
Rethinking stored document encryption: Part 6

So Alice has saved her encrypted Word document. How does she read the document on the same machine or on a different machine, or share a copy with Bob?


Reading the document on the machine used to create it is straightforward. By default the document is saved with a decryption block for the machine-user key and a decryption block for the key management system. The application simply requests that the cryptography sub-system decrypt the decryption block under the machine-user key.


Reading the document on a different machine requires a little more effort. When Alice attempts to open the file, the application will need to identify the security policy under which the document is controlled and forward the decryption block to the key management server. The server must securely determine the security policy to be applied, evaluate the access control request and return either a decryption block for the new machine-user key or a refusal response.


If Alice is going to make a habit of using the same document on multiple machines, it may be appropriate to create decryption blocks for each of the machine-users that may require access. Contrariwise, if the document is very sensitive, it may be desirable to create a decryption block only for the key management server and not for the local machine-user key. This approach may be appropriate where the machine in question is a laptop and there is a possibility of it being carried through customs. If a document is extremely sensitive, it might not be readable on the laptop at all.
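The open flow described above, as an added sketch that is not code from this series: a document carries one decryption block per key, and the key management server re-wraps the content key for a new machine-user or refuses. All names here are hypothetical, the keys are assumed symmetric for brevity (a real design would wrap under public keys), and the wrap function is a standard-library stand-in for AES-KW or an AEAD.

```python
import hashlib, hmac, os

def wrap(kek, cek, policy):
    # Stand-in key wrap (HMAC-SHA256 keystream plus tag) so the example is
    # stdlib-only; a real system would use AES-KW or an AEAD. cek is 32 bytes.
    nonce = os.urandom(16)
    ks = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(cek, ks))
    tag = hmac.new(kek, b"mac" + nonce + ct + policy.encode(), hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, block, policy):
    nonce, ct, tag = block[:16], block[16:48], block[48:]
    want = hmac.new(kek, b"mac" + nonce + ct + policy.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):  # wrong key, or policy id was altered
        raise ValueError("decryption block invalid for this key and policy")
    ks = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

class KeyManagementServer:
    def __init__(self, policies):
        self.key = os.urandom(32)
        self.policies = policies   # policy id -> machine-user ids allowed to read
        self.machine_users = {}    # machine-user id -> registered key (assumed symmetric)

    def rewrap(self, policy, kms_block, mu_id):
        cek = unwrap(self.key, kms_block, policy)  # proves the policy id is genuine
        if mu_id not in self.policies.get(policy, ()) or mu_id not in self.machine_users:
            return None                            # refusal response
        return wrap(self.machine_users[mu_id], cek, policy)

def create_document(kms, policy, local=None):
    # local is (machine-user id, key), or None for a server-only sensitive document.
    cek = os.urandom(32)           # content key that encrypts the document body
    blocks = {"kms": wrap(kms.key, cek, policy)}
    if local:
        blocks[local[0]] = wrap(local[1], cek, policy)
    return {"policy": policy, "blocks": blocks}, cek

def open_document(doc, mu_id, mu_key, kms):
    block = doc["blocks"].get(mu_id)
    if block is None:              # no local block: forward the server's block
        block = kms.rewrap(doc["policy"], doc["blocks"]["kms"], mu_id)
        if block is None:
            raise PermissionError("key management server refused access")
    return unwrap(mu_key, block, doc["policy"])
```

Binding the policy identifier into the block's tag means a document whose policy field has been edited fails at the server before any access decision is made.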


The same principles may be extended to allow Bob to read the file and we can even automatically create a decryption block for Bob and Carol if there is an expectation that there will be a need to read the data on those machines as well.


If Bob is in the same organization as Alice, there really is no difference. But if Alice wants to share the document with Carol, who works for another company, we need to deal with the fact that we are crossing a trust boundary, and that has consequences that may be very significant indeed.
