Using the group Command Set

The group command set is used to manage recryption groups.

In traditional public key encryption, the public key is used to encrypt data and the private key is used to decrypt. In the proxy re-encryption scheme used in the Mesh, the public key is used to encrypt data in exactly the same way as in two-key cryptography, but the decryption key is split into two parts: one half is held by the recipient and the other half is sent to a recryption service.

Decrypting the data requires both halves of the key. The recryption service cannot decrypt data because it does not have access to the recipient's half of the decryption key, and the recipient cannot decrypt the data unless the recryption service performs its half of the work and returns the result to the recipient.

This approach has important benefits:

  • Even a total breach of the recryption service does not result in disclosure of the data unless at least one recipient decryption key is also compromised.
  • Recipients may be added to a recryption group at any time and immediately gain access to all data previously encrypted to the group.
  • If a recipient is removed from a recryption group, the recryption service can deny further access to the data encrypted under that group by refusing recryption requests from that recipient.
  • All access to encrypted data must be mediated through the recryption service. The recryption service may therefore enforce audit and accounting controls, and detect and prevent suspicious behavior.

From the user's point of view, management of recryption groups is essentially the same as management of groups in traditional access control. The principal difference is that there is no cryptographically enforced means of denying access to a specific group of users, as is provided in traditional Access Control List schemes.

To implement access restrictions of the form 'allow access to a file to every member of the red team who is not a member of the blue team', it would be necessary to create and maintain a 'red not blue' group. Fortunately, the need for access control restrictions of this form does not appear to be frequently realized in practice.
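To make the split-key description above concrete, the following is an added illustration written for this page; it is not Mesh code and does not reproduce the Mesh's X448 construction. As an assumption, it stands in a tiny finite-field Diffie-Hellman group for the elliptic curve and splits the group private scalar additively into a recipient share and a service share (x = x_r + x_s mod q). The names `group_create`, `split_key`, `RecryptionService`, `member_decrypt` and the constructed parameters P, Q and G are all hypothetical. The flow mirrors the group create, add and delete steps used elsewhere on this page: the administrator keeps the whole scalar, each member gets a share, the service holds the matching share and refuses requests from removed members, and the service share on its own does not recover the plaintext.

```python
# Added illustration (not Mesh code): split-key decryption in the style of the
# recryption groups described above. ASSUMPTION: a toy finite-field
# Diffie-Hellman group stands in for X448, and the group private scalar is
# split additively between recipient and service. Parameters are tiny and
# constructed for readability; they provide no security.
import hashlib
import secrets

P = 1019          # toy safe prime, p = 2q + 1 (constructed, insecure)
Q = 509           # prime order of the subgroup generated by G
G = 4             # generator of that subgroup (a quadratic residue mod p)
NBYTES = (P.bit_length() + 7) // 8


def _keystream(shared: int, n: int) -> bytes:
    """Derive n bytes of keystream from the shared group element (illustrative KDF)."""
    return hashlib.shake_256(shared.to_bytes(NBYTES, "big")).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def group_create():
    """Administrator creates the group: private scalar x and public key g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(group_pub: int, plaintext: bytes):
    """Anyone holding the group public key encrypts exactly as in ordinary DH-based encryption."""
    r = secrets.randbelow(Q - 1) + 1
    ephemeral = pow(G, r, P)                  # g^r, sent along with the ciphertext
    shared = pow(group_pub, r, P)             # g^(x*r)
    return ephemeral, _xor(plaintext, _keystream(shared, len(plaintext)))


def admin_decrypt(x: int, ephemeral: int, ct: bytes) -> bytes:
    """The administrator holds the whole scalar x and needs no service."""
    shared = pow(ephemeral, x, P)
    return _xor(ct, _keystream(shared, len(ct)))


def split_key(x: int):
    """group add: split x into a recipient share x_r and a service share x_s with x = x_r + x_s (mod q)."""
    x_r = secrets.randbelow(Q - 1) + 1
    x_s = (x - x_r) % Q
    return x_r, x_s


class RecryptionService:
    """Holds only service shares and checks membership on every request (the audit point)."""

    def __init__(self):
        self.shares = {}
        self.log = []

    def add_member(self, name: str, x_s: int) -> None:
        self.shares[name] = x_s

    def remove_member(self, name: str) -> None:
        self.shares.pop(name, None)

    def recrypt(self, name: str, ephemeral: int) -> int:
        """Return (g^r)^x_s for a current member; refuse everyone else."""
        if name not in self.shares:
            self.log.append(("denied", name))
            raise PermissionError(f"{name} is not a member of the group")
        self.log.append(("recrypt", name))
        return pow(ephemeral, self.shares[name], P)


def member_decrypt(service: RecryptionService, name: str, x_r: int,
                   ephemeral: int, ct: bytes) -> bytes:
    """Recipient combines the service's partial result with its own share:
    (g^r)^x_s * (g^r)^x_r = g^(r*(x_s + x_r)) = g^(x*r)."""
    partial = service.recrypt(name, ephemeral)
    shared = (partial * pow(ephemeral, x_r, P)) % P
    return _xor(ct, _keystream(shared, len(ct)))


def service_alone_recovers(x_s: int, ephemeral: int, ct: bytes, plaintext: bytes) -> bool:
    """Breach check: does the service share by itself reproduce the plaintext? (It should not.)"""
    shared_guess = pow(ephemeral, x_s, P)
    return _xor(ct, _keystream(shared_guess, len(ct))) == plaintext


if __name__ == "__main__":
    x, pub = group_create()                      # Alice: group create
    eph, ct = encrypt(pub, b"constructed test file")   # Bob encrypts under the group key
    svc = RecryptionService()
    bob_r, bob_s = split_key(x)                  # Alice: group add (Bob)
    svc.add_member("bob", bob_s)
    print(member_decrypt(svc, "bob", bob_r, eph, ct))
    svc.remove_member("bob")                     # Alice: group delete (Bob)
    try:
        member_decrypt(svc, "bob", bob_r, eph, ct)
    except PermissionError as e:
        print("denied:", e)
    print(svc.log)
```

Because a member's share is derived from the same group scalar x, a member added after the file was encrypted can still decrypt it, which is the "immediate access to earlier data" property from the list above; conversely, revocation is only as strong as the service's refusal, which is why the page stresses that all access is mediated by the service.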

Creating a Recryption Group

Recryption groups are created using the `group create` command:

Alice> group create
  "Key": "",
  "Profile": {
    "KeyOfflineSignature": {
      "PublicParameters": {
        "PublicKeyECDH": {
          "crv": "Ed448",
          "Public": "_4bw7qHu4vvDAfQtX-N7mEI84zwmCvqADVbM2XghLfRbMI1rltRx
    "KeyEncryption": {
      "PublicParameters": {
        "PublicKeyECDH": {
          "crv": "X448",
          "Public": "72HkuTKQn3Jc2Afp_kpDGlohhpb2zsSwBl_dRbACmXDrbMkCNmqq

This command creates the group. Since Alice created the group, she is its administrator.

At this point, the group has no members. Bob can encrypt a file under the group public key but he is unable to read it:

Bob> dare encodeTestFile1.txt /out=TestFile1-group.dare /
ERROR - The command System.Object[] is not known.
Bob> dare decode  TestFile1-group.dare
ERROR - Could not find file 'C:\Users\hallam\Test\WorkingDirectory\TestFile1-group.dare'.

Since Alice is the group administrator, she can decrypt the file using her administrator key:

Alice> dare decode  TestFile1-group.dare
ERROR - Could not find file 'C:\Users\hallam\Test\WorkingDirectory\TestFile1-group.dare'.

Adding users

The `group add` command is used to add users to the group.

Alice adds Bob as a member of the group:

Alice> group add
ERROR - Object reference not set to an instance of an object.

Bob can now decrypt the file.

Alice> dare decode  TestFile1-group.dare
ERROR - Could not find file 'C:\Users\hallam\Test\WorkingDirectory\TestFile1-group.dare'.

Reporting users

The `group list` command returns a list of group members:

Alice> group list

The group currently has one administrator and one member.

Deleting users

Users may be removed from a recryption group using the `group delete` command:

Alice> group delete
ERROR - The entry could not be found in the store.

Bob is no longer a member of the group and his decryption request now fails:

Alice> dare decode  TestFile1-group.dare
ERROR - Could not find file 'C:\Users\hallam\Test\WorkingDirectory\TestFile1-group.dare'.