At Cambridge Blockchain, we are working to empower our customers with the ability to leverage the latest in cryptography standards and best practices in a seamless way. At the same time, providing the user with full control for sharing their data securely and keeping businesses integrated with our platform fully compliant with data privacy regulations.
We accomplish these seemingly contradictory requirements through our encryption protocol design between stake holders within the platform. In terms of tamper resistant auditing and dispute resolution our solution is in the company name (blockchain), but we also offer excellent data security by leveraging modern cryptographic standards for safe cloud based data storage for our users.
Our security protocol uses a combination of asymmetric and symmetric encryption specifications to provide secure and performant functionality for the end user. The system is highly configurable, but by default we rely on 2048-bit RSA for sharing symmetric key material, and 256-bit authenticated AES for encrypting user data. For best security practices the key used for every user attribute is different, which means that a compromised attribute key does not compromise the security of any other attribute of that individual user or any other user.
As the symmetric key that is stored is encrypted by the internal platform's master key, the user has no direct exposure to the complexities of the cryptographic internals. To the customer, our flagship web interface Confidare is no more challenging to use than a standard SaaS product like Gmail or Facebook.
Besides a facility to store and manage a user’s personal information, central to the Cambridge Blockchain offering is the ability for a user to share that data only after providing explicit consent to do so. The process of giving read access to someone else is facilitated by the platform's master key that enables the transfer for another individual to decrypt a user's data.
It is important to keep in mind only the end user (data owner) can trigger this data sharing with an explicit action within their interface and only for a specific piece of data.
With the fluidity in cryptography best practices and new software security vulnerabilities being disclosed constantly, our security model needs to remain flexible and configurable. To that point, most importantly, we need the ability for an end-to-end encryption option for data sharing, so that even a breach of Cambridge Blockchain servers would not threaten a user’s data.
For those technically minded individuals or businesses who look to have full data ownership and want the ability to manage their own keys, they should have that option. Additionally, intermittent solutions exist for user’s who may want to use end-to-end encryption, but not have the responsibility of managing their own cryptographic keys.
A key custodial service would never see a user’s private keys in plain text, but would store data encrypted that could later be used to recover the key client side. Cambridge Blockchain would provide a key custodial service leveraging geographically isolated servers along with an HSM (hardware security module). The user can then have the option of using our services or a third party to manage keys depending on their needs and use case.
Find useful code for implementing this and additional crypto functionality at our repos on GitHub and NPM. We are working actively each week to add features and make improvements: