This question is a followup question to Storing plaintext passwords for cameras - Security concerns?. In that question, I posed what I thought was a simple question, which actually turned out to have various security holes. Thanks to the answers, I've been able to fix most issues, except this last one...
We're developing new cameras for use in monitoring and security of private homes.
One of the features of the service we're offering is the online recording service.
Where previously, one would be screwed if their camera was stolen (since the camera contained the storage medium upon which the footage was stored), with our online recording service, the footage is stored in the cloud and retrievable at a later moment.
The current security plan for the cameras and this online recording service is as follows:
- There are 4 pieces of hardware involved: the camera, the client device (phone with app), our database and our recording service.
- A camera requires (camera unique) default password for configuring the camera. This is only possible after a factory-reset (or when the camera is new). This default password is stored plaintext in our online database for support.
- During initial configuration of the camera, camera adds public SSH key of the configuring device to its keystore.
- Camera keeps a list of public SSH keys of authenticated devices. To register, a new device has to connect to the camera and request to be added. It provides its public key and perhaps some string for the admin to recognize the device. We will allow disabling of registration to prevent internet-scanners from making registration attempts to each camera (and thereby annoying each customer).
- It's possible that we relocate the registration of public keys to the online platform instead, so that we can build upon this to make registrations for multiple cameras in one go easier. This however introduces an attack vector where an employee can add their own key into the list. Customers will have to pay good attention to who they allow to see their camera.
- When an authenticated device reconnects to the camera, it checks for any new registrations, and may choose to add them. It's also allowed to revoke access. If a customer accidentally adds a bad device (like their ex's phone?) and has their access revoked, they can always factory-reset the camera with their physical access to the camera and reconfigure the camera.
- For the online recording service, an authenticated device can ask the online recording service for its public key. The public key is then added as "view-only" in the camera. Like this, the recording service can be registered only by permission of the customer.
This brings a security hole:
It's possible for employees to view the camera feeds from any camera subscribed to the recording service.
A possible plan posted by one of the answerers on my previous question consisted of the following:
- Encrypt the video stream with a session key.
- Renew the session key every few minutes.
- Encrypt the session key with each of the public keys stored on the camera.
- Send encrypted session keys and encrypted stream to the recording service.
But this solution is not perfect: In the event that you set up an indoor camera, and a break-in happens, and both the camera and the single, only authenticated device are stolen, the video stream from the recording service is not decryptable. In this event, the only thing you have left is the encrypted session keys, the public key (if we store these on our servers) and the encrypted video stream data. The private key is lost, as is the SD card on which an unencrypted copy of the video stream could be kept.
Additionally, it's not possible for a device to view yesterday's footage if it was added today. This is also an undesired feature.
Is there any way to allow encryption of the video stream that is decryptable even if both camera and authenticated device is lost forever (and with it, the local recording on SD card as well as the private key on the authenticated device)?
Thus my question,
How to securely encrypt data with a public-private key encryption scheme, but also allow decryption if the private key is lost?
I realize this might be impossible to do - in that case, is it possible to allow recreation of the private key by remembering a secret (basically, something like using a key derived from the customer's plaintext password to encrypt a session key... of which we only store the salted, hashed value)?