I’ve been tossing this up in my head and was wondering if this is interesting to others. The problem I’m trying to solve is two-fold. First, how to ensure end-to-end security on data you store in the cloud. Second, how to give services limited access to that data so that once the online processing is complete, no one can decrypt the data. This can allow for, say, webmail where, if the cloud device is eventually compromised, no one has access to the data.
The basic architecture is that of a sandbox. The sandbox has a journalling storage and retrieval service, a partial secret service and a monitored network service. Inside the sandbox are “apps” which only have the ability to communicate via those three services.
Whenever the storage service is asked to store data, it is encrypted with a public key. You keep the private key on a remote device. This means that apps can freely store data, but it’s sort of a data black hole, and only a remote device can decrypt it with the private key. An app can forward encrypted data to a device and get it decrypted there.
So far it’s just like an encrypted Dropbox, but here’s where it gets fancy. You then use secret splitting to cut the private key into two pieces. You give one piece to the Partial Secret Service, and you give the other to the app. Neither can decrypt the data on its own, but together they can decrypt data for a limited time. You can remove the split secret from the Partial Secret Service (which you trust), which stops the app from being able to decrypt the data. The next time, you split off a different pair of secrets so that replay attacks cannot work.
While you trust the Partial Secret Service, you also have some way of knowing that the system is compromised. If the system is compromised, then as long as either of the keys is gone, the encrypted data is safe. Importantly, if you can shut the sandbox down on intrusion, your data is safe.
Thoughts? Are there any fatal flaws in my idea?
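
The key-splitting and revocation flow described above, as an added example that is not part of the original post. It assumes a 2-of-2 XOR split of the raw private-key bytes; `PartialSecretService`, `open_session` and `app_recover_key` are hypothetical names standing in for the trusted service, the owner's device and the sandboxed app.

```python
import secrets

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: either share alone is uniformly random bytes."""
    pad = secrets.token_bytes(len(key))
    return pad, bytes(k ^ p for k, p in zip(key, pad))

def combine(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

class PartialSecretService:
    """Hypothetical trusted service: holds one share per session until revoked."""
    def __init__(self):
        self._shares = {}

    def deposit(self, session_id: str, share: bytes) -> None:
        self._shares[session_id] = share

    def revoke(self, session_id: str) -> None:
        self._shares.pop(session_id, None)

    def fetch(self, session_id: str) -> bytes:
        return self._shares[session_id]  # KeyError once revoked

def open_session(pss: PartialSecretService, private_key: bytes):
    """Owner's device: make a fresh split and hand one share to the service."""
    session_id = secrets.token_hex(8)
    service_share, app_share = split_key(private_key)
    pss.deposit(session_id, service_share)
    return session_id, app_share

def app_recover_key(pss: PartialSecretService, session_id: str, app_share: bytes):
    """App side: rebuild the key, or get None after the owner has revoked."""
    try:
        return combine(pss.fetch(session_id), app_share)
    except KeyError:
        return None

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for the private key
    pss = PartialSecretService()
    sid, share = open_session(pss, key)
    print("during window:", app_recover_key(pss, sid, share) == key)
    pss.revoke(sid)
    print("after revoke: ", app_recover_key(pss, sid, share))
    sid2, _ = open_session(pss, key)
    print("stale share:  ", app_recover_key(pss, sid2, share) == key)
```

The split only limits access if the app does not keep the reconstructed key after the window closes; nothing in this code enforces that.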