Using Private Blockchain Network for End-to-End Encryption of Documents in ONLYOFFICE
Want to learn more about using a private blockchain network for end-to-end encryption?
The existing document security measures are not fully sufficient. ONLYOFFICE created a solution to this problem that combines end-to-end encryption with blockchain technology. Read this article to learn more, and take part in the testing of the developer preview.
Why Basic Encryption Won’t Ever Succeed
Existing encryption technologies have small but significant gaps when it comes to cloud security incidents, namely leaks, insider access to the storage, or interference with data in transit. This happens for reasons related to both the solution and the users.
What’s the User’s Fault?
When encrypting documents with their own passwords, users tend to set weak ones or reuse them, because remembering many complex passwords is impossible. Later, to give access to someone else, these passwords are sent via unprotected channels, such as messaging apps or email.
What’s the Provider’s Fault?
On the other hand, when data is encrypted in the cloud, it happens on the server side, which exposes the information to service providers. In most cases, it is stored in the encrypted form only at rest (when it is not used) and is then decrypted before any operation with this data is performed.
This leads to the recognition that companies and security-conscious individuals need a technology that protects the data end-to-end and keeps it encrypted throughout its whole existence, while remaining understandable and user-friendly. This is where the new idea, pioneered by ONLYOFFICE, comes in.
ONLYOFFICE’s New Know-How
The key value of the end-to-end encryption technology created by ONLYOFFICE lies in the use of a private blockchain network, which plays the role of an incorruptible data guardian. While the documents are encrypted with the AES-256 algorithm, the keys are safely stored and transferred, removing the need to sacrifice cloud sharing and collaboration in the name of safety.
Let’s see how it works to understand how such a level of document security became achievable.
How it Works
First, let’s have a look at the anatomy of the solution:
- Parity and Ethereum blockchain as a base for the test network.
- ONLYOFFICE Desktop editors as a primary interface.
- AES-256 symmetric encryption algorithm for document encryption.
- Asymmetric encryption for secure transfer of the encryption data.
- ONLYOFFICE cloud as a collaborative environment.
Building the Test Network
Parity was chosen as the Ethereum client for the test network because it is an actively developed project with a fully documented library API. Feature-wise, Parity supports the Proof-of-Authority consensus mechanism, which is, in this case, vital for controlling the network and validating the stored encryption data.
Parity shows both high reliability and cost-effectiveness:
1. Thanks to the consensus mechanism, no single authority has enough power to act on its own, hence the resistance to flooding of the network and to any tampering with the data.
2. Blocks are issued at steady intervals, making the network behavior extremely predictable.
3. Parity is also much less computationally intensive: a minimal memory and storage footprint guarantees lower costs than most of the alternatives.
The existing test network is built on three smart contracts: one for defining and removing authorities, one for storing the passwords for the encrypted documents, and one for managing access rights for the authorities (here, only ONLYOFFICE can create new smart contracts, for instance).
Technically, one authority is enough for validating operations, which in this case is ONLYOFFICE. However, for a complete, field-ready product, the more authorities take part, the more secure and reliable the blockchain is.
For the developer preview of end-to-end document encryption, ONLYOFFICE used two nodes on DigitalOcean with a minimal configuration sufficient for establishing an operational network. Each node has 1 GB RAM, 1 GHz CPU, 25 GB SSD disk and 1000 GB for transfer.
To reduce the risk of information leakage, the documents are encrypted locally, using the ONLYOFFICE Desktop Editors. When working in a browser, the flow of information cannot be fully controlled, while the user desktop is technically a combination of a client and an independent server, which helps limit the data travel.
The editor’s UI in the ONLYOFFICE desktop client is similar to that of the online suite, thanks to the shared source code. The suite is cross-platform, which was achieved with the Chromium V8 engine, also used, for instance, in ONLYOFFICE server solutions for file building.
For interacting with the nodes in the Ethereum network, ONLYOFFICE Desktop Editors suite uses the integrated web3.js library.
The Encryption Algorithm
Advanced Encryption Standard (AES) is used for encrypting documents in ONLYOFFICE. Here, not only the documents themselves are encrypted, but also all the temporary files and individual changes that are sent to the server while editing online.
The application automatically generates 256-bit passwords that are neither shown nor locally stored. You can try AES-256 encryption yourself with any text using the special web tool.
Protecting the Passwords
The passwords are encrypted too, with an asymmetric encryption algorithm, and stored in the blockchain.
A pair of keys is generated at the moment of registration in the blockchain network: one public, for encrypting the document, and one private, for decrypting it. The public key is saved to the user database in ONLYOFFICE, while the private key stays in the user account.
When the document is encrypted, the password is sent to the network in the encrypted form, together with the document’s UUID and the information about its author. To decrypt the document, the private key is used.
This approach allows us to not only encrypt the personal documents but also take advantage of encrypted sharing and even collaborative editing.
Sharing and Co-Editing
When user A shares the document with user B, the password for the document is encrypted with B’s public key taken from the above-mentioned database. When B’s machine receives the message with the password and the document info, the password is decrypted with their private key on the client side.
This technically works just like email: you need the user’s email address to send the message, while receiving and reading the mail requires knowing the password. But what happens if you make a ‘mailing’?
Let’s assume this time A shares their document with C and D for co-editing. Just as described earlier, the document’s password is encrypted using the public keys. However, it is done independently for each user: it is encrypted for user C using C’s public key, and for D using D’s public key.
When A makes an input in the document, it is encrypted separately and sent to each user via the server to be then decrypted on their local machines, where they see this input in real time. Basically, in the user experience, there’s no difference if they are editing with or without the encrypted mode.
Note: each user must have the encrypted mode on and must be logged in to the ONLYOFFICE cloud. Obviously, encrypted co-editing is only possible via ONLYOFFICE Desktop Editors.
To try end-to-end document encryption in ONLYOFFICE right away, follow the short instructions below.
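The key handling described in "Protecting the Passwords" and "Sharing and Co-Editing" can be sketched in Node.js as follows. This is an added example, not ONLYOFFICE code: the article names neither the asymmetric algorithm nor the AES mode, so RSA-OAEP and AES-256-GCM are assumptions here, as are all function and field names.

```javascript
// Added illustration, not ONLYOFFICE code. Assumptions: RSA-OAEP for the asymmetric
// step, AES-256-GCM as the AES mode, and all function and field names.
const crypto = require('node:crypto');

// Registration: public key goes to the user database, private key stays with the user.
function registerUser(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Encrypt the document once under a random 256-bit key, then wrap that key
// independently for every recipient with that recipient's public key.
function encryptAndShare(plaintext, author, recipients) {
  const docKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', docKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const doc = { uuid: crypto.randomUUID(), iv, tag: cipher.getAuthTag(), ciphertext };
  // One record per recipient: wrapped key plus the document UUID and author info.
  const records = recipients.map((r) => ({
    uuid: doc.uuid, author: author.name, recipient: r.name,
    wrappedKey: crypto.publicEncrypt(oaep(r.publicKey), docKey),
  }));
  return { doc, records };
}

// Client side: find this user's record, unwrap the key, decrypt and authenticate.
function openDocument(doc, records, user) {
  const rec = records.find((r) => r.uuid === doc.uuid && r.recipient === user.name);
  if (!rec) throw new Error(`no key record for ${user.name}`);
  const docKey = crypto.privateDecrypt(oaep(user.privateKey), rec.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', docKey, doc.iv);
  decipher.setAuthTag(doc.tag);
  return Buffer.concat([decipher.update(doc.ciphertext), decipher.final()]).toString('utf8');
}

// True only if `user` holds the private key matching the record's wrapped key.
function canUnwrap(record, user) {
  try { crypto.privateDecrypt(oaep(user.privateKey), record.wrappedKey); return true; }
  catch { return false; }
}

// Constructed demo: A shares a sample text with C and D.
function demo() {
  const [a, c, d] = ['A', 'C', 'D'].map(registerUser);
  const { doc, records } = encryptAndShare('constructed sample text', a, [a, c, d]);
  return { readByC: openDocument(doc, records, c), dUnwrapsCsRecord: canUnwrap(records[1], d) };
}
```

The document is encrypted only once; what grows with the number of collaborators is the set of small wrapped-key records, and a record is useless to anyone but the holder of the matching private key.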
Testing End-to-End Encryption in ONLYOFFICE
- Install the latest version of ONLYOFFICE Desktop Editors.
- Open the application and connect to ONLYOFFICE cloud in the Connect to cloud section (not necessary for individual document encryption).
- Go to Settings and enable end-to-end encryption. You will now see the End-to-end encryption section on the left panel.
- Enable the end-to-end encryption mode and register your account in ONLYOFFICE blockchain network.
The ONLYOFFICE team is looking forward to creating a community of enthusiasts who are ready to test the new technology and share their feedback. This is very important for the initial polishing of the solution and going into the Beta release.
If you are interested in taking part or have any specific questions, please visit the dedicated page on GitHub.