Question

Or: How to store encrypted data for a bunch of users?

I admit it's a silly question; a private key is limited to only one person, as the term already implies. But I have the following scenario:

User Tom enters data that needs to be stored encrypted in a database. The user decides he wants to make this information available to Jim and Bob. The users John and Jayne must not be able to decrypt it. Of course, also not user Tim, who hacked the server and has access to the encrypted data and the scripts that do the encryption/decryption.

I think the public key/private key approach with PHP's openssl_public_encrypt function won't work here, as two users need to have that "private" key to decrypt the data.

I guess this is a rather general question, but if it's important, it must be done in PHP (and MySQL maybe).

Solution

That's how it's done in OpenPGP (and other systems):

  • you generate a secret symmetric key, which is used to encrypt the data itself;
  • then, this symmetric key is encrypted with Tom's key;
  • also, the symmetric key can be encrypted with Jim's and Bob's public keys, allowing them to decrypt the key and after that decrypt the data.

OTHER TIPS

PHP provides a function for this - openssl_seal(). This function takes an array of public keys, and encrypts the data so that any one of the corresponding private keys can be used to decrypt it (using openssl_open()).
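Added example (not code from the answer above or from the PHP manual) showing that openssl_seal()/openssl_open() flow for the question's scenario: the record is sealed once for Tom, Jim and Bob, Jim opens it with his private key, and John, whose public key was not in the recipient list, cannot. Key pairs are generated inline so the script runs stand-alone; in a real deployment each user would hold their own private key off the server.

```php
<?php
// Added example, not the answer's code: envelope encryption with openssl_seal()/openssl_open().
// Throwaway RSA key pairs per user (constructed for the demo; real users keep their own).
function makeKeyPair(): array {
    $priv = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    $pubPem = openssl_pkey_get_details($priv)['key'];
    return ['private' => $priv, 'public' => openssl_pkey_get_public($pubPem)];
}

$users = [];
foreach (['tom', 'jim', 'bob', 'john'] as $name) {
    $users[$name] = makeKeyPair();
}

$plaintext = "Constructed sample record: Tom's confidential notes";
$cipher    = 'aes-256-cbc';

// Seal once for the authorised recipients. openssl_seal() generates a random
// symmetric key, encrypts the data with it, and returns one copy of that key
// encrypted under each public key in $recipients (same order as the array).
$recipients = [$users['tom']['public'], $users['jim']['public'], $users['bob']['public']];
$sealed = $encKeys = $iv = null;
if (openssl_seal($plaintext, $sealed, $encKeys, $recipients, $cipher, $iv) === false) {
    throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
}

// What would be stored in the database: ciphertext, IV, and one wrapped key per recipient.
$stored = [
    'ciphertext' => base64_encode($sealed),
    'iv'         => base64_encode($iv),
    'keys'       => ['tom' => $encKeys[0], 'jim' => $encKeys[1], 'bob' => $encKeys[2]],
];

// Jim decrypts using his own private key and his wrapped copy of the data key.
$out = '';
$ok = openssl_open(base64_decode($stored['ciphertext']), $out, $stored['keys']['jim'],
                   $users['jim']['private'], $cipher, base64_decode($stored['iv']));
var_dump($ok && $out === $plaintext);

// John has no wrapped key of his own; even given Tom's entry, his private key
// cannot unwrap it, so openssl_open() reports failure and $out stays empty.
$out = '';
$ok = openssl_open(base64_decode($stored['ciphertext']), $out, $stored['keys']['tom'],
                   $users['john']['private'], $cipher, base64_decode($stored['iv']));
var_dump($ok);
```

Note that aes-256-cbc gives confidentiality only; if an attacker with database access (the question's Tim) could tamper with stored ciphertext, add an integrity check such as an HMAC over ciphertext and IV, or seal an already-authenticated payload.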

I don't know the libraries in PHP. But in general the procedure is as follows:

  • Data is encrypted using a symmetric key
  • For each recipient, the key is encrypted using the recipient's public key
  • All this is saved in a PKCS#7 file structure

There should be some results when looking up "PHP and PKCS7"...

Use a data encryption key (call it Kgeneral) that's distinct from Tom's key.

Encrypt Kgeneral with Tom's public key and give the result to Tom - he can use his private key to decrypt it and obtain Kgeneral.

If another user then needs access to the data, Tom (or your application) can then encrypt Kgeneral with his public key, and give him access that way.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow