Why store private key on server?

2 years 5 months ago #241871 by r0bis
Please help us help you and fill where relevant:
Your LimeSurvey version: Version 3.28.55+230328
Own server or LimeSurvey hosting: own in a cloud (a2hosting)
Survey theme/template: default-sea-green
==================
I am going to update to V5 and I am very much interested in the possibility of encryption of responses at the question level. 
I analyse data by pulling them via RemoteControl API into R ( github.com/cloudyr/limer ). If I understand correctly, the pulled responses would be encrypted and I would need to write a routine that would decrypt the response(s) before processing them locally on my laptop. That should not be a problem as R already provides bindings to libsodium  but I am a little unclear about the keys.
Do I understand correctly that both the private and the public keys are configured in the relevant config file? /application/config/security.php
So that means if someone were to be able to attack the server that limesurvey runs on, they would get both keys and would be able to read all the responses.
I had imagined that ideally the key pair gets generated during the installation and is given to the installation owner/admin, the public key is stored on the server and is used for encryption, but decryption could only happen when the owner/administrator provides the private key. Is this something that would be possible in the future? In my case the decryption would only happen locally after the encrypted data were pulled off limesurvey. I understand that this would be inconvenient for viewing data in LS interface, but it would be great if this were an option in the future.

r0berts

2 years 5 months ago #241872 by holch
In the Limesurvey backend you can see encrypted answers "unencrypted", so the key needs to be there to show the answers in clear text in the system.

So the encryption feature is implemented differently than you imagined.

Help us to help you!
  • Provide your LS version and where it is installed (own server, uni/employer, SaaS hosting, etc.).
  • Always provide a LSS file (not LSQ or LSG).
Note: I answer at this forum in my spare time, I'm not a LimeSurvey GmbH employee.
The following user(s) said Thank You: r0bis

2 years 5 months ago #241873 by r0bis
Thanks, I understand that it is implemented differently (I think I did try to convey that in my question too - that private key was needed on the server to show the unencrypted responses).

I was wondering rather if this might seem like a good feature to add in the future. For example to encrypt the confidential data that you never want to go astray, such as textual responses by patients, or if the patient is identifiable by a response they submit. For such use cases it would be really good if LS would have an option to encrypt responses AND leave them encrypted, unless the key is deliberately supplied (locally). Right now, I understand, the main protection is from database admins or whoever is able to gain access to the database tables.

But please do not get me wrong, I think LS is fantastic as it is and it is good that there is an encryption option.

r0berts

2 years 5 months ago #241877 by holch
I agree it would be a good thing to encrypt data this way, but I think it is pretty risky for 'normal' users. And I guess it wouldn't work for the SaaS service that Limesurvey GmbH is providing.

I mean you can create a feature request. But I wouldn't get my hopes up too much. Usually it takes a while for a feature request to get implemented.

Help us to help you!
  • Provide your LS version and where it is installed (own server, uni/employer, SaaS hosting, etc.).
  • Always provide a LSS file (not LSQ or LSG).
Note: I answer at this forum in my spare time, I'm not a LimeSurvey GmbH employee.
The following user(s) said Thank You: DenisChenu, r0bis

2 years 5 months ago #242004 by DenisChenu
> I mean you can create a feature request. But I wouldn't get my hopes up too much. Usually it takes a while for a feature request to get implemented.

Yes, but here: I really think it's a must-have …
 

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer to private message.
The following user(s) said Thank You: r0bis

2 years 5 months ago #242029 by r0bis
I have created a feature request by the way. Carsten looked at it and said they would consider it; it seems sensible. The bugtracker id is bugs.limesurvey.org/view.php?id=18709

r0berts

2 years 5 months ago #242030 by DenisChenu
We need 2 different keys, one for "public" encryption (current one) and another one with "private" encryption.

Maybe private encryption key generation can be done per survey?

It's a big feature, not in 5.X, unsure for 6.X.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer to private message.

2 years 5 months ago #242032 by jelo
> We need 2 different keys, one for "public" encryption (current one) and another one with "private" encryption.
> Maybe private encryption key generation can be done per survey?

Your wording is a bit dangerous. The public key encryption has always two keys. The public key and the secret key (which some call private key).
Currently the encryption is also used to save the password of mail account settings.

The main goal of the feature request is to prevent the storage of the private key on the server.
The minimum is one keypair for application stuff (participants database, mailserver password, etc.) and one keypair for all surveys.
Some users might want one keypair for all surveys, some users might want keys per survey.
You might consider having a key-management section, where you can import/export public/private keys and assign and remove them on surveys and surveygroups.
A way to backup keys might be important for LimeSurvey cloud users as well.
 

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: r0bis

2 years 5 months ago #242033 by DenisChenu
> You might consider having a key-management section, where you can import/export public/private keys and assign and remove them on surveys and surveygroups.
> A way to backup keys might be important for LimeSurvey cloud users as well.

Ah right, the private (crypt) key can still be used to generate the public (decrypt) key …
But if you choose a "NoAutomaticDecrypt" system: the GUI must not offer to get the public (decrypt) key after generation. Else anybody with GUI access can decrypt …

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer to private message.

