The meaning of protecting something is always incomplete until we define against whom. We may protect content from one user against the unauthorised access of other users, except by ourselves, auto proclaimed the protectors of the content. Or, we can do much better than that by allowing the users themselves to protect themselves even against our own unauthorised access. So far, the only known way for achieving that is by employing client side encryption in a zero knowledge proof schema and by the usage of asymmetric encryption keys. This, however, poses some challenges to the day-to-day operations. The first I had to face when creating the Protected Content module was the classical problem of the private key transportation. If the system has to work, the private key can not be communicated though the system. This causes two very important problems. I could ask the user to copy to himself the key, and use it whenever he had to decrypt something, bringing it with himself having had it copied somewhere else. But this approach would force users to do something that is a big burden and I wanted something that was as easy as any other conventional authentication method. Also, copying the private key somewhere else could pose even bigger security problems than storing it in the server. An hybrid approach is possible for overcomming these problems. The symmetric encryption of the asymmetric key. In other words, this allows a type of compressing of the private key in a way that it becomes at the same time defined at the client side and therefore never communicated to the server in its original form, and small enough to be remembered as a password, leaving to the attacker only a brute force option.

In this session I would like to demonstrate these concepts by showing how Protected Content integrated Drupal with OpenPGPjs in order to achieve real protection of content.