Re-Encrypt AES part if session key already used

[silverdaz]

We would like to ensure that each vault file has a unique session key to open it.

If a user uses a separate method to produce the crypt4gh file format (for example), which reuses a session key that can open multiple files, we need to re-encrypt the files in the vault.

Procedure to check if the key is unique We store the session key's SHA-2 hash in the database. If the hash is unique, so is the session key, (but not vice-versa).

• If already there, we raise a User Error exception for the moment. Later, we can re-encrypt the file with a newly-generated random key (and repeat the check procedure).
• If not there, we proceed with the ingestion.

This check is included at the verification step, since it is when the header gets decrypted and the session key used.

[silverdaz]

After discussions (with Jordi and Oscar), we could provide the users with a tool to check if a session key is reused more than once in a given set of files (say, a listing from some directory).

It seems to be a User Error to re-use the same session key to encrypt multiple files.

We reject these files (but the first one) and keep therefore the following predicate over the vault:

The session key opening a vault file can not open another vault file

[dtitov]

Will this check be included in lega-cryptor?