
Encryption and KMS

Here is the control flow for managing encryption keys during data upload, sharing, and download from the Arcana Store:

Upload


  1. Generate a symmetric key $S$ and a temporary public/private key pair $T$, where

    $T = \{\text{public key } P_k,\ \text{private key } S_k\}$, associated with an address $A$

    The symmetric key $S$ is used to encrypt the file data.

  2. Initiate a meta-transaction to the Gateway. This records the upload request and the address $A$ on the Arcana blockchain. Note that this address corresponds to the temporary public/private key pair $T$ created earlier; $T$ is used to sign the symmetric key $S$.

  3. Before storing, split the key $S$ into key shares $K_i$.

  4. Sign each $K_i$ with the temporary private key $S_k$.

  5. Encrypt each signed $K_i$ with the corresponding ${P_k}_i$, the public key of DKG node $i$, and send one share to each node.

  6. Each DKG node decrypts the received ciphertext with its own private key ${S_k}_i$ to recover the signed $K_i$.

  7. Each DKG node verifies that the signed $K_i$ carries a valid signature under $P_k$ (the temporary public key) and that $P_k$ corresponds to the address $A$ recorded on chain.

Share


  1. The Gateway node communicates with the Arcana blockchain, and the intended recipient's address is added to the shared file's access control list.

Download


  1. Generate a temporary public/private key pair $T$, where

    $T = \{\text{public key } P_k,\ \text{private key } S_k\}$, associated with an address $A$

  2. Initiate a meta-transaction to the Gateway node. This records the download request and the address $A$ on the Arcana blockchain. Note that this address $A$ corresponds to the temporary public/private key pair $T$ created earlier.

  3. Get the transaction hash from the Gateway node.

  4. Sign the transaction using the temporary private key $S_k$ and send it to the DKG node.

  5. DKG node verifies the signature.

  6. The DKG node verifies on chain that address $A$ has the requisite permission to download the file.

  7. The DKG node encrypts its key shares using the temporary public key $P_k$ and sends them to the client.

  8. The client uses the temporary private key $S_k$ to decrypt the key shares.

  9. The client reconstructs the symmetric key $S$ from the key shares.
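The two ends of this flow, splitting $S$ into shares $K_i$ (Upload, step 3) and rebuilding $S$ from the shares returned by the DKG nodes (Download, step 9), as an added illustration that is not Arcana's own code. The page does not name the splitting scheme, so this example assumes a threshold scheme (Shamir's secret sharing over a prime field) and a constructed 32-byte key; the signing and per-node encryption steps are outside this block.

```python
import secrets

# Assumption: a 256-bit prime field so a 32-byte symmetric key fits in one element.
# This is the secp256k1 base-field prime; any prime above 2**256 - 1 would do.
PRIME = 2**256 - 2**32 - 977


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate the sharing polynomial at x (Horner's rule), modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, n: int, t: int) -> list[tuple[int, int]]:
    """Upload step 3: split symmetric key S into n shares K_i = (i, f(i)).

    The constant term of f is S; any t shares reconstruct it, fewer reveal nothing.
    """
    secret = int.from_bytes(key, "big")
    if not (secret < PRIME and 1 <= t <= n):
        raise ValueError("key does not fit the field or threshold is invalid")
    # t-1 uniformly random coefficients from a CSPRNG, never from random.random().
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def reconstruct_key(shares: list[tuple[int, int]], key_len: int = 32) -> bytes:
    """Download step 9: Lagrange-interpolate f(0) from the decrypted shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed sample symmetric key S
    shares = split_key(key, n=5, t=3)        # one share per DKG node
    assert reconstruct_key(shares[1:4]) == key
    assert reconstruct_key(shares[:2]) != key  # below threshold: garbage, not S
```

Reconstruction with fewer than t shares still returns a value, so the client must rely on the DKG nodes' permission check rather than on the arithmetic failing loudly.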