Interface EncryptionServer

All Known Implementing Classes:
InMemoryEncryptionServer

public interface EncryptionServer
The EncryptionServer takes CipherVersion instances generated by an EncryptionService for a provided namespace. A CipherVersion provided to the encryption server (by an EncryptionService) is persisted so that the DecryptionServer can access it. When persisting, the CipherVersion's cipher UID is checked against the cipher UIDs already persisted; where a CipherVersion with the same cipher UID has already been persisted, the new CipherVersion is rejected (such collisions can be avoided with good cipher UIDs).

An EncryptionServer implementation can persist securely by encrypting with the public key of an asymmetric encryption approach, so that only the DecryptionService can recover the plain text ciphers from the CipherVersion instances. To avoid transmitting plain text CipherVersion instances from the EncryptionService to the EncryptionServer, the EncryptionService should already encrypt the CipherVersion with the corresponding public key, so that the EncryptionServer only ever receives encrypted CipherVersion instances.

The forward secrecy cryptography infrastructure supports EncryptionServer instances that only need to take care of persisting and retrieving the CipherVersion instances. Encryption and decryption can be done in the corresponding service layers. For example, the EncryptionService uses a public key to encrypt the cipher of a CipherVersion instance and passes it to the EncryptionServer, which just stores the CipherVersion without any additional encryption. A DecryptionService in turn requests the CipherVersion instances with the encrypted ciphers from the DecryptionServer and decrypts the ciphers with the corresponding private key. Another, more complex approach is described in the documentation of the DecryptionServer.
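The store-only arrangement described above, together with the cipher UID collision check, as an added Java example that is not part of the library's code. `WrappedCipherVersion`, `StoreOnlyServer`, `rsaOaep` and the namespace are hypothetical names, and RSA-OAEP with a freshly generated 2048-bit key pair is an assumed choice of asymmetric scheme.

```java
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Added illustration; every type and method name below is hypothetical, not the library's API.
public class WrappedCipherDemo {
    // Stand-in for a CipherVersion whose cipher was already encrypted in the service layer.
    record WrappedCipherVersion(String cipherUid, byte[] wrappedCipher) {}

    // Stand-in for a server that only persists and retrieves; it never holds a key.
    static class StoreOnlyServer {
        private final Map<String, Map<String, WrappedCipherVersion>> byNamespace = new ConcurrentHashMap<>();
        void add(String namespace, WrappedCipherVersion cv) {
            var versions = byNamespace.computeIfAbsent(namespace, n -> new ConcurrentHashMap<>());
            // Reject a cipher UID that is already persisted instead of overwriting it.
            if (versions.putIfAbsent(cv.cipherUid(), cv) != null) {
                throw new IllegalStateException("cipher UID collision: " + cv.cipherUid());
            }
        }
        WrappedCipherVersion get(String namespace, String cipherUid) {
            return byNamespace.getOrDefault(namespace, Map.of()).get(cipherUid);
        }
    }

    // Assumed scheme: RSA-OAEP. The same helper wraps (public key) and unwraps (private key).
    static byte[] rsaOaep(int mode, Key key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] cipherSecret = "constructed-sample-cipher".getBytes(StandardCharsets.UTF_8);
        // Encryption service side: wrap with the public key before handing over to the server.
        var cv = new WrappedCipherVersion(UUID.randomUUID().toString(),
                rsaOaep(Cipher.ENCRYPT_MODE, kp.getPublic(), cipherSecret));
        var server = new StoreOnlyServer();
        server.add("demo-namespace", cv);
        // Decryption service side: fetch the stored version and unwrap with the private key.
        byte[] plain = rsaOaep(Cipher.DECRYPT_MODE, kp.getPrivate(),
                server.get("demo-namespace", cv.cipherUid()).wrappedCipher());
        System.out.println("round trip ok: " + Arrays.equals(plain, cipherSecret));
        try { server.add("demo-namespace", cv); } // same cipher UID a second time
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The server class touches only opaque bytes and the cipher UID, so a compromise of its storage yields wrapped ciphers but no key material.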

By replacing the implementation of the EncryptionServer, the way CipherVersion instances are persisted can be changed easily.