
CloudFlare's Red October Crypto app with two-man rule style Encryption and Decryption

Securing a system against outside threats such as hackers is always important, but it is also necessary to protect against insider threats.

The damage an insider threat can do is illustrated by Edward Snowden, who worked at the NSA and had authorized access to thousands of the NSA's secret documents, networks and systems.
"According to a recent Verizon report, insider threats account for around 14% of data breaches in 2013."
Securing data usually means encrypting it in the cloud and keeping the encryption keys out of the hands of rogue employees, but that is not enough when those employees need access to the encryption keys as part of their work.
To reduce the risk of rogue employees misusing sensitive data, CloudFlare has released Red October, an open source encryption tool with "two-man rule" style file encryption and decryption.

The "two-man rule" is a control mechanism, borrowed from the military, designed to achieve a high level of security for especially critical information: decryption of the data works only when two or more people provide their keys.
"It comes from military history, where a nuclear missile couldn’t be launched unless two people agreed and turned their launch keys simultaneously. This requirement was introduced in order to prevent one individual from accidentally (or intentionally) starting World War III."
All communication with Red October is encrypted with TLS, ensuring that passwords are not sent in the clear.

Each user is assigned a unique, randomly generated RSA key pair. The user's private key is then encrypted with a password key derived from the user's password and a salt using scrypt. To encrypt data, the Red October server generates a random 128-bit AES key.

To decrypt a file, the requesting user must be an administrator with the correct password, and decryption occurs only if two users in the list of valid users have delegated their keys.

To prevent unauthorized decryption, the Red October server will not decrypt user keys without their password.

The software is freely available as an open source application on GitHub.
