Storing encryption secrets for each user

Hi,

I was wondering if it would be possible to store encryption secrets for each user, such that these secrets cannot be viewed by people with access to the Auth0 dashboard.

The intended use case of this is to generate an encryption key in a deterministic way for each user, without actually allowing malicious administrators to obtain the encryption key for a particular user (which would render the encryption scheme useless). Without Auth0, I would simply generate an encryption key from a hash of the user’s password (slightly different from the usual password hash stored for authentication). Therefore, a malicious DBA who only had access to the hashed authentication password would be unable to construct the encryption key for that user, and only the user would be able to do so.

I would like to implement something similar to that using Auth0, but allowing users to sign up via Social Sign-In rather than via username/passwords. Unfortunately, it appears that the only places where we can add custom data to an Auth0 user is in app_metadata and user_metadata, both of which are visible in plaintext to the administrators of the Auth0 tenant.

Is there any way I can achieve this?

Thanks in advance!


bump

(20 char minimum)

Hi @arjvik,

I took a look at this topic initially, but was unable to find any examples or insight. I think this is likely because dashboard admins typically have full control over all user data. In this scenario the user would be the only party that could access the data, right?

@dan.woda Yes, the user should be the only party with access to that data.

I’m pretty sure there is no way to do this. Dashboard admins are superusers and have access to everything. You’d need to encrypt the encryption secrets before storing them in Auth0 if you wanted to keep them secret!

That said, more granular access control to user data and the dashboard itself would be super useful. I highly recommend submitting such feature requests to Auth0: Secure access for everyone. But not just anyone.


@dan.woda @markd

Let me elaborate a bit more on the use case. Maybe I’m approaching this from the wrong standpoint.

I am a high school student, and I (along with my friends) am developing an app for use in our school. The app will handle sensitive information from teachers about student grades. We (the students) are hosting the app because the school is not able to.

However, it is crucial we cannot find out about other students' grades (as this violates several rules/laws). Our plan is to encrypt the data with the teacher’s private key, and store it in a way that we (the students) cannot access.

Is there any other way we’re overlooking?


Hopefully someone else can prove me wrong, but I think the only way to make this work and have it be secure is if the teachers hold the encryption keys, and no one else ever sees them. Whether it is Auth0 or some other system, someone is going to have superuser access somewhere and will be able to access the data.

Secure app design like this is not my forte so take this with a hefty grain of salt: Perhaps if you had a phone app, with the enc key stored securely on the phone. Teacher logs in & accesses the system, system pushes to their phone, teacher unlocks phone and approves transfer of the enc key, system can decrypt that teachers data. Key is destroyed on the app/API end when done.

Even better, phone app + api / app automatically rotates enc key and re-encrypts everything with the new key at the end of every session. Phone app maybe keeps the last 3 enc keys and your back end fully versions the data, retaining last 3 versions, so they can roll back in case something goes boom.

IMO, this is both super interesting and pretty complex!

(waiting for someone from Auth0 to come along and say ‘actually this is super easy and fully supported’!)


@markd Thanks for the response!

Making a phone app seems like it would work, but it’s also incredibly complex. In this case the phone is simply acting as a storage mechanism which we cannot access. I’m wondering if there are other SaaS services which will do the same thing: provide a storage which we (developers) cannot access, but each user can. Unfortunately I think it would have to be connected to authentication, because otherwise the app would just send a user ID to get the private key, and this can be faked by us easily.

The other option I’m considering is simply giving the Auth0 account to the school IT department (grossly incompetent), and hoping they don’t decide to play around with the dashboard and screw things up. I might even give it to a teacher I trust instead if that satisfies the administration, as teachers are much more trustworthy than the IT dept :grinning:. According to the school administration, once I graduate (in a few years) there will be no restrictions on being able to view grades of other students, so I can take over hosting it again. I’d rather not do this unless absolutely necessary though.

Thanks for the help anyway!


@markd Oh and if you’re interested, you can check out our app at https://profilr.org/about


@arjvik first, congratulation on your project!

Second, I have the same problem you have and I am still trying to solve it. I found this resource:

But I have not tested it yet.

That is not what you need but maybe works. What I plan to do to mitigate the lack of this functionality is the following:

  1. Every time that a new user registered on my site, I create an encryption key.
  2. I store the private key on the user profile on Auth0 as metadata
  3. When a user login I store in the user web session the key.

So, if your database is compromised, the sensitive data is protected. If your admin user in Auth0 is compromised, the intruder would not be able to see any data, just the private keys. If both your database and the admin user in Auth0 are compromised, you lose :frowning:

Thank you!

Unfortunately, the issue that the school administration has is that we (the students who wrote and are hosting the app) have access to student data. As we would be managing the Auth0 tenant as well as the database, we would be able to use the access key from Auth0 to decrypt the data stored in the database and recover student grades. So we wanted a way to store data for each user such that people with access to the Auth0 tenant do not have access to that information.

Thanks for the suggestion though!