How Encryption Is Implemented
As a gateway to the AIOZ dCDN distributed storage network, W3S encrypts data before it is stored. The encryption scheme described below is designed so that object content, metadata and even object names remain confidential, and cannot be read by anyone who does not hold the corresponding keys.
To understand the W3S encryption mechanism, a few concepts are needed first:
- Object Key: The object key, also known as the key name, serves as a unique identifier for objects within an S3 bucket.
- Encrypted Object Key: This refers to the object key after undergoing encryption. W3S exclusively stores the encrypted key for heightened security.
- Root Secret: The root secret is a confidential string generated by the user. It is employed to generate keys for encrypting and decrypting the data stored on W3S.
- Random Key: A random key is an unpredictably generated key used for encrypting both object content and metadata.
With these terms in place, the two parts of the mechanism, Object Key encryption and content/metadata encryption, are described below.
Object Key Encryption:
The Object Key is split into components separated by slash characters, and each component is encrypted at its own level. The Root Secret seeds the chain: the key used at each level is derived from the secret of the preceding level together with the preceding component, so every level depends on all of the components before it.
Consider an Object Key C1/C2/.../Cn. After encryption it becomes the Encrypted Object Key E1/E2/.../En. From the Root Secret S0 we derive the root key K0 = K(S0); the secret for the next level is S1 = hash(S0, C1), which gives the next key K1 = K(S1). The first component is encrypted with K0, so E1 = encrypt(K0, C1); the second with K1, so E2 = encrypt(K1, C2); and so on down the path.
In general, at level n: Sn = hash(Sn-1, Cn), Kn = K(Sn), and En = encrypt(Kn-1, Cn). The key that protects a component is derived from the secret of the level above it, and that component in turn feeds the secret for the level below it.
Chaining the derivation this way gives a useful property. Whoever holds the secret (and therefore the key) at a particular component level can derive the keys for all subsequent components, and so encrypt and decrypt them, but cannot work backwards to the keys of previous components, because each secret is a one-way hash of the one before it. This lets users share keys for a lower level of the path without compromising data at higher levels.
Object Content and Metadata Encryption:
When an object is uploaded, its content is split into many segments, and each segment is encrypted with its own random key generated by the server. These random keys are not stored on the server in plaintext: each is itself encrypted with a derived key produced by the process described under Object Key Encryption, which adds a further layer of protection for the data.
W3S currently uses AES-GCM for data encryption. To accommodate users' individual requirements, the ability to configure other encryption algorithms is planned for the future.