgeable about the escrow principles to understand and solve potential problems in the future.

1. Security

Firstly, the escrow system is based on the tiCrypt principle: "Security First".

Most often, accounts are compromised through the Forgot Password option. tiCrypt will not trust an outside email provider to reset a tiCrypt user's password.

note

There is no forgot password button in tiCrypt. This is replaced by the escrow mechanism.

2. Compliance

Secondly, the escrow system is compliant, before, during and after the private key recovery process.

Institutions face a significant responsibility when signing a compliance paper. This task usually falls on the Chief Information Officer. The key to compliance is to solve the core problem at the system level, so that the institution is compliant because the system itself is.

Furthermore, compliance can be extended per project hence making the project compliant from a single click.

info
  • tiCrypt will not achieve compliance for you; it offers you the complete infrastructure to be fully compliant.
  • In a compliant system, everything is compliant.
note

Technical Contrast

  • The backend is extremely sophisticated, while the frontend is simple and user-friendly.
  • The most complex parts of the tiCrypt system are the escrow and the backup.

3. Collaboration

Thirdly, the escrow system forces more individuals to collaborate in the process.

In theory, collaboration is easy; however, in practice, it requires a separation of duties. As a result, no single person can hijack anything at any time.

note
  • Because of the escrow key security, the escrow system is completely separated from the main system.
  • Escrow users cannot carry out everyday activities, and regular users cannot act as escrow users.

Example:

An escrow key is 44 characters long and may be shared between four escrow users. If 3 out of 4 escrow users hold their key parts and decide to hijack your private key by guessing the rest of it, they still have to break all 44 characters instead of the 11 characters each of them holds.

Such an attempt also produces intense activity in the auditing system, which the audit team can notice immediately. An escrow needs the collaboration of all members to take place.
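The property behind this example, as an added illustration that is not tiCrypt's own escrow scheme: a 44-character key is split among four holders either naively (each holds 11 literal characters) or with an all-or-nothing XOR split, and the code counts how many candidate keys three colluding holders can still rule out. The key alphabet, the candidate set and the XOR construction are constructed assumptions for the demonstration.

```python
import secrets
import string

# Added illustration, not tiCrypt's actual escrow scheme. Numbers follow the
# text: a 44-character escrow key held by 4 escrow users, 3 of whom collude.
KEY_LEN, N_SHARES = 44, 4
ALPHABET = string.ascii_letters + string.digits + "+/"  # constructed key alphabet

def xor_bytes(*parts: bytes) -> bytes:
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def random_key() -> bytes:
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN)).encode()

def naive_split(key: bytes, n: int = N_SHARES) -> list[bytes]:
    """Weak split: share i is literally characters 11*i .. 11*i+10 of the key."""
    size = len(key) // n
    return [key[i * size:(i + 1) * size] for i in range(n)]

def naive_consistent(known: list[bytes], candidate: bytes) -> bool:
    """Colluders holding the first len(known) chunks rule a candidate out
    unless its corresponding chunks match theirs (only 11 chars stay unknown)."""
    return naive_split(candidate)[:len(known)] == known

def xor_split(key: bytes, n: int = N_SHARES) -> list[bytes]:
    """All-or-nothing split: n-1 uniformly random shares, last = key XOR rest."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    shares.append(xor_bytes(key, *shares))
    return shares

def xor_consistent(known: list[bytes], candidate: bytes) -> bool:
    """With one share missing, some value of that share makes *any* candidate
    reconstruct, so 3 of 4 shares rule nothing out: all 44 chars stay unknown."""
    missing = xor_bytes(candidate, *known)
    return xor_bytes(*known, missing) == candidate

def survivors(consistent, known: list[bytes], candidates: list[bytes]) -> int:
    """How many candidate keys the colluders cannot eliminate."""
    return sum(consistent(known, c) for c in candidates)

def demo(colluders: int = 3, trials: int = 1000) -> tuple[int, int]:
    key = random_key()
    candidates = [key] + [random_key() for _ in range(trials - 1)]
    naive_left = survivors(naive_consistent, naive_split(key)[:colluders], candidates)
    xor_left = survivors(xor_consistent, xor_split(key)[:colluders], candidates)
    return naive_left, xor_left  # (1, 1000): naive pins the key; XOR learns nothing
```

Under the naive split the three colluders eliminate every candidate but the real key; under the XOR split every one of the 1000 candidates remains possible, which is the "44 instead of 11 characters" point above.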

4. Slowness

Fourthly, escrowing a private key is a sensitive action. From a functionality perspective, speed contributes to a user-friendly experience. However, speed is at odds with security. This means an escrow process is conducted more slowly in order to achieve a fully controlled and secured recovery.

In tiCrypt, super-admins can create an order to delete escrow users, but cannot themselves delete them.

The slower recovery of a private key is not a bug but a feature that abides by the primal "Security First" tiCrypt principle.

The key to security is to enforce that multiple users collaborate, so that they escrow private keys together with full transparency. This massively reduces the risk of impersonation and social engineering.

5. Separation

Fifthly, super-admins, escrow users and the site-key user are completely separated from each other, fulfilling the tiCrypt principle "Separation of duties". However, all of them must contribute to the escrow process.

  • The Super-administrator prepares key orders for signature and creates escrow users' deletion requests.
  • The Site Key user counter-signs keys with a master key from Tera Insights LLC.
  • The Escrow users hold a part of the key.
note

The escrow process is a continuous chain of trust between digital signatures and the site-key.

info

Neither the super-admin nor the site-key admin has full control over the escrow process.

tip
  • You can use the site-key without being connected to the internet.
  • The best separation of roles is cryptographic and mechanical.

6. Clarity

The primal tiCrypt principle is "No security through obscurity", which states that:

  • You have to assume that the attacker has all your source code.

The tiCrypt team can reverse-engineer the code in both the frontend and the backend.

The escrow mechanism does not hide anything from an attacker; rather, it tolerates an unlimited number of attempts. The difference is that you will know exactly what tiCrypt does to keep the escrow process secure while still calmly recovering the user's private key.

Escrow Workflows

Every institution has its personalized workflow when it comes to escrowing.

Example: An escrow user may be the head of the department or a family member of a teacher, while a site-key admin could be the CIO or the librarian. It is hard to say who should take which role, since the ultimate decision belongs to the institution using tiCrypt.

Most of the time, the escrowing events will progress as follows:

  1. The user who lost their private key uses the institution's designated mechanism to inform the person responsible for escrowing their key.
  2. Escrow users from every group and site-key admins get together to nominate a designated escrow user who will collect all the private key parts physically.
  3. Once an escrow user is designated, the institution is notified.
  4. Once the single escrow user has collected all parts, the escrow is technically made available.
  5. In the physical presence of the user, the escrow user will hand over the recovery key offline.
  6. The user will type a new password on the newly recovered key.
note

The Super Admin has no role in the above process.

Side note: tiCrypt audits this process thoroughly, down to the millisecond.

caution

As an escrow user within an institution, attempting to impersonate a user or obtain their account password is a severe legal offense and is punished by law.

tip

We recommend a workflow for your escrowing strategy which includes unrelated trustworthy people from your organization.