
I wish to distribute a file from A to an automated system B.

The requirements are:

  • Contents are encrypted
  • Contents are tamper proof
  • Contents origin is verified

To do this I have devised the following system. A key pair is created, where A (origin) has the private key and B (destination) has the public key. Note: I say public and private here for the sake of simplicity; none of the keys are actually publicized.

Steps at A:

  1. Generate a random 256-bit symmetric key (AES) and a 96-bit nonce
  2. Encrypt {contents} with AES-GCM using the 256-bit key and 96-bit nonce to produce the ciphertext and a MAC
  3. Encrypt {key, nonce, mac} using the private key and append it to the ciphertext
  4. Send the ciphertext + encrypted key, nonce and MAC from step 3 to the destination B

Steps at B:

  1. Decrypt the encrypted key, nonce and MAC using the public key
  2. Use the decrypted key, nonce and MAC to decrypt and verify the contents

It seems to me that this would both verify authenticity (since the key+MAC is effectively signed using the private key) as well as provide given the prerequisite that the automated system B has not already been tampered with.

In theory, if an attacker were to obtain the public key (from some other attack on B), non-tampered-with systems would still be able to securely receive files from the origin, although the attacker that obtained the public key would be able to read the contents but not tamper with them.

Am I missing something?

Jek
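The scheme described in the post, written out as an added example in Go using only the standard library; this is not the poster's code. Assumptions the post does not state: the asymmetric key pair is a 2048-bit RSA key; "encrypt with the private key" is taken literally as the raw RSA private-exponent operation s = m^d mod n with no padding, inverted at B by m = s^e mod n; the wire layout (AES-GCM ciphertext with the 16-byte tag stripped, followed by the fixed-length wrapped {key, nonce, mac} blob) and the sample contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// Sizes fixed by the post: 256-bit AES key, 96-bit GCM nonce, 128-bit GCM tag (the MAC).
const (
	keyLen   = 32
	nonceLen = 12
	tagLen   = 16
	blobLen  = keyLen + nonceLen + tagLen
)

// Package is what A sends to B. The layout is an assumption of this example.
type Package struct {
	Ciphertext  []byte // AES-GCM ciphertext with the tag removed
	WrappedBlob []byte // {key, nonce, mac} after the private-key operation
}

// wrapWithPrivateKey is the post's "encrypt with the private key", taken literally as
// the raw RSA private-exponent operation s = m^d mod n. The post specifies no padding,
// so none is applied here (assumption).
func wrapWithPrivateKey(priv *rsa.PrivateKey, blob []byte) []byte {
	m := new(big.Int).SetBytes(blob)
	s := new(big.Int).Exp(m, priv.D, priv.N)
	return s.FillBytes(make([]byte, (priv.N.BitLen()+7)/8)) // fixed-length encoding
}

// unwrapWithPublicKey is B's "decrypt with the public key": m = s^e mod n.
func unwrapWithPublicKey(pub *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	s := new(big.Int).SetBytes(wrapped)
	if s.Cmp(pub.N) >= 0 {
		return nil, errors.New("wrapped blob is not below the modulus")
	}
	m := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	if m.BitLen() > blobLen*8 {
		return nil, errors.New("unwrapped value does not fit a {key, nonce, mac} blob")
	}
	return m.FillBytes(make([]byte, blobLen)), nil // restores any leading zero bytes
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs A's steps 1-4.
func Seal(priv *rsa.PrivateKey, contents []byte) (*Package, error) {
	blob := make([]byte, blobLen) // key || nonce || mac
	if _, err := rand.Read(blob[:keyLen+nonceLen]); err != nil { // step 1
		return nil, err
	}
	gcm, err := newGCM(blob[:keyLen])
	if err != nil {
		return nil, err
	}
	// Step 2. Go's GCM appends the tag to the ciphertext; split it off so the MAC
	// travels inside the wrapped blob, as the post describes.
	sealed := gcm.Seal(nil, blob[keyLen:keyLen+nonceLen], contents, nil)
	ct := sealed[:len(sealed)-tagLen]
	copy(blob[keyLen+nonceLen:], sealed[len(sealed)-tagLen:])
	return &Package{Ciphertext: ct, WrappedBlob: wrapWithPrivateKey(priv, blob)}, nil // steps 3-4
}

// Open performs B's steps 1-2. gcm.Open checks the recovered MAC against the
// ciphertext, so a modified ciphertext or a modified wrapped blob fails here.
func Open(pub *rsa.PublicKey, pkg *Package) ([]byte, error) {
	blob, err := unwrapWithPublicKey(pub, pkg.WrappedBlob) // step 1
	if err != nil {
		return nil, err
	}
	key, nonce, tag := blob[:keyLen], blob[keyLen:keyLen+nonceLen], blob[keyLen+nonceLen:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	withTag := append(append([]byte{}, pkg.Ciphertext...), tag...)
	return gcm.Open(nil, nonce, withTag, nil) // step 2
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key type and size
	if err != nil {
		panic(err)
	}
	contents := []byte("constructed sample contents for the example") // constructed input
	pkg, err := Seal(priv, contents)
	if err != nil {
		panic(err)
	}
	got, err := Open(&priv.PublicKey, pkg)
	fmt.Println("untampered package accepted:", err == nil && bytes.Equal(got, contents))
	pkg.Ciphertext[0] ^= 0x01 // flip one ciphertext bit in transit
	_, err = Open(&priv.PublicKey, pkg)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The only check B performs is the tag comparison inside gcm.Open, using the key, nonce and MAC it recovered from the wrapped blob; that is where both the tamper-proof and the origin requirements of the post are enforced in this construction. As the post itself notes, anyone holding the public key can perform the unwrap step and therefore recover the AES key, which is why the example keeps that key out of any public channel.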