
Encryption and KMS

Here is the control flow for managing encryption keys during data upload, sharing, and download from the Arcana Store:

Upload


Control Flow

  1. Generate a symmetric key S and a temporary public/private key pair T, where

    T = {public key \(P_k\), private key \(S_k\)} is associated with an address A

    The symmetric key S is used to encrypt the file data.

  2. Initiate a meta-transaction to the Gateway. This records the upload request and the address A on the Arcana blockchain. Note that this address corresponds to the temporary public/private key pair T created earlier; T is used to sign the symmetric key S.

  3. Before storing, split key S into key shares \(K_i\).

  4. Sign each \(K_i\) with the temporary private key \(S_k\).

  5. Encrypt each signed \(K_i\) with the corresponding \({P_k}_i\), the public key of the i-th DKG node, and send one share to each node.

  6. Each DKG node decrypts its share with its own private key \({S_k}_i\) to recover the signed \(K_i\).

  7. The node verifies that \(K_i\) was correctly signed by \(P_k\) (the temporary public key) and that \(P_k\) corresponds to the address A recorded on chain.

Share


Control Flow

  1. The Gateway node communicates with the Arcana blockchain and adds the intended recipient's address to the shared data file's access control list.

Download


Control Flow

  1. Generate a temporary public/private key pair T, where

    T = {public key \(P_k\), private key \(S_k\)} is associated with an address A

  2. Initiate a meta-transaction to the Gateway node. This records the download request and the address A on the Arcana blockchain. Note that this address A corresponds to the temporary public/private key pair T created earlier.

  3. Get the transaction hash from the Gateway node.

  4. Sign the transaction hash using the temporary private key \(S_k\) and send it to the DKG node.

  5. DKG node verifies the signature.

  6. DKG node verifies on chain that address A has the requisite permission to download the file.

  7. The DKG node encrypts the key shares using the temporary public key \(P_k\) and sends them to the client.

  8. Client uses the temporary private key, \(S_k\), to decrypt the key shares.

  9. Client reconstructs the symmetric key S from the key shares.


Last update: January 7, 2023 by shaloo