With a collection of open source distributed servers, all sharing every user's data, how can the user authenticate with any server without the passwords being compromised by a malicious server?
Also, in order to store the user's data on the network securely, is the best approach to store the user's public key, the private key encrypted with the user's password, and the user's data encrypted with the public key? These three values are then passed to the client for decryption using the password.
The solution needs to be as decentralised as possible, but be able to share encrypted user data and authentication data with anyone setting up a server using the source code. Once a user has selected a server in the distributed pool and authenticated using the pool's authentication data, the server needs to send the collective copy of the encrypted data to the client for client-side decryption.
What cryptographic method can I use to achieve this in the client and server application being developed?
I've added a diagram to try and help explain the scenario. Would a possible alternative to authentication be the client having to send signed messages when updating the data? I assume since the data in the 'cloud' of servers is all public, it doesn't matter if the client is sent the encrypted data, public key and AES-encrypted private key without authentication? Is it best to pass the AES passphrase through PBKDF2 with a random salt? Or is scrypt and AES more advisable?
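One way the signed-update idea raised in the question could look, as an added example that is not part of the original post: the client wraps its private key under a PBKDF2-derived AES key, and any server checks updates using only the public record, so no password ever reaches a server. Assumptions: Node.js built-in `crypto`, Ed25519 for signatures, AES-256-GCM for the key wrap, the iteration count, the update counter, and all function names are choices made for this example.

```javascript
const crypto = require('crypto');

const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor for this example

// Client: derive an AES-256 key from the passphrase and a per-user random salt.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');
}

// Client: create a signing key pair and wrap the private key under the passphrase.
// Every field returned here can be replicated to all servers in the pool.
function createAccount(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const wrapped = Buffer.concat([cipher.update(der), cipher.final()]);
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    salt, iv, wrapped, tag: cipher.getAuthTag(),
  };
}

// Client: recover the private key. A wrong passphrase fails the GCM tag check and throws.
function unwrapPrivateKey(record, passphrase) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, record.salt), record.iv);
  d.setAuthTag(record.tag);
  const der = Buffer.concat([d.update(record.wrapped), d.final()]);
  return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
}

// Client: sign an update of already-encrypted data; the counter blocks replays.
function signUpdate(privateKey, counter, ciphertext) {
  const msg = Buffer.concat([Buffer.from(String(counter) + ':'), ciphertext]);
  return crypto.sign(null, msg, privateKey);
}

// Server: accept an update only if it is newer and signed by the account's key.
function serverAccepts(record, lastCounter, counter, ciphertext, signature) {
  if (!Number.isInteger(counter) || counter <= lastCounter) return false;
  const msg = Buffer.concat([Buffer.from(String(counter) + ':'), ciphertext]);
  return crypto.verify(null, msg, crypto.createPublicKey(record.publicKey), signature);
}
```

Because the salt and wrapped key are readable by anyone in this design, passphrase strength and KDF cost are the only barrier to offline guessing of the passphrase.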