PROTECT
DATA DISCLOSURE & MANIPULATION MITIGATION USING CRYPTOGRAPHY

Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries) - wikipedia

In relation to mydigitalstructure the focus is on at-rest protection that can be gained via the use of cryptography - given the in-transit protection is inherent in the use of https/SSL protocols.

mydigitalstructure is non-prescriptive in the cryptography scheme you choose to implement as the application owner - mydigitalstructure does provide some helper methods for storing keys and ciphertext (hashes, encypted data etc)

The 1blankspace open-source namespace/webapp uses the crypto-js library and the AES algorithm within its util.protect namespace.

AT-REST PROTECTION USE CASES
Ensure data has not been manipulated by any 3rd party (adversary).

Protect against manipulation at the lowest level.

ie.

Create a hash of the data record using the private key and store on the record.

On retrieval from the hosted model (mydigitalstructure) the View-Controller checks the hash before using the data.

 

Use

CORE_PROTECT_CIPHERTEXT

to store the hash (signature) in the context of the data.

Encrypt sensitive data.

Protect against non-authorised disclosure at the lowest level.

ie.

Store public key in mydigitalstructure space.

Encrypt data using stored public key for at rest protection of sensitive data.

Decrypt data using Javascript & matching private key stored locally.

Store your generated public key within your space on mydigitalstructure using

CORE_PROTECT_KEY

 

 

CRYPTOGRAPHY MECHANISMS COMMONLY USED
IN ENTERPRISE APPLICATION SECURITY

 


EXAMPLE 1
SYMMETRIC (SINGLE KEY)
DATA MANIPULATION PROTECTION PATTERN
WITH MVC & MYDIGITALSTRUCTURE

Add hashed signature to data record using symmetric cryptographic pattern (single private key):

  1. Generate a private key
  2. Store on the secure local device using Web Browser localStorage API.
  3. Retrieve the key and using select data record attributes (typically includes modifieddate etc) create SHA-512 hash (acting as digital signature)
  4. POST to mydigitalstructure using CORE_PROTECT_HASH_MANAGE

Check hashed signature

  1. Get the private key using the localStorage API
  2. Get the data record and hash using SHA-512
  3. Get the existing hash (signature) using CORE_PROTECT_CIPHERTEXT_SEARCH
  4. Check the just created hash and existing hash and if match data is valid (un-manipulated)

If you have multiple users within the space and they need to share the data, then you need to distribute the keys to each of them, unsually in a pem formated file.

Don't use mydigitalstructure to store the private key - as it reduces the value of the protection.

EXAMPLE 2
ASYMMETRIC (KEY PAIR)
DATA MANIPULATION PROTECTION PATTERN
WITH MVC & MYDIGITALSTRUCTURE
Less strict than example 2 as some of the knowledge (public key) is stored on mydigitalstructure and only concerned with in-transit manipulation and don't trust SSL or over non-encrypted connection.

You could use this with the MESSAGING_CONVERSATION endpoint where want message (posts & comments) integrity. ie when viewing the post/comment and with the correct private key, you can be ensured it has not been manipulated in-transit. 

Add hashed signature to data record using asymmetric cryptographic pattern (public-private key):

  1. Generate a public / private key pair
  2. Store the private key on the secure local device using Web Browser localStorage API.
  3. Store the public key on the secure mydigitalstructure service using CORE_PROTECT_KEY_MANAGE api method. 
  4. Retrieve the "public" key using CORE_PROTECT_KEY_SEARCH and using select data record attributes (typically includes modifieddate etc) create RSA/SHA-512 hash (acting as digital signature)
  5. POST the actual data record to mydigitalstructure using object _MANAGE method (ie INVOICE_MANAGE)
  6. POST the hash to mydigitalstructure using CORE_PROTECT_CIPHERTEXT_MANAGE

Check hashed signature

  1. Get the private key using the localStorage API
  2. Get the data record
  3. Get the existing hash (signature) using CORE_PROTECT_CIPHERTEXT_SEARCH
  4. Decrypt using the private key
  5. Check the decrypted select data attributes match select data attributes retrieved.
EXAMPLE 3
ASYMMETRIC (KEY PAIR)
DATA DISCLOSURE PROTECTION PATTERN
WITH MVC & MYDIGITALSTRUCTURE
Using a public key stored on mydigitalstructure to protect data, beyond the existing authentication and authorisation mechanisms within mydigitalstructure.

Add hashed signature to data record using asymmetric cryptographic pattern (public-private key):

  1. Generate a public / private key pair
  2. Store the private key on the secure local device using Web Browser localStorage API.
  3. Store the public key on the secure mydigitalstructure service using CORE_PROTECT_KEY_MANAGE api method. 
  4. Retrieve the "public" key using CORE_PROTECT_KEY_SEARCH and using select data record attributes (typically includes modifieddate etc) create RSA/SHA-512 encrypted data.
  5. POST the hash to mydigitalstructure using CORE_PROTECT_CIPHERTEXT_MANAGE. You could also create an text type structure element and store it there - it could then be retrieved as part of the generic advanced search (although not searchable) and decrypted by the client with the private key.
Do not save the data attributes that you are protecting to the data record - they are being saved in the ciphertext.

Check hashed signature

  1. Get the private key using the localStorage API
  2. Get the data record
  3. Get the data record hash using CORE_PROTECT_CIPHERTEXT_SEARCH
  4. Decrypt using the private key
  5. Add the data to object data record.

 

 

Protection & Security
Authentication protection
Cryptography (wikipedia)
crypto-js
(hosted @ mydigitalstructure)
jsrsasign
jsjwt
Standford Crypto JS Library
ECDSA
PKCS

....