We store customer information that we shouldn't have access to, and we don't want to inconvenience users by making them lose information if they forget their passwords. Is there a good way to solve this problem, so that the devs who have access to our AWS can't read customer data, and so the customers can reset their passwords without losing access to their data?
1 Answer
From your description of the problem you already seem to have considered using (a derivation of?) the user's password as an encryption key. Hence loss of the password means loss of the encryption key, which means loss of access to the data. It also means that only a single user can access a specific dataset.
If, however, you assign a random key for encrypting the data, then you can create multiple copies of that key, each encrypted with a DIFFERENT user key, i.e. user access looks like
PLAINTEXT = DECRYPT( CIPHERTEXT, DECRYPT ( KEY_DATA[USER], USER_PASSWORD))
The problem this leaves is how you restore access: at some point, someone or something needs to know both the user's new password (or the derived equivalent used to encrypt the data key) and an alternate key. Further, it opens a door to a denial-of-service-type attack, since the process should also revoke access using the forgotten key. How you minimize the risks arising is an operational consideration.
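The scheme in the answer (a random data key, wrapped separately under each holder's password-derived key, plus an alternate recovery key that lets a reset re-wrap the data key and revoke the old copy) as an added, self-contained example; it is not code from the question or the answer. It assumes a `Record` class and holder names like `alice` and `recovery` that are hypothetical. To stay standard-library-only it uses PBKDF2 for key derivation and an HMAC-SHA256 counter keystream with encrypt-then-MAC in place of a real AEAD such as AES-GCM; in production you would swap `encrypt`/`decrypt` for an AEAD from a vetted library and keep the same wrapping structure.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; tune iterations to your hardware.
KDF_ITERATIONS = 100_000
KEY_BYTES = 64  # 32 bytes for encryption + 32 bytes for the MAC


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a 64-byte key split into encryption and MAC subkeys."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key: bytes, blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))


def derive_kek(secret: str, salt: bytes) -> bytes:
    """USER_PASSWORD -> key-encryption key; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_BYTES)


class Record:
    """CIPHERTEXT plus KEY_DATA[holder]: one wrapped copy of the data key per holder."""

    def __init__(self, plaintext: bytes, holder: str, secret: str):
        dek = os.urandom(KEY_BYTES)  # random data key; only ever stored wrapped
        self.ciphertext = encrypt(dek, plaintext)
        self.key_data = {}
        self._wrap(dek, holder, secret)

    def _wrap(self, dek: bytes, holder: str, secret: str) -> None:
        salt = os.urandom(16)
        self.key_data[holder] = {"salt": salt, "wrapped": encrypt(derive_kek(secret, salt), dek)}

    def _unwrap(self, holder: str, secret: str) -> bytes:
        entry = self.key_data[holder]
        return decrypt(derive_kek(secret, entry["salt"]), entry["wrapped"])

    def read(self, holder: str, secret: str) -> bytes:
        # PLAINTEXT = DECRYPT(CIPHERTEXT, DECRYPT(KEY_DATA[USER], USER_PASSWORD))
        return decrypt(self._unwrap(holder, secret), self.ciphertext)

    def grant(self, via_holder: str, via_secret: str, new_holder: str, new_secret: str) -> None:
        """Add another wrapped copy; only someone holding an existing secret can do this."""
        self._wrap(self._unwrap(via_holder, via_secret), new_holder, new_secret)

    def reset_password(self, user: str, recovery_holder: str, recovery_secret: str, new_password: str) -> None:
        """Recover the data key via the alternate key, re-wrap it under the new password,
        and revoke the copy that the forgotten password could unwrap."""
        dek = self._unwrap(recovery_holder, recovery_secret)
        self.key_data.pop(user, None)
        self._wrap(dek, user, new_password)


if __name__ == "__main__":
    # Constructed demo: user-held copy plus an escrowed recovery copy of the data key.
    rec = Record(b"customer record", "alice", "correct horse battery staple")
    rec.grant("alice", "correct horse battery staple", "recovery", "offline-escrow-secret")
    rec.reset_password("alice", "recovery", "offline-escrow-secret", "new password")
    print(rec.read("alice", "new password"))
```

The operational point the answer raises shows up directly in `reset_password`: whoever runs it must hold the recovery secret, so that secret (and the process that uses it) is exactly what needs to be kept away from the developers with AWS access, for example in an HSM or an offline escrow with a documented approval step. The `pop` is the revocation the answer mentions: after a reset, the wrapped copy that the old password could unwrap is gone, which is also why a reset triggered without the user's consent is a denial-of-service risk.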