45

I am using the email/password sign in method for Firebase. I would like to encrypt the data users save into the realtime database before sending it to the database. Firebase already handle the user password, but can I somehow use it to encrypt data which can't be decrypted by me only the client? It would be nice if I could achieve it with the client sdk.

So my flow would be something like this:

  1. User sign in with it's credentials (which is handled by firebase itself)
  2. User encrypt some data with some unique key, which can be generated only from the credentials or from some data available only for the user, but not me. (this key needs to be persistent between sessions, or after the user changed his password.)
  3. Data is saved into the database (I cant read it since its encrypted with the user credentials)
  4. User log in on a different device (the decryption key can be generated right away and data can be decrypted.)
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
NoNameProvided
  • 8,608
  • 9
  • 40
  • 68
  • You'll need to store the decryption key somewhere. If it's in the database, you can use it. If it's in the client device, you can't migrate it to a different device. Unless the user has some part to play in remembering or transferring this key, i don't see how you can do this without involving the user – Rohit Navarathna Jul 11 '16 at 11:14
  • Yeah, but if the key could be generated form some unique value of the user auth object which is loaded only after the user is logged in with his credentials then it would work. Sadly I don't know about such a property on the auth object. – NoNameProvided Jul 11 '16 at 12:17
  • 1
    It is such a basic requirements tho, I am wondering how others tackled this problem. – NoNameProvided Jul 11 '16 at 12:18
  • I am thinking about using some third party log in such google of fb, because their user id is unique, and accessible only after the user logged in, and it cant be checked in the console because there I only can see the uuid generated by firebase. This approach worth a try. – NoNameProvided Jul 11 '16 at 12:20
  • 2
    security.stackexchange.com probably has an answer to your question. Maybe this question http://security.stackexchange.com/questions/91704/which-strategy-to-encrypt-data-accessed-by-multiple-users – Rohit Navarathna Jul 11 '16 at 12:42
  • 2
    If you do encrypt the database, you can't do any search queries on it – Rohit Navarathna Jul 13 '16 at 03:49
  • I dont need to query – NoNameProvided Jul 14 '16 at 09:36
  • 4
    If it helps, I wrote a blog post about how I solved this: http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/ – andygeers Jun 16 '17 at 14:24

1 Answers1

37

You can easily do that the following way:

  1. After user A logs in a random public private key pair is generated on his phone. eg.: use Ecc Curve25519
  2. The private key from A is stored securely on his phone
  3. The public key from A is stored in firebase and is accessible to anybody that chats with A.
  4. If X sends a message to A he fetches the public key from A from firebase encrypts the message for A locally and stores the encrypted message on firebase in the inbox from A
  5. A downloads the encrypted message from firebase and decrypts it with his private key stored on his phone

(vice versa for A to X)

If A want's to move to another phone or wants to use multiple phones you can do this that way:

  1. Ask A to define a strong password to encrypt his locally stored private key. (or create a random passphrase and use QR codes for key exchange)
  2. Encrypt the private key locally (eg.: use AES256) on his phone with the password from step 1 and upload it to firebase. (optional sign it with his private key)
  3. Download the encrypted private key from the second device from A
  4. Ask for the passphrase on the second device from A and store the private key securely (optional check the signature with the public key from A)
  5. Delete the encrypted private key from firebase if no backup is wanted
Hollerweger
  • 975
  • 1
  • 13
  • 32
  • Criteria #4 was that user could log in with a different phone and be able to access her data. So this does not work. However, it could work if a user password or some other user supplied secret was used in key generation. When you go to the new phone, user would need to re-add in their secret to unlock their data. – Aftermathew Apr 04 '17 at 17:51
  • 2
    it's described in the second part of the answer – Hollerweger Apr 04 '17 at 20:04
  • Ahh yes. Indeed it is. Sorry I missed that. – Aftermathew Apr 26 '17 at 23:10
  • @Hollerweger Hi, I'm new to encryption and I'm not sure I understood this system correctly . If an attacker gets access to the db, he would have all the users public keys available as in Step 3 we save them in Firebase and will be able to decrypt the entire db right? With the suggested schema A public key can be used by the attacker to decrypt A inbox. And so forth for the rest of the DB. Am I missing something? If I'm correct this will only slow down the app and give users the risk of not be able to retrieve their own data, right? Can you please clarify on this? Many thanks. Cheers. – Vincenzo Nov 03 '20 at 14:54
  • 2
    No, the public key can only be used for encryption not for decryption. Private key for decryption is not stored on firebase, – Hollerweger Nov 04 '20 at 08:00
  • @Hollerweger thanks.. I actually read a bit more about public key cryptography and I understand it better now.. – Vincenzo Nov 04 '20 at 08:44
  • What if the user uninstalls the app or clear's app data? The private key is forever lost and the decryption can never be done!! – Shrijan Regmi Mar 31 '23 at 15:35
  • @ShrijanRegmi Same as second part 1 of the answer. You need to store the private key encrypted securely somewhere where the use can retrieve it again and then decrypt it again with his password. – Hollerweger Apr 19 '23 at 15:14