--- "Patrick R. Michaud" <[EMAIL PROTECTED]> wrote: > On Thu, Oct 25, 2007 at 12:38:00AM +0900, Paul John > > The tricky part to the whole process is figuring out > where to store the encryption key ...the key has to > be stored in cleartext somewhere, so anyone who is > able to gain the encryption key (e.g., > by looking at the configuration file containing the > key) will also be able to decrypt the files. > > There has also been some discussion about this at > http://www.pmwiki.org/wiki/PITS/00545 .
I have added the following suggestion to that page: I think that key management could be done by separating the keys used to encrypt each page and the passwords used to access the keys. Each page would get a randomly generated key, a "page-key", and be encrypted with that key. The page-key would then be stored in the page-key management infrastructure which could have various implementations. This page-key would not ever need to be changed, even when passwords change. One form of page-key management could be implemented with a directory called "page-keys". In this directory there would be various key files which would be bound to a specific password for a user or group (role) depending on the authentication method being used. So, for each combination of password that can be used to log into the site a separate key file would exist. This key file would contain all the page-keys to all the pages that this particular password can access. The page-keys in a key file would be encrypted with a public key for this file. This public key would be stored unencrypted at the beginning of the key file allowing anyone to add page-keys to this file without necessarily being able to decrypt the file contents. The use of PKI here is important to ensure that any user creating a page does not have to know the passwords of all the other users/groups allowed to access this page. Finally, the private key for a key file could be encrypted in the key file with a password allowing the private key to be something obtuse generated along with the public key, but the password can be something simpler for users to remember/type. This makes it very easy to change a password, simply re-encrypt the private key for one key file and voila, done. No need to re-encrypt any other pages, files or keys! A scheme like this would even allow for a (or several) site wide admin passwords which could be used for recovery. -Martin __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
