Collections: Key generation

Open yknl opened this issue 6 years ago • 0 comments

Browser should perform key generation for collections

Collection data would be stored in separate Gaia buckets not related to any apps.

Collections data buckets in profile.json:

    "collections.contacts": "https://gaia.blockstack.org/hub/143tnkzivFVgPqerPKUoKLdyvgyYNPjM9/"

The app data bucket address is generated by deriving from the appsNodeKey in each identity address using a hash of the app domain as the index. We can similarly generate collections data bucket addresses using a collectionsNodeKey and the collection name as the index.

    // Key derivation for app buckets
    var appDomain = 'https://www.graphitedocs.com'
    var hashAppIndex = sha256(appDomain + salt)
    var appNode = this.hdNode.deriveHardened(hashAppIndex)
    
    // Key derivation for collections bucket
    var collectionsPrefix = 'collections'
    var collectionName = collectionsPrefix + 'contacts'
    var hashCollectionIndex = sha256(collectionName + salt)
    var appNode = this.hdNode.deriveHardened(hashCollectionIndex)

We prefix the collection index with "collections" to avoid collisions between app and collection indices.

Encryption Key Generation

We can derive encryption keys for collections similar to how we derive the bucket keys. In this case the index we’re using contains a hash of the list of apps authorized to the collection. This way we can revoke encryption keys by removing the app from the authorized list.

    // Encryption key derivation for collections bucket
    var collectionName = 'collections.contacts'
    var authorizedApps = ['https://myApp.com', 'https://otherApp.com']
    var authorizedAppsHash = sha256(authorizedApps.toString())
    var hashCollectionIndex = sha256(collectionName + authorizedAppsHash + salt)
    var appNode = this.hdNode.deriveHardened(hashCollectionIndex)

The user’s profile.json should keep track of the list of apps that have been authorized for each collection. This data should be encrypted.

Example profile.json

    ...
    // User apps
    apps: {
      "https://MyApp.com": "https://gaia.blockstack.org/hub/1CDUqlkjQgYNt342kjeD4fd83aiNGQ22a/",
      "https://OtherApp.com": "https://gaia.blockstack.org/hub/1JL1fjQrh238S9aMn3skS3aiNGLN32g23ab/",
    },
    // User collections
    collections: {
      "documents": {
        "location": "https://gaia.blockstack.org/hub/1Lsdf83isMHFsfse223hrbEynNR63vn2A/",
        "authorizedApps": 
        // Encrypted section
        [
          "https://MyApp.com",
          "https://OtherApp.com"
        ]
        // End encrypted section
      }
    }
    ...

yknl, Mar 27 '19 13:03
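
The encryption key index described in the issue, as an added example that is not part of the original issue or of blockstack-browser: it computes only the hash index that would be passed to `hdNode.deriveHardened()` and checks that removing an app changes it. The salt value, the `canonicalApps` helper and its lower-case/sort normalization are assumptions introduced here to show that hashing `authorizedApps.toString()` directly depends on list order and casing.

```javascript
// Added illustration (not blockstack-browser code). Computes only the hash
// index that the issue passes to hdNode.deriveHardened(); no HD wallet here.
const crypto = require('crypto')

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex')

// Constructed sample value; the real salt comes from the user's identity.
const SALT = 'constructed-example-salt'

// Assumption (hypothetical helper): canonicalize the list before hashing
// (lower-case, dedupe, sort) so the same set of apps yields the same key.
function canonicalApps(apps) {
  return [...new Set(apps.map((a) => a.toLowerCase()))].sort()
}

// Encryption key index from the issue:
//   sha256(collectionName + authorizedAppsHash + salt)
// canonical=false reproduces the issue's raw authorizedApps.toString().
function collectionKeyIndex(collectionName, apps, salt = SALT, canonical = true) {
  const list = canonical ? canonicalApps(apps) : apps
  const authorizedAppsHash = sha256(list.toString())
  return sha256(collectionName + authorizedAppsHash + salt)
}

// Constructed sample inputs, taken from the issue's own example domains.
const apps = ['https://myApp.com', 'https://otherApp.com']
const reordered = ['https://otherApp.com', 'https://myApp.com']
const afterRevoke = ['https://myApp.com']

const report = {
  // Removing an app changes the index, so a different key is derived.
  revocationRotatesKey:
    collectionKeyIndex('collections.contacts', apps) !==
    collectionKeyIndex('collections.contacts', afterRevoke),
  // Raw toString() is order-sensitive: same set of apps, different key.
  rawOrderSensitive:
    collectionKeyIndex('collections.contacts', apps, SALT, false) !==
    collectionKeyIndex('collections.contacts', reordered, SALT, false),
  // The canonical form is stable under reordering.
  canonicalStable:
    collectionKeyIndex('collections.contacts', apps) ===
    collectionKeyIndex('collections.contacts', reordered),
}
console.log(report)
```

Data already encrypted under the old key stays readable to anyone who kept that key, so revocation by re-derivation only protects data written or re-encrypted afterwards.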