Hello, I was wondering how organisations are secured from a cryptographic perspective.
If Admin uses master password X, then creates 10 passwords, then adds a user with master password Y, how does this user get access to the passwords? Are the passwords re-encrypted with master password Y? If yes, where and when does that happen?
Is it mathematically true to say that, as the number of users in an organisation increases, the security of the shared passwords (slightly) decreases?
Thanks in advance.
When you create an Organization, an Organization Symmetric key is generated which is then encrypted using the public key from your Generated RSA Key Pair. The private key from your Generated RSA Key Pair is encrypted with your Generated Symmetric Key. Your Generated Symmetric Key is encrypted with your Stretched Master Key which is derived from your Master Password.
So shared items are encrypted with the Organization Symmetric key and a copy of that key is encrypted with your public key. When you add someone to an organisation the server sends you a copy of the Organization Symmetric key encrypted with your public key AND their public key. You apply your private key which leaves it encrypted solely with their public key and return this to the server. The server forwards this to them and they can use their private key to obtain the unencrypted Organization Symmetric key.
This avoids the need for the server to store unencrypted vault keys. But note that you still need to trust the server to send you the Organization Symmetric key encrypted with your public key AND the other person's public key. If it's only encrypted with your public key then the server will receive the unencrypted Organization Symmetric key when you respond.
Thank you for the thorough answer!