2 years 5 months ago #242034 by DenisChenu
> The main goal of the feature request is to prevent the storage of the private key on the server.

But you need the crypt key … then the private key must be on the server.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer to private message.

2 years 5 months ago #242037 by jelo
> But you need the crypt key … then the private key must be on the server.

The public key is to encrypt data. The private key is to decrypt data which was encrypted with the public key.

The key pair is currently created via LimeSurvey on the server. Advanced users might be offered a way to not only remove the private key from the server but also to upload a public key (which is created by the advanced user on a local system). That way the private key never needs to be on the webserver.

Slightly off-topic:
That scenario is the only one really offering security. With a private key on the webspace I don't see much protection. The main attack vector is via the webserver and not via the database server. The credentials to access the database would be available to an attacker of the webspace.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: DenisChenu, r0bis

2 years 5 months ago - 2 years 5 months ago #242045 by DenisChenu
> The public key is to encrypt data. The private key is to decrypt data which was encrypted with the public key.

You're sure of this?
With SSL and PGP: the private key encrypts data and the public key decrypts data.

It's cool if we can keep only the public key to encrypt.

(else about Off Topic : fully agree)

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer to private message.
Last edit: 2 years 5 months ago by DenisChenu.
The following user(s) said Thank You: r0bis

2 years 5 months ago #242063 by r0bis
Many thanks for discussing this. 

Just to note about keys. Sodium supports both symmetric cryptography, i.e. one key is used to encrypt and decrypt. It must be stored somewhere on the server/database so that LS would be able to encrypt. It is not what is used. If the server were to be compromised, data can be decrypted using the said key. Instead asymmetric encryption is used on LS with two keys, private and public. They are generated at the same time by a program (similar to ssh-keygen); the private key _can_ be password protected, but does not have to be. The essential bit here is that the private key should be kept in a very safe place (e.g. your own computer, memory stick, etc.). The public key may be kept wherever (even on public keyservers). The data you encrypt with the public key can only be decrypted by the private key. If both keys (pub&priv) are on the server and the server is compromised, the situation is as good as with the symmetric encryption key.

> You might consider having a key-management section, where you can import/export public/private keys and assign and remove them on surveys and surveygroups.
> A way to backup keys might be important for LimeSurvey cloud users as well.

Yes indeed. Absolutely - something like the key management for gitea or github. In the gitea scenario you are responsible for making the pub&priv key pair and then you have to upload the public key (which is easy - it is just a string of text). That might actually be the better way to implement the second encryption scenario. If that is done, I would volunteer to write the manpage in English for this. That would be encryption "method-two" (the more secure one) and would require the user to generate the keys, which is not too difficult actually. The benefit is - LS does not have to temporarily store the private key - even in server memory (if LS is to generate the key pair, then it should be reasonably sure the user has got the private key - which is doable, but may be cumbersome). What should be there - a mechanism for the user to verify that the key pair works, before they start data collection. It should not be too difficult - the user could be given some string encrypted by the public key and should be given clear instructions how to decrypt it and paste it back to LS for verification. Something like that. Or it may be just as simple as asking the user to submit some test data to the survey and decrypting on the local computer, using their private key. Which does bring up some complication - but there are open source solutions for that such as opencsv and on the basis of that there could be some local application to do that. The problem is that the csv arrives with the csv structure (commas and line breaks) unencrypted, in plain text so to speak, but the values between commas are encrypted. Processing it in R would be fairly trivial, but I am sure there could be some solutions; however, I think, they do not need to be provided by Limesurvey. Only something to make sure the public key that LS sees on the server works with the private key that the user has.

I understand - it would make things a little bit more complex, but not everyone needs to care about survey data encryption. People in healthcare have to, though.

> Slightly off-topic:
> That scenario is the only one really offering security. With a private key on the webspace I don't see much protection. The main attack vector is via the webserver and not via the database server. The credentials to access the database would be available to an attacker of the webspace.

Thanks; yes, exactly, this is why I started this topic and raised the feature request.

r0berts
The following user(s) said Thank You: DenisChenu

2 years 5 months ago #242064 by r0bis
In a public-key encryption system, anyone with a public key can encrypt a message, yielding a ciphertext, but only those who know the corresponding private key can decrypt the ciphertext to obtain the original message. [wpedia]

r0berts
The following user(s) said Thank You: DenisChenu

2 years 5 months ago #242068 by DenisChenu
Great, thanks!

Then we can have something like

- Keep the current global key
- Key management page: list of public keys
- Create a new key: allow getting the private key, but it is not saved on the server.
- In survey settings: list of keys: «Key used to encrypt data» (default to the global one)
- Survey activation disables update of the key (what about tokens?)
- If the key is not global: no decryption: some warning
     - Responses cannot be reloaded for encrypted questions
     - When exporting, get the data encrypted (specific format?)
     - Statistics are disabled for encrypted questions

About the way to decrypt: do we need to offer some tools?

Maybe create a plugin like limesurvey-encrypt, but with sodium it is easier.

When the user submits: the whole response line is deleted and saved encrypted in another table (way to save before encrypting? CSV? JSON?)
A new button to get the whole encrypted data: the whole file is encrypted.


Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer to private message.
The following user(s) said Thank You: r0bis
