Key sharing Slack discussion

chase [9:35 AM]
@jude @aaronb @larry, i think this is kind of a general encryption question but looking for advice. Let’s say I have a need to share a private key via a query parameter so that another application can use it as a key encryption key. I definitely want to avoid passing around the appPrivateKey, but I’m wondering if a derived key that I can deterministically regenerate will do the trick (for instance, if I encrypted the app url with the user’s private key and sent that)… is that a safe practice?

aaronb [9:38 AM]
it’s safe to pass a derived key which is a hardened child

aaronb [9:38 AM]
but you still want to pass it encrypted if its in the query parameter

chase [9:42 AM]
@aaronb “pass it encrypted” meaning appPrivateKey + URL already run through the algorithm ?

aaronb [2 hours ago]
there’s 2 things here: 1. the application private key should not itself be shared with another party. you can share a derived key so long as it is a hardened child

  1. the derived key itself must be encrypted before it is added to the query string

this is because query strings are pretty non-secure
like, any user that walks by your browser can usually read past query strings by just typing the beginning of a url into the browser

chase [9:50 AM]
Does it need to be encrypted with a secondary key, or can it be reencrypted with the appprivatekey?

aaronb [9:51 AM]
it will need to be encrypted with a key that the recipient can decrypt

chase [9:51 AM]
So what if I’m sharing data between two apps and I’m logged into both. With blockstack, do we get a common key that both apps can reference?

aaronb [9:53 AM]
no, there’s no shared private key between the two apps
both apps do have an appPrivateKey, which they can write the public key of to a well-known location
like /appPublicKey.json
and then from App A, I can getFile('appPublicKey.json', {app: 'appB'})

chase [9:57 AM]
Is that problematic, lets say Facebook 2.0 is built on Blockstack and someone discovers that the query param key is just encrypted with another app’s public key

aaronb [2 hours ago]
I’m not sure what’s getting used where in this hypothetical. However, if you encrypt something with a given public key, only the owner of the private key would be able to decrypt it.