Users
What is tiCrypt Key Pinning?
Key pinning in tiCrypt, also known as crowd security, is designed to prevent impersonation attacks and fraudulent digital certificates.
- Key pinning calculates the fingerprint from the key and stores it locally.
- Key pinning requires only 0.1 milliseconds to compute and store the fingerprint.
- A full Public Key contains 650 decimals.
- A full Private key is approximately the same size.
- A fingerprint contains about 80 digits, enabling much faster computation.
Do not confuse the key pinning principle with the key pinning action in the Vault.
The term fingerprint is synonymous with digital signature.
What is the Mechanism Behind Pinning Keys in the Vault?
Imagine you collaborate with a user.
An admin deletes the user, and creates a new one with the same username photo that looks almost, if not exactly, the same. Now they can impersonate the other user.
To prevent this from happening, tiCrypt looks into the backend and stores the hash of all users' public keys so anytime an interaction takes place with a user, in the present or in the future, tiCrypt knows if it's genuinely the same user with the same hash.
When you pin a key of a frequent user you collaborate with, you cannot perform operations with an impersonated user (similar to how SSH servers work).
Everytime you interact with a user, the front-end pins their key, to avoid man-in-the-midle attacks. tiCrypt memorizes the relationship between the user and the public key to an extremely detailed difference of 1 bit within a window of 0.1 ms.
Even if an attacker makes an exact copy of a public key, the system does not allow the attacker to do anything with it. The hash remembers the fingerprint of the user (standard name of the hash of the public key). The public key is large, while the fingerprint is small. It is easier to mine all Bitcoins in the world than to fake one tiCrypt digital signature.
Key fingerprinting takes less space and is standard practice. You can view this process live when you open your web browser on your local machine and check the certificate of SSH websites in the top left.
Fingerprints also propagate the digital signature as a standard cryptographic practice.
tiCrypt raises the cost of the attack above the profit an attacker would gain from a successful attack.
The moment the VM learns about the user, it pins the public key of the user and checks its signature every time you connect. This is one reason users are asked to enter their password when they start their VMs.
All operations in tiCrypt require a session; some operations require the key.
You can see the difference between these actions if you click your Open User Menu in the top left panel and notice the Key Timer on the left and the Session Timer on the right.
The session gets renewed every time you perform an operation. You also need your key every time tiCrypt requires a digital signature, such as sharing files, connecting to a VM, or viewing a new file, all of which are live decryption mechanisms.
The front end asks for your password to access to your private key to decrypt things in the backend.
The front end searches for your private key in your local machine, not in the backend, because your local machine and the backend don't trust each other.
Not even the VM controller trusts either the front end or the backend. The front end and the backend are always decoupled.
And that is how key pinning mechanism works in tiCrypt.
What is tiCrypt Crowd Security?
tiCrypt employs a form of crowd security.
The front end (typically the browser) stores the public key fingerprints of previously interacted users locally, beyond the reach of system administrators. When sharing a file with a user, tiCrypt front end requests and verifies the user's public key from the server using their digital signature.
tiCrypt uses SHA-256 as a secure signature technique, which is the NIST FIPS 140.2 recommended secure hashing scheme.
How does the Chain of Trust works with Crowd Security?
The chain of trust is given by the countersigning action of the Tera Insights key. Crowd security is another term for key-pinning.
How can I Pin User Keys?
Follow the instructions in Pin a User Key in the Vault.
How can I Unpin User Keys?
Follow the instructions in Unpin a User Key in the Vault.
What is the Distinction between a Key's Fingerprint and the Key Itself?
Fingerprint is a unique computed fingerprint(SHA-256) key summary of 44 characters and 256 bits which allows you to sign your private key and verify the signature with the public key.
Public/Private keys are cryptographic, hard to forge, symmetric and can be used when you sign a resource key.
For example, suppose you have a large PDF document and want a method to ensure we never edit the document. One method to ensure we never edit is to compare your original bit-by-bit document with what we edited to it. This action is known as secure hashing. Calculating numbers is how digital signatures work.
. Bitcoin depends on secure hashing.
How does tiCrypt Compute my Private Key?
The public key is a fixed exponent e and the product of the primes n = pq.
The private key is d =(p −1)(q −1) /e and n. The public and private keys are opposites of each other: messages encrypted with one have to be decrypted with the other.
Specifically, for m, a message, me mod n is the encrypted message; it can be decrypted by performing d(me) mod n = m mod n. Conversely, dm mod n is a digital signature that can be verified by performing e(dm) mod n = m mod n.
What is a Private key?
Private Keys are hidden SHA-256 asymmetric keys used to decrypt resources in tiCrypt and perform various actions.
- In tiCrypt, private keys are randomly generated for each user whenever they create a new tiCrypt account.
- Private keys work hand-in-hand with public keys and are 1/2 of a user key pair.
- Decryption of resources is used in combination with the resource key.
What is a Public key?
Public keys are visible SHA-256 asymmetric keys to the server and other users used to encrypt resources in tiCrypt and perform various actions.
- In tiCrypt, public keys are randomly generated for each user whenever they create a new tiCrypt account.
- Public keys work hand-in-hand with private keys and are 1/2 of a user key pair.
- Encryption of resources is used in combination with the resource key.
How does my Private Key Helps me Receive a File?
You do not have to perform anything in the front end; the following process happens in the backend under 0.1ms automatically.
Receiving a file requires your fingerprint and your private key blended.
fingerprint + private key = digital signature
Once the sender's digital signature is sent to you, your public key is used to verify the user's digital signature you received.
- You cannot perform anything in the system without your public key.
- The public key is stored on the server.
What is a Resource Key?
The resource key is the symmetric key, also called AES-256 key, which encrypts a tiCrypt resource.
The symmetric AES-256 resource key works hand-in-hand with the asymmetric RSA-256 public key where the user's public key is used to open the resource key.
Resource keys are never left naked or randomly stored; they are used in the shortest amount of time possible and automatically destroyed afterward. If the AES-256 resource key is lost then the tiCrypt object can never be decrypted again.
What is the Resource Key Exchange when Creating A File in tiCrypt?
When you create a new file, your public key makes a "box" where the hidden resource key resides. Next, you automatically combine your public key with the hidden resource key from the "box" to create a new encrypted user key tagged by the resource ID and your user ID. At this point, the server can view the new encrypted user key. The new encrypted user key can now be decrypted only with your private key.
The above process takes place in 0.1 milliseconds.
- You can only decrypt resource keys that were encrypted with your public key.
- Cloning a resource key is useless because it is only encrypted with your key. As an admin, you can never create new encrypted user keys.
What is the Purpose of a Retained Pane Width Between Sessions?
The pane separator position is automatically saved between sessions on the same local machine/browser. The info is saved in Local Storage and will be remembered as long as the browser cache is not deleted.
The pane separator position is not shared between local machines/browsers. The main reason is the fact that the best layout depends on the screen used, thus is most likely different for other local machines.