Security

Secure Sharing of Secrets


Zoho Vault enables you to securely share secrets among the trusted members of your organization. The sharing process has also been designed to follow the highest levels of information security and privacy standards.

The sharing process leverages both host-proof hosting and RSA encryption. RSA public and private keys are generated for each user of your organization. The organization administrator and users 'shake hands' to initiate the sharing process. During the handshake, which is a one-time process, the keys are shared between the administrator and users. All key generation and sharing happens in the background, without the need for any manual intervention. If you are curious to know how we do the sharing process, just read on:


Step 1:


When the org administrator signs up with Zoho Vault, an RSA public-private key pair is generated for him. In addition, a new key named 'Org Key' is created. The 'Org Key' is an AES 32-bit key, which is unique to every organization. The org admin's private key is encrypted using the org admin's passphrase and stored in Zoho Vault's database. Similarly, the 'Org Key' is encrypted using the org admin's RSA public key and stored in the database. So, Zoho Vault stores only the encrypted forms of the org admin's private key and the 'Org Key'. As per the host-proof-hosting model, the org admin's passphrase is not stored anywhere on the server. It exists only in the memory of the org administrator.


Step 2:


When users of your organization sign up with Zoho Vault, an RSA public-private key pair is generated for each of them. Each user's private key is encrypted using his passphrase and stored in Zoho Vault's database.


Step 3:


When the org admin 'shakes hands' with an org user, the 'Encrypted Org Key' stored in the database is retrieved and first decrypted using the org admin's private key. Then, the 'Org Key' is encrypted using the user's RSA public key, and this new 'Encrypted Org Key' is shared with the user and stored in his space in the database. This process is done for each user of Zoho Vault.


Step 4:


When the user tries to share a secret, the user's private key, which is stored in encrypted form in the database, is first retrieved and decrypted using the user's passphrase. Then, the 'Encrypted Org Key' shared with the user by the administrator is retrieved and decrypted using the user's private key. The password to be shared is now encrypted using the 'Org Key'.
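The four steps above, modelled with Node's built-in crypto module as an added example; this is not Zoho Vault's own code. The 32-byte org key, RSA-2048 with OAEP, AES-256-GCM, the passphrase-encrypted PEM format and all function names are assumptions, since the page does not specify them.

```javascript
// Added example (not Zoho Vault code): the key hierarchy of Steps 1-4.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Steps 1 and 2: each user gets an RSA pair; only the passphrase-encrypted private key is stored.
function enroll(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }),
    encryptedPrivatePem: privateKey.export({ type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase }),
  };
}
// Client side only: the passphrase unlocks the private key; a wrong passphrase throws.
const unlock = (record, passphrase) => crypto.createPrivateKey({ key: record.encryptedPrivatePem, passphrase });
const wrapOrgKey = (orgKey, publicPem) => crypto.publicEncrypt({ key: publicPem, ...OAEP }, orgKey);
const unwrapOrgKey = (wrapped, privateKey) => crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);

// Step 3: the admin unwraps the org key and re-wraps it under the user's public key.
function handshake(adminRecord, adminPassphrase, adminWrappedOrgKey, userPublicPem) {
  const orgKey = unwrapOrgKey(adminWrappedOrgKey, unlock(adminRecord, adminPassphrase));
  return wrapOrgKey(orgKey, userPublicPem);
}

// Step 4: shared secrets are encrypted under the org key (authenticated mode assumed).
function encryptSecret(orgKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', orgKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function decryptSecret(orgKey, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', orgKey, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// End-to-end run with constructed passphrases and a constructed secret.
function demo() {
  const admin = enroll('admin passphrase (constructed)');
  const user = enroll('user A1 passphrase (constructed)');
  const orgKey = crypto.randomBytes(32); // assumed 32-byte AES key
  const adminWrapped = wrapOrgKey(orgKey, admin.publicPem); // Step 1: stored server-side
  const userWrapped = handshake(admin, 'admin passphrase (constructed)', adminWrapped, user.publicPem);
  const stored = encryptSecret(orgKey, 'db-password (constructed)');
  const userOrgKey = unwrapOrgKey(userWrapped, unlock(user, 'user A1 passphrase (constructed)'));
  return { recovered: decryptSecret(userOrgKey, stored), sameKey: userOrgKey.equals(orgKey), user };
}
```

Everything the server would hold in this model (`encryptedPrivatePem`, the wrapped org keys, and the `iv`/`ct`/`tag` record) is ciphertext; the org key exists in the clear only on the client after a passphrase unlocks a private key.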


Password Sharing - Flow of Events


Assume a user 'ABC' is the admin in the organization and he wants to share one of his existing passwords with, say, five other org users, say A1, A2, A3, A4, A5.

  • As the password being shared is owned by 'ABC', it is stored in Zoho Vault encrypted using user ABC's passphrase
  • When sharing is initiated, the password is decrypted using ABC's passphrase
  • Now, the password is encrypted using Org Key
  • The password encrypted as above is stored in the database
  • ABC now shares the above password with A1, A2, A3, A4 & A5. Internally, the above password, which was encrypted using Org key is mapped to A1, A2, A3, A4 & A5.

How do A1, A2, A3, A4 & A5 retrieve passwords?

  • Users A1, A2, A3, A4 & A5 decrypt their respective RSA private keys using their respective passphrases
  • Users A1, A2, A3, A4 & A5 decrypt the 'Encrypted Org Key' using their respective RSA private keys (obtained in the step detailed above)
  • Using the 'Org Key', the user retrieves the password

What happens when a shared password is changed?

Assume user A1 changes the password.

  • The shared password is decrypted using Org key and shown
  • The new password is encrypted using Org key and updated in the database

Important Note:

As you would have observed in the above flow, the 'Org Key', which is used for encrypting/decrypting shared secrets, resides in the browser when sharing is used in the organization. Technically speaking, it is possible for a tech-savvy person to retrieve the 'Org Key' when he is logged in to Zoho Vault. However, the key can be exploited only when the holder gets access to Zoho Vault's database. Since Zoho's datacenters follow state-of-the-art security norms, this is nearly an impossibility. Since Zoho Vault follows the host-proof-hosting technology, it is impossible even for Zoho to access the 'Org Key'.
