
Escrow Overview

In this section
  • Introduction to Subadmin Managed Objects.
  • Escrow principles: public key cryptography.
  • Escrow workflows.
  • How to create escrow user accounts.
  • How to create the site-key admin account.
  • How to import & sign escrow certificates.
  • How to escrow other users' keys.

In tiCrypt, all resources are encrypted using AES-256 randomly generated resource keys managed via public-key cryptography.

Each user has a private key that can be used to decrypt their copy of the resource key to be able to access a resource such as files, groups, projects, teams, virtual machines, drives, etc.

Due to the strength of the encryption algorithms used, should a user lose or refuse to use their key, the data (files, messages, drives) is impossible to recover.

To allow users to regain access to their data in case of key loss, or to allow data access for law enforcement in extenuating circumstances, tiCrypt provides a sophisticated key-escrow mechanism that can recover a user's private key and thus re-establish access. This document provides details on the guiding principles and the mechanisms governing tiCrypt key escrow and key recovery.


The following principles guided the design of the key escrow mechanism in tiCrypt:

  • Cryptographic mechanisms: To the extent possible, cryptographic methods like encryption and digital signatures should be used instead of access control lists.
  • Separation of duties: Any key recovery should involve the collaboration of multiple players; no single person should be able to recover a key. This way, the key-recovery mechanism is not compromised if any one user's credentials are compromised.
  • Minimize admin power: The role of administrators (system or tiCrypt) should be minimized to protect against backend security breaches. Specifically, the administrators should not be able to recover user keys and, for the most part, play only a minor role in the process.

There are three distinct roles involved in the key escrow mechanism in tiCrypt:

  • Escrow Users: a special type of user that can only perform escrow-related activities. Escrow user keys do not allow any regular tiCrypt user activities.
  • Site-key Administrator: determines the escrow users and how they are organized into escrow user groups.
  • tiCrypt Administrators: apply the signed orders of the site-key administrator, and initiate the escrow key mechanism.

The user key is escrowed using the following mechanism:

    1. The key escrowing is initiated by tiCrypt administrators (by setting the user state to Escrow On Login).
    2. The key escrowing happens when the user key is available in a decrypted state (after the user provides their password).
    3. A random AES-256 encryption key is generated for each escrow group.
    4. A master AES-256 encryption key is created by combining the group keys.
    5. The user's private key is encrypted with the master AES-256 key and saved on the tiCrypt backend.
    6. Each group key is cryptographically shared with each escrow user in the group. The encrypted keys are deposited on the tiCrypt backend.

Key de-escrowing requires the recovery of each group key and then the reconstruction of the master AES-256 key. The encrypted user key can then be retrieved from the tiCrypt backend and decrypted.

One user from each escrow group must participate in key de-escrowing.

caution

If all escrow users in a group are unable or unwilling to participate in key de-escrowing, the private key cannot be recovered.
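The escrow steps above and the de-escrow requirement, as an added Go example; this is illustrative code, not tiCrypt's own implementation. It assumes RSA-OAEP as the way each group key is "cryptographically shared" with an escrow user, a SHA-256 hash over the concatenated group keys as the "combination" that forms the master key, and AES-256-GCM as the cipher that seals the user's private key; the page names none of these specifically. Recover takes the private key of one escrow user per group and fails when any group has no participant, which is exactly the caution above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EscrowRecord is what the backend stores after escrow; no single field decrypts on its own.
type EscrowRecord struct {
	WrappedUserKey []byte     // AES-256-GCM(masterKey, userPrivateKey), nonce prepended
	GroupShares    [][][]byte // GroupShares[g][m] = RSA-OAEP(escrow user m's public key, groupKey[g])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) { // AES-256-GCM, random nonce prepended
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) { // the GCM tag check rejects a wrong master key
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open escrow record (cipher error: %v, length: %d)", err, len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// combineGroupKeys derives the master key from the ordered group keys. Assumption: the page
// only says "combination of the group keys"; hashing their concatenation is one way to do it.
func combineGroupKeys(groupKeys [][]byte) []byte {
	h := sha256.New()
	for _, k := range groupKeys {
		h.Write(k)
	}
	return h.Sum(nil) // 32 bytes, used directly as the AES-256 master key
}

// Escrow performs steps 3 to 6: per-group AES-256 keys, each shared with its escrow users by RSA-OAEP; their combination seals the user key.
func Escrow(userPrivateKey []byte, groups [][]*rsa.PublicKey) (*EscrowRecord, error) {
	groupKeys := make([][]byte, len(groups))
	shares := make([][][]byte, len(groups))
	for g, members := range groups {
		groupKeys[g] = make([]byte, 32)
		if _, err := rand.Read(groupKeys[g]); err != nil {
			return nil, err
		}
		for _, pub := range members {
			share, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, groupKeys[g], nil)
			if err != nil {
				return nil, err
			}
			shares[g] = append(shares[g], share)
		}
	}
	wrapped, err := seal(combineGroupKeys(groupKeys), userPrivateKey)
	if err != nil {
		return nil, err
	}
	return &EscrowRecord{WrappedUserKey: wrapped, GroupShares: shares}, nil
}

// Recover unwraps one share per group, recombines the master key and returns the user key.
// participants maps a group index to the private key of the one escrow user from that group taking part.
func Recover(rec *EscrowRecord, participants map[int]*rsa.PrivateKey) ([]byte, error) {
	groupKeys := make([][]byte, len(rec.GroupShares))
	for g, shares := range rec.GroupShares {
		priv, ok := participants[g]
		if !ok {
			return nil, fmt.Errorf("no participant from escrow group %d: key cannot be recovered", g)
		}
		for _, share := range shares { // OAEP only opens the share wrapped for priv's public key
			if k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, share, nil); err == nil {
				groupKeys[g] = k
			}
		}
		if groupKeys[g] == nil {
			return nil, fmt.Errorf("group %d: participant holds no share of that group's key", g)
		}
	}
	return open(combineGroupKeys(groupKeys), rec.WrappedUserKey)
}
```

In a deployment only the EscrowRecord would sit on the backend; each escrow user unwraps their own share on their own client with their own private key, so the group keys and the reconstructed master key exist only on the client performing the recovery, never on the server.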

Escrow Principles: Public Key Cryptography

Although escrows are usually reserved for high-level members of the organization and conducted extremely rarely, you must know the escrow principles to understand and solve potential problems in the future.

1. Security

Firstly, the escrow system is based on the tiCrypt principle: "Security First".

Most often, accounts are compromised due to the Forgot Password option. tiCrypt will not trust an outside email provider to reset a tiCrypt user password.

note

There is no forgot password button in tiCrypt. This option is replaced by the escrow mechanism.

2. Compliance

Secondly, the escrow system is compliant before, during, and after the private key recovery process.

Institutions take on a significant responsibility when signing a compliance document. This task usually falls to the Chief Information Officer. The key to compliance is to solve the core problem, building a system that is compliant by design, so that compliance follows from the system itself.

Furthermore, compliance can be extended per project, making a project compliant with a single click.

info

  • tiCrypt does not achieve compliance for you; it offers you the complete infrastructure to be fully compliant.
  • In a compliant system, everything is compliant.

note

Technical Contrast

  • The backend is extremely sophisticated, while the frontend is simple and user-friendly.
  • The most complex part of the tiCrypt system is the escrow.

3. Collaboration

Thirdly, the escrow system forces more individuals to collaborate in the process.

In theory, collaboration is easy; however, in practice, it requires a separation of duties. As a result, no single person can hijack anything at any time.

note
  • For the security of the escrow keys, the escrow system is completely separated from the main system.
  • Escrow users cannot carry out everyday activities, and regular users cannot perform escrow activities.

Example:

An escrow key is 44 characters long and may be shared between four escrow users. If 3 out of 4 escrow users have their private keys and decide to collude and guess your private key, they still have to recover all 44 characters instead of the 11 characters each of them holds.

Such attempts also produce intense activity in the auditing system, which the audit team can notice immediately. An escrow requires the collaboration of all members to take place.

4. Slowness

Fourthly, escrowing a private key is a sensitive action. From a functionality perspective, speed contributes to a user-friendly experience. However, speed is in tension with security. This means an escrow process is conducted more slowly to achieve a fully controlled and secure recovery.

In tiCrypt, super-admins can create an order to delete escrow users but cannot themselves delete them.

A private key's slower recovery is not a bug but a feature that abides by the primary tiCrypt principle: "Security First".

The key to security is to require multiple users to collaborate, so that private keys are escrowed together with full transparency. This massively reduces the risk of impersonation and social engineering.

5. Separation

Fifthly, super-admins, escrow users, and the site-key user are entirely separated from each other, fulfilling the tiCrypt principle: "Separation of duties". However, all of them must contribute to the escrow process.

  • The Super-administrator prepares key orders for signature and creates escrow users' deletion requests.
  • The Site Key user counter-signs keys with a master key from Tera Insights LLC.
  • The Escrow users hold a part of the key.

The escrow process is a continuous chain of trust between digital signatures and the site-key.

info

Neither the super-admin nor the site-key admin has complete control over the escrow process.

tip
  • You can use the site-key without being connected to the internet.
  • The best separation of roles is cryptographic and mechanical.

6. Clarity

The primary tiCrypt principle is "No security through obscurity", which states that:

  • You have to assume that the penetrator has all your source code.

The tiCrypt team can reverse-engineer the code in both the frontend and the backend.

The escrow mechanism hides nothing from a penetrator and remains secure even if the penetrator is allowed unlimited trials. The difference is that you will know precisely what tiCrypt does to secure the escrow process and can still calmly recover users' private keys.

Private Key Password Journey

  • A user's private key is stored in what we call the 'box'.
  • The password protects the box holding the private key.
  • The user is in possession of the box the whole time.
  • The user's password opens the box to get their private key.
  • When the key is escrowed, the user has to provide their password to open the box; the one key is then split into three keys, and all of them must be handed over to the system by the escrow users and the other parties.

note

Users can never recover their passwords, but they can recover their private keys so they can put them in a different 'box' with a different password.

Escrow Workflows

In the following, we will provide a high-level overview of each role and the set of activities they can perform. The detailed management associated with these roles is described in subsequent chapters.


Every institution has its personalized workflow when it comes to escrowing.

Example: An escrow user may be the head of a department or a teacher, while a site-key admin could be the CIO or the librarian. It is hard to say who should take which role, since the ultimate decision belongs to the institution using tiCrypt.

Most of the time, the escrowing events will progress as follows:

  1. The user who lost their private key uses the institution's designated mechanism to inform the person responsible for escrowing their key.
  2. Escrow users from every group and the site-key admin nominate a designated escrow user who will collect all the private key parts physically.
  3. Once an escrow user is designated, the institution is notified.
  4. Once that escrow user has collected all the parts, the escrow is technically available.
  5. In the user's physical presence, the escrow user hands over the recovery key offline.
  6. The user sets a new password for the newly recovered key.

note

The Super Admin has no role in the above process.

Side note: tiCrypt audits this process thoroughly, down to the millisecond.

caution

As an escrow user within an institution, attempting to impersonate a user by means of their account password constitutes a seriously illegal and fraudulent action that is punishable by law.

tip

We recommend an escrowing workflow that includes unrelated, trustworthy people from your organization.

Create Escrow User Account

Create Site-key Admin Account

Import and Sign Escrow Certificates

Escrowing Users


You have completed the escrow tutorials. You can practice the actions you learned by using tiCrypt. Optionally, you can explore the Escrow section to learn more about other escrow accounts.