Introduction to encryption
iCure uses cryptographic algorithms to ensure that only the intended recipients can read sensitive data. The iCure SDKs encrypt and decrypt sensitive data on the client-side (end-to-end), to insure the sensitive data travelling over the internet and stored in our servers cannot be read by any third party. This also includes us: the keys necessary to decrypt the sensitive data are stored only on the client side, therefore we won't be able to read the sensitive data we receive.
Symmetric and asymmetric cryptography: basics
The end-to-end encryption scheme in iCure uses standard symmetric (AES-256) and asymmetric (RSA-2048) cryptography algorithms.
Symmetric cryptography algorithms use a single secret key to encrypt and decrypt the data: if you want to share data with other users using symmetric cryptography, you will first have to agree on this key.
Asymmetric cryptography algorithms instead use pairs of keys. Each pair is composed of a private key, which must be
kept secret, and a public key, which can be safely shared with anyone. Data encrypted using the public key can be
decrypted only by using the corresponding private key. So if Bob wants to share a secret message with Alice he can
encrypt the message using Alice's public key, and only she will be able to read it.
Both approaches have advantages and disadvantages: symmetric encryption is orders of magnitude faster than asymmetric encryption, and it can be used to share data with multiple participants at the same time. However, if the participants don't share the key over a secure channel a malicious third party may be able to intercept it, compromising the confidentiality of the data. For this reason a common pattern is to use asymmetric encryption to share the key used for the symmetric encryption of the confidential data. In iCure we also follow this pattern to ensure that we can keep data confidentiality without sacrificing too much in terms of performance.
iCure encryption scheme: principles
A good way to understand the way encryption works in iCure is to understand what we want to achieve by using e2e encryption for the protection of your data. We designed the iCure encryption model based on the following principles:
Each data owner has a personal asymmetric encryption key-pair. Only the data owner itself has access to the private key.
A data owner can create data, encrypt its sensitive content, and share that piece of data with other data owners.
Only data owners that have been granted access to a piece of data are allowed to retrieve it from the iCure server.
The encrypted content of a piece of data should be decryptable only by the data owners that have been granted access to it.
Third parties should not be able to decrypt the content of a piece of data not shared with them, even if they could retrieve the encrypted data from iCure's server. These third parties include iCure and other legitimate data owners that have been granted access to the data.
The only secret required by a data owner in order to decrypt some sensitive data shared with him should be his own private key. The full decryption process may involve other secrets, but they should all be derived only from the private key and non-secret data retrievable from the iCure server.
It should not be possible to infer sensitive data just by observing the encrypted data. For example, it should not be possible to understand that patient Charlie is having frequent doctor visits, not even if the purpose of the visit can't be inferred.
As previously mentioned in iCure we use a combination of symmetric and asymmetric encryption to achieve these goals.
We will soon update this documentation with more details on how iCure uses these cryptographic algorithms to protect the users' data.