Crpyto system with master key and derived keys - Is this possible?

0
votes

I've been doing some searching and still do not know if this is possible. What I want is for a message to by encrypted by our system and decrypted by a "master key" and also a 3rd party.

This encrypted message needs to be decrypted by 2 entities

-A 3rd party (which we want the control to shut off their ability to decrypt)

-Our system (which we want to always be able to decrypt no matter what, master key?)

From some research I was doing there is a concept of master key and derived keys

Does this following system exist?:

Master Key - can decrypt anything encrypted by derived keys DerivedKey1 -> Encrypt data with this key and be able to decrypt with Master Key OR DerivedKey1 DerivedKey2 -> Encrypt data with this key and be able to decrypt with Master Key OR DerivedKey2 but NOT derivedKey1

Any terminology I should be using to search for answers would be helpful, also any crypto systems that do this already would be great to know.

1
encryptioncryptography
What about the previous documents that 3rd party accessed? Isn't this a simple access control mechanism? They prove themself, the system encrypt on behalf of them if they are granted!.kelalaka
@kelalaka the ciphertext in this case is always going to be shown to both parties and decrypted by both parties. I want a way to encrypt where party1 can always decrypt no matter what, but a way so that party2 then cannot decrypt anymoreChris M
You can use a similar idea to Veracrypt. Encrypt the encryption key with their password derived key and store in a file also another file for the master key. Use this file for them to access but never let them get this file otherwise they can decrypt again. Once you ban the party two delete the file. The requires access control to the file.kelalaka
we want the control to shut off their ability to decrypt - meaning you want to deny ability to decrypt when someone is already possessing a decryption key and could already decrypt the content? Or do you mean to deny decrypting of new (not yet decrypted) messages?gusto2
@gusto2 Yes, I mean deny any new messages sent from our system to be decryptedChris M

1 Answers

0
votes

Yes, I mean deny any new messages sent from our system to be decrypted

You can encrypt the content with a random key (data key).

Then you can encrypt the data key for each intended recipient (master key and any 3rd party) using its shared or public key.