Is it possible using encryption keys to encrypt a file so for example some one will full access can read it all but some one with little access can only read say the top paragraph
Asked
Active
Viewed 202 times
-1
-
Do you want to find out whether that is possible in principle (of course it is) or whether there are stable implementations (I have no idea)? – mkl Dec 06 '12 at 12:51
-
Please provide more details so we can understand the use case. – JZeolla Dec 06 '12 at 15:42
3 Answers
2
The quick answer is no, there isn't anything out there that does that with a single key, that's not how encryption works, at least with current software.
You could accomplish this using two keys though. One key (inner key) would encrypt the most sensitive data, which could then be put into another document as ciphertext and then encrypted with a second key (outer key). Those with the outer key would be able to see the less sensitive data while those with both keys could read all the data.
That is a clunky way to do it though. What would make more sense would be to authenticate users based on public/private keypairs and then give them access to data based on their privilege level. There's many ways to accomplish that.
GdD
- 17,291
- 2
- 41
- 63
-
how would i go about authenticating users based on public / private keypairs, what is the principle behind this – test1245 Dec 06 '12 at 13:06
-
5This is a huge subject @test1245, and I'm not going to attempt to explain the whole thing as there's entire libraries of books on the subject. I suggest you start learning the basics by searching on public key cryptography, and public key infrastructure. – GdD Dec 06 '12 at 13:17
2
Encryption is based on authorized persons knowing a secret (a key); anyone knowing that secret can decrypt any message that is encrypted with that key. If Alice is authorized to decrypt the whole file and Bob is only allowed to decrypt the first paragraph, then Alice must know a secret that Bob doesn't know.
So one way to proceed is to encrypt the first paragraph and the rest of the document with two different keys. Give Alice both keys, and give Bob only the key for the first paragraph.
A variant is to encrypt the whole document except the first paragraph with a key KA, then encrypt the first paragraph and the encrypted document-except-first-paragraph with another key KB. Again, give Alice both keys, and give Bob only KB.
Another variant is to separately encrypt the whole document with a key KA, and the first paragraph with another key KB. Give Alice KA and Bob KB.
The last of these three is the simplest approach. It's easy to implement with any encryption infrastructure, since the distribution is fully separate from the cryptography. Do this unless you have a really good reason to do otherwise.
A different approach is to encrypt the whole document with a key, but not to give that key to anyone (or at least not to Bob, Alice may have it in this scenario). Instead of giving Bob a decryption key, give him some other means to decrypt only the part that he is authorized to decrypt.
Relying on access control to restrict access to data is called digital rights management. If Bob obtains the encrypted content and the means of decryption separately, this is difficult to achieve, because the means of decryption must contain the decryption key inside, yet Bob must not be able to exctract it. The means of decryption (DRM software) must also be able to authenticate Bob: if Bob can bypass or mislay the authentication step, he might be able to pass off as Alice.
An easier approach to access control is to make it online. Leave the content on a server (encryption is optional). Provide Alice and Bob with authentication methods on the server (passwords or otherwise). Configure the server to serve only the first paragraph to Alice, and the whole document to Bob.
If Alice willingly transmits the whole document to Bob, that's a completely different problem, and unsolvable outside of very specific situations. The best you can hope (for some kinds of documents) is to be able to know later that Bob obtained the document through Alice.
Gilles 'SO- stop being evil'
- 50,912
- 13
- 120
- 179
-
wow thank you very much for this ! this has made things very clear in what i am trying to achieve, thank you very much for this !, would it be possible using keys to write to a document and not see it ? – test1245 Dec 06 '12 at 18:37
-
@test1245 You mean that for example some could append to a document, but not read what's already there? Kind of. With asymmetric cryptography, someone who has the public key but not the private key can encrypt data but not read it back. Asymmetric cryptography is very slow, so it's mostly only used to encrypt symmetric keys that are generated for each item to be encrypted (file, network session, …). In practice, what would happen is that you'd write separate documents. Further reading: http://security.stackexchange.com/q/22824, http://security.stackexchange.com/q/6218 – Gilles 'SO- stop being evil' Dec 06 '12 at 18:55
-
thats exactly what i mean ! thank you very much for the information, looks like what i shall be reading tonight ! – test1245 Dec 06 '12 at 19:01
-
-
Would it be possible for a user say the boss of the company, to be able to read the data from a user below him but not edit it in any way – test1245 Dec 08 '12 at 21:21
0
It seems like you are confusing encryption with access control. Either you can decrypt the entire file or you can't.
With access control and certain pieces of software you can restrict files in the manner which you are talking about. For instance you can allow someone preview only, and someone else preview and read-only.
In order to make a more precise suggestion, however, we need more details about the intended use case where this solution will be provided.
JZeolla
- 2,936
- 1
- 18
- 25