SecureBase for secure Cloud Services
SecureBase is used for the storage and secure exchange of all confidential documents, such as contracts, patent data, papers, photos and videos. It covers:
- storing and retrieving encrypted documents
- exchanging documents with authenticated users
- managing the key pairs of a user
- and authenticating third-party users
SecureBase can also be used as a platform for OEMs to provide secure cloud services, and it can be used both within a public cloud and within a personal or enterprise-wide private cloud.
The procedure can be applied to different services:
- Mail Service
- Archive Service
- Message Service
- Calendar Service
SecureBase is funded by the Federal Ministry of Economics and Technology based on a resolution of the German House of Representatives.
The central component is the SecureBase database server. All keys and all metadata of all documents are stored there in encrypted form. The encrypted documents themselves can be stored either in SecureBase or in the cloud. A Java-based graphical frontend tool provides access to SecureBase.
√ Save and retrieve encrypted documents
√ Exchange of documents between authenticated users
√ Management of the key pairs of a user
√ Authentication of foreign users
1. Document encryption
Each document is encrypted with a randomly generated symmetric key (document key). Each user has one or more key pairs that are used to encrypt and decrypt the document keys.
Documents can only be decrypted if the user can decrypt the associated document key with his private key. Therefore, documents can be stored anywhere in the cloud and transported over the Internet without compromising the privacy of the data.
The private key is saved, protected by a password, on the user's device (a smartphone, a telephone or a PC). The associated public key is stored in SecureBase and is thus accessible to other users, e.g. to exchange documents. Before a public key is used for an exchange, its identity and authenticity must be checked.
2. Key pairs
Each user generates a different random key pair on each device. Its public key is stored in SecureBase, while the secret key is stored securely and exclusively on the device. The secret key never leaves the device.
Due to the strict end-to-end encryption, the user can no longer see his own documents if he loses his secret key. No administrator can restore this access.
We therefore recommend that each user have at least two key pairs on two different devices to compensate for such a loss. A user with multiple devices and key pairs can use SecureBase to read all of his documents with any of his keys on any of his devices. If a key is lost, the remaining keys can be used to decrypt the documents or to create new keys. The data associated with the lost key can then be deleted.
Similarly, a user can create a new key pair on a new smartphone and authenticate it for his other devices and keys. This makes all documents available to the new device.
3. Management of keys
SecureBase stores and manages all document keys, all public keys and all authentications. Document keys are symmetric and are never stored directly, only in encrypted form: each document key is encrypted with the respective public keys of all authorized users. Each of these users can access the document key, and thus the document, only with their own private key.
Foreign users or foreign keys must be authenticated before they can be used to exchange documents. This is done by having a user A sign the key of a user B after checking B's identity.
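The key handling described in sections 1 to 3, as an added example that is not SecureBase's own code: a document key is wrapped once per device public key, one device is lost, and a surviving key enrolls a replacement. The algorithms (RSA-OAEP, AES-256-GCM), the class name and the device labels are assumptions; the page does not name any, and the signing step used for authentication is left out.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration. RSA-OAEP and AES-256-GCM are assumptions; the page names no algorithms.
public class DocumentKeyDemo {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static KeyPair newDeviceKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(3072);
        return gen.generateKeyPair();            // the private half stays on the device
    }
    // Server-side record: the document key encrypted under one authorized public key.
    static byte[] wrap(SecretKey docKey, PublicKey pub) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(Cipher.WRAP_MODE, pub);
        return c.wrap(docKey);
    }
    // Only the matching private key can recover the document key from that record.
    static SecretKey unwrap(byte[] wrapped, PrivateKey priv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(Cipher.UNWRAP_MODE, priv);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    static byte[] crypt(int mode, SecretKey k, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }
    public static void main(String[] args) throws Exception {
        KeyPair phone = newDeviceKeyPair(), pc = newDeviceKeyPair();   // one user, two devices
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey docKey = kg.generateKey();                           // random per-document key
        byte[] iv = new byte[12];                                      // kept alongside the ciphertext
        new SecureRandom().nextBytes(iv);
        byte[] stored = crypt(Cipher.ENCRYPT_MODE, docKey, iv, "constructed sample contract".getBytes(StandardCharsets.UTF_8));
        Map<String, byte[]> wrapped = new HashMap<>();                 // one wrapped copy per public key
        wrapped.put("phone", wrap(docKey, phone.getPublic()));
        wrapped.put("pc", wrap(docKey, pc.getPublic()));
        wrapped.remove("phone");                                       // phone lost: delete its record
        SecretKey recovered = unwrap(wrapped.get("pc"), pc.getPrivate());
        KeyPair tablet = newDeviceKeyPair();                           // replacement device
        wrapped.put("tablet", wrap(recovered, tablet.getPublic()));    // re-wrap, document untouched
        SecretKey viaTablet = unwrap(wrapped.get("tablet"), tablet.getPrivate());
        System.out.println(new String(crypt(Cipher.DECRYPT_MODE, viaTablet, iv, stored), StandardCharsets.UTF_8));
    }
}
```

Enrolling the replacement device only adds a new wrapped copy of the document key; the stored ciphertext is never re-encrypted, and without at least one surviving private key no wrapped copy can be opened.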
4. Synchronization of documents
Due to the end-to-end encryption, the SecureBase database cannot decrypt the documents and their metadata, and therefore cannot offer any search functions or create search indexes.
In order to be able to search for documents and simultaneously enable offline operation of SecureBase, the SecureBase client has a local database on each device, which it automatically synchronizes with the server database. This local database contains all the metadata (document keys, document attributes, timestamps, keywords, descriptors) in unencrypted form, so that it can be indexed and searched.
The metadata is typically a few KB per document, so the local database takes up a few MB for every 1,000 documents, which can be stored on any smartphone today. The documents themselves are not synchronized by default; they are fetched (encrypted) into the local database as needed and can remain there as long as local storage allows. These documents can then be used offline.