Using Microsoft Trust Services to protect a shared resource
Microsoft Codename "Trust Services" lets several parties encrypt and decrypt data held in shared resources according to policies set by an Administrator, while none of the parties has direct knowledge of the encryption key, which is managed by a Trust Server. The Administrator, identified by an X509 certificate uploaded while provisioning a Trust Server, is the only one who can decide which partners are 'trusted' and what authorization policies apply to each resource. For details on how all this is done, see the Trust Services site.
In this post I'll show you, in just a few steps, how to use it to secure a resource and share it with only a couple of partners. First of all you need X509 certificates for every actor involved, in both formats: the .CER file holding only the public part of the RSA key, and the .PFX file holding the complete RSA key pair. To be usable with the Trust Services SDK, these certificates must have a 1024-bit key and must be able to both encrypt and sign data. Note that 1024-bit RSA is well below today's recommended minimum of 2048 bits; this is a constraint of the SDK, so treat these certificates as suitable for this service only and do not reuse them elsewhere.
You can use the MakeCert tool to create the certificates you are going to need, for example:
- makecert.exe "Admin.cer" -r -n "CN=TS-Admin" -sr LocalMachine -ss My -sky exchange -pe -len 1024
- makecert.exe "Partner1.cer" -r -n "CN=TS-Partner1" -sr LocalMachine -ss My -sky exchange -pe -len 1024
- makecert.exe "Partner2.cer" -r -n "CN=TS-Partner2" -sr LocalMachine -ss My -sky exchange -pe -len 1024
Executing these commands creates three self-signed certificates that meet the Trust Services SDK requirements (-len 1024 for the key size, -sky exchange for a key that can both encrypt and sign, -pe so the private key is exportable). Each certificate is written to the .CER file named on the command line and installed, with its private key, in the LocalMachine/My certificate store, from which you can then export the .PFX files you need.
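The following PowerShell script is an added example and is not code from the original post or from the Trust Services SDK. It reads each certificate created above back from LocalMachine\My, checks it against the requirements just stated (1024-bit RSA, usable for both encryption and signing, private key present and exportable) and writes the .PFX and .CER files. The output folder, the file names, the password prompt and the assumption that it runs elevated on Windows PowerShell with .NET Framework 4.6 or later are mine.

```powershell
# Added example, not part of the original post or the Trust Services SDK.
# Assumes: run as Administrator (LocalMachine\My private keys need it),
# Windows PowerShell with .NET Framework 4.6+ (for GetRSAPublicKey).
# Subject -> file base name, matching the makecert commands above.
$parties = [ordered]@{
    'CN=TS-Admin'    = 'Admin'
    'CN=TS-Partner1' = 'Partner1'
    'CN=TS-Partner2' = 'Partner2'
}
$outDir      = 'C:\TrustServices\certs'                 # placeholder path
$pfxPassword = Read-Host -AsSecureString 'PFX password' # never hard-code it

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($subject in $parties.Keys) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $subject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }

    # 1. The SDK expects a 1024-bit RSA key (weak by today's standards, but required).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa -or $rsa.KeySize -ne 1024) {
        throw "${subject}: expected a 1024-bit RSA key, found '$($rsa.KeySize)'"
    }

    # 2. Both encryption and signing must be allowed. makecert's '-sky exchange'
    #    creates such a key; a Key Usage extension, if one is present, must not
    #    restrict it. No extension means no restriction.
    $ku = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
          Select-Object -First 1
    if ($ku) {
        $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        if (($ku.KeyUsages -band $need) -ne $need) {
            throw "${subject}: Key Usage '$($ku.KeyUsages)' does not allow both signing and encryption"
        }
    }

    # 3. The .PFX must carry the private key, so it has to be present and
    #    exportable (makecert's -pe switch). Export() throws on a non-exportable key.
    if (-not $cert.HasPrivateKey) { throw "${subject}: no private key in the store" }
    try {
        $pfxBytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "${subject}: private key is not exportable; re-create the certificate with -pe"
    }

    # 4. Write both artefacts: .PFX (full key pair, kept by the party itself) and
    #    .CER (public part only, the one uploaded to or shared with the Trust Server).
    $name = $parties[$subject]
    [System.IO.File]::WriteAllBytes("$outDir\$name.pfx", $pfxBytes)
    [System.IO.File]::WriteAllBytes("$outDir\$name.cer",
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    Write-Host "$subject OK (thumbprint $($cert.Thumbprint)) -> $outDir\$name.pfx, $name.cer"
}
```

The .PFX files contain private keys and should be handed only to the party they belong to and protected accordingly; only the .CER files are meant to leave that party's machine.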
The next step is to provision a Trust Server. To do this, go to the Trust Services site, click the 'Use the Service' link, sign in with your Live ID and create a new Trust Server, supplying the Admin.cer created above as the TSPA's certificate.
The main scenario for this service is protecting sensitive data that you upload to the Cloud. Nevertheless, let's suppose that you have a shared repository in the file system where you store sensitive data that should be readable only by authorized partners, even though everyone can reach the repository itself. So first of all you have to define an ID for the resource or set of resources you want to protect. This is a simple task, as you only need to define a resource Uri like the following one:
The next step is to use the management API via the SDK to authorize Partner1 and Partner2 to access the resources:
By doing this you establish an encryption policy for the Resource Uri and allow only those two partners to access it. Now let's suppose that Partner1 wants to update the data and store it (protected) in the shared repository; it can easily do that by using the SDK as shown below:
By executing the code shown above, Partner1 stores the PlainData.txt file in the shared repository in encrypted form. Performing this operation through the Trust Server ensures that the data cannot be read by unauthorized parties and that none of the partners holds the key needed to decrypt it. So if the Administrator later removes a partner from the list of authorized parties at the Trust Server, that partner will no longer be able to read the file content.
When the authorized Partner2 wants to read the data stored in that shared resource he can do that by performing the following operations:
Partner2 can read the original (decrypted) data as long as it belongs to the list of authorized partners at the Trust Server; if the Administrator revokes its privileges it can no longer decrypt CipherData.enc, because it never held the encryption key. Keep in mind that revocation only affects what a partner can decrypt from that point on: any plaintext it already read and kept a copy of is, of course, still in its hands.
To understand the mechanism that secures the data and how the keys are managed so that no party learns them, I recommend the videos on the web site mentioned above.