|
Host Proof Storage (HPS) is the encryption of user information before it leaves the client to be stored in the server. The keys used to encrypt the information are never sent to the server: this information stored by the server, therefore, can only be opened by the client who has the key used to encrypt it. Given a client server model with a client and a server. The client wants to store information remotely in the server. The client, first encrypts the information with an encryption algorithm and then sends the result of the encryption, meant as encrypted information (in cryptography, referred to as ciphertext), to the server. The server stores the ciphertext. But the server cannot access this ciphertext as the key to decrypt it resides on the client. Never the keys to decrypt the data are sent to the server in plain text. As this would allow the server to access client's encrypted data using such key. The implication of this procedure is that the servers cannot analyze or access the content that the client have stored. For example, this concept would allow secure emails, unreadable by the host., or client's passwords for every site could be centralized in one place, securely encrypted. Multiple applications employing HPS that have been introduced to the market. Operation HPS consists of encrypting the user’s information before it leaves the client to be stored on the server. The keys used to encrypt the information are never sent to the server. This means that the server doesn’t know what it’s receiving, and if done properly, will never be able to access it. Consider thee client application on a smartphone and stored credit card information. The process is: # The user enters a password to access the app. # The client application makes it stronger, if needed, with key salting algorithms (PBKDF2-PK5 standards). # The user marks the data that needs to be stored. # Prompted by the password entered by the user, the client application encrypts the data, using different algorithms provided in its libraries. # The encrypted information is sent to the server to be stored. And when the user wants to retrieve the stored information: # The user, again, enters the password used to store the data. # The client application makes it stronger, if needed, with key salting algorithms (PBKDF2-PK5 standards). # The client application request specific data. # The client application decrypts the data using the password entered by the user. # The data is then provided, clearly, to the user. History The idea of Host Proof Storage was first conceptualized by Richard Schwartz in 2005, and later fleshed out on the Ajax Patterns wiki under the name of Host Proof Hosting. Later, Michael Mahemoff, father of Ajax Patterns, wrote about the technology on his blog and explained how applications privy to sensitive data could use on-the-fly encryption to store that data in remote servers. Similarly, Aldo Cortesi has written several posts about Host Proof Storage. He created an application that could store encrypted notes on the server, using HPS, called cryp.sr - a minimal host-proof cryptographic list manager. It has no authentication, uses no cookies, no email is required for registration and client's password never leaves the client's browser. Aldo Cortesi mentions: :"It turns out that the first tentative steps towards a better way of doing things have already been taken. The broad goal is simple: to design web applications in such a way that we don't have to trust the host. Javascript interpreters are fast enough nowadays to do real-world crypto at reasonable speeds, so we can encrypt and decrypt data on the client side and store only encrypted data on the server. The server never sees our encryption keys, and if the implementation is secure, couldn't access our data even if it tried."
|
|
|