whisply logo

Мы запустили наш новый сервис для отправки файлов со сквозным шифрованием прямо из Вашего браузера.

Попробуйте сейчас

Технический обзор

If you would like to learn more about how Boxcryptor works, you are in the right place here. Read on for deeper information about certain technical aspects of Boxcryptor.


Important terms specific for Boxcryptor

This short list introduces some technical terms that are crucial for understanding how Boxcryptor and its encryption works.

File key
AES encryption key used to encrypt or decrypt a file. Every file has its own unique and random file key.

User keys
Every user has its own pair of RSA-4096 keys (private and public) and additional AES-256 keys.

Password key
An AES encryption key derived from a password using the key stretching and strengthening function PBKDF2 with HMACSHA512, 10.000 iterations and a 24 byte salt.

Group key
Similar to users, every group has also its own pair of RSA-4096 keys (private and public) and additional AES-256 keys. Furthermore every group has its own unique and randomly generated membership key.

Company keys
A company can have its own pair of RSA-4096 keys (private and public) in case the master key policy is used.


How Boxcryptor encrypts and decrypts files

Boxcryptor implements a combined encryption process based on asymmetric RSA and symmetric AES encryption. Every file has its own unique random file key which is generated when the file is being created. The file key is used to encrypt and decrypt the contents of the file as follows:


Encryption:

Create a secure random file key.
Encrypt the plaintext data using the file key.
Encrypt the file key with the user's public key.
Store the encrypted file key next to the encrypted data in the encrypted file.
If multiple users have access to a file, the file key is encrypted multiple times with different user public keys and each result is stored in the encrypted file.


Decryption:

Decrypt the encrypted file key using the user's private key.
Decrypt the encrypted data using the file key.


Used Algorithms:

AES with a key length of 256 bits, CBC (Cipher Block Chaining) and PKCS7 padding.
RSA with a key length of 4096 bits and OAEP padding.


How Boxcryptor's user management works

The Boxcryptor user management has the following concepts:


User, group and company keys

  • Every user, group and company has the same set of keys which is a RSA keypair (private and public) and additional AES keys for specific purposes. Company keys are optional and are only set when the master key policy is used.
  • Boxcryptor uses additional AES keys for specific purposes and keys are not re-used for different purposes. Currently, the following additional AES keys are used in Boxcryptor. If required by new features, this list might grow in the future.
    • Wrapping key: This key is the root AES key which is used to encrypt all other AES keys stored on our servers.
    • Filename key: This key is used to encrypt filenames if filename encryption is enabled.
    • Group key: This key is used to encrypt group membership keys using AES additionally to the RSA public key encryption in order to speed up the sign in process.

User

  • A user is someone who creates a Boxcryptor account and is identifiable by his/her email address and his/her user keys.
  • The user keys are generated on the user's device during the account set-up and creation. Before the keys are submitted to the Boxcryptor Key Server, the sensitive information is encrypted so that only the user has access to it.
    • The private RSA key is encrypted with the user's password key so that knowledge of the password is required to decrypt the private RSA key.
    • The wrapping key is encrypted with the user's password key so that knowledge of the password is required to decrypt the wrapping key.
    • All other AES keys are encrypted with the wrapping key so that access to the wrapping key is required to decrypt any other AES key.

Group

  • A group is a list of users that has group keys. Additionally every group has a membership key which is used to manage group memberships.
  • The group keys are generated on a user's device when a user creates a new group. Before the keys are submitted to the Boxcryptor Key Server, the sensitive information is encrypted so that only the user who created the group has access to it.
    • The private RSA key is encrypted with the membership key so that access to the membership key is required to decrypt the private RSA key.
    • The wrapping key is encrypted with the membership key so that access to the membership key is required to decrypt the wrapping key.
    • All other AES keys are encrypted with the wrapping key so that access to the wrapping key is required to decrypt any other AES key.
    • The membership key is encrypted with the user's public RSA key so that access to the user's private RSA key is required to decrypt the membership key.
    • In order to speed up the sign in process, the membership key will be additionally AES encrypted with the user's group key on the first occasion - e.g. the next user's sign in. When the membership key is also available in AES encrypted form, subsequent sign ins can use AES decryption over RSA decryption which is a lot faster.

Example: If Alice adds Bob to her group, the group's membership key is encrypted with Bob's public RSA key. Now Bob is able to decrypt the membership key and thus the groups' private RSA key.


Company

  • Users can belong to a company which has company keys.
  • The company keys are generated on a user's device during the company account creation process. Before the keys are submitted to the Boxcryptor Key Server, the sensitive information is encrypted so that only the company administrator has access to it.
    • The company's private RSA key is encrypted a special company administration password key so that knowledge of this password is required to decrypt the company's private RSA key.
    • A company does not have any additional AES key.
  • A company can define a set of policies (rules) which apply to all users and groups belonging to the specific company (e.g. minimum password length).

NOTE: The additional AES keys have been introduced after the initial release of Boxcryptor and existing accounts are upgraded on an ongoing basis. Due to legacy reasons, the filename key is additionally encrypted with the public RSA key - referred to as "AES key" in previous versions of this documentation.


How file access sharing works

Example 1: If Alice shares access to a file with Bob, Boxcryptor executes the following steps:

  1. Alice requests Bob's public key from the Boxcryptor Key Server.
  2. Alice encrypts the file key with Bob's public key.
  3. Alice writes the new encrypted file key to the encrypted file.
  4. The cloud storage provider syncs the modified encrypted file.
  5. Bob uses his private key to decrypt the file key.
  6. Bob uses the file key to decrypt the file.

Example 2: If Alice shares access to a file with a group where Bob is member, Boxcryptor executes the following steps:

  1. Alice requests the group's public key from the Boxcryptor Key Server.
  2. Alice encrypts the file key with the group's public key.
  3. Alice writes the new encrypted file key to the encrypted file.
  4. The cloud storage provider syncs the modified encrypted file.
  5. Bob uses his private key to decrypt the group's membership key.
  6. Bob uses the group's membership key to decrypt the group's private key.
  7. Bob uses the group's private key to decrypt the file key.
  8. Bob uses the file key to decrypt the file.

Embedded content: https://www.youtube.com/watch?v=EQwZPH-j2IQ


How Boxcryptor is Zero Knowledge

Boxcryptor is a zero-knowledge service provider because any private and sensitive information that we receive from the users will always be in the encrypted form protected by the user’s password - which is never transferred to us or anyone. Only public keys are in plain text.

This is how it works:

Passwords, password keys and file keys never leave the users' devices and are never transferred anywhere or to anyone. On the other hand, user keys, group keys, and company keys are stored on the Boxcryptor Key Server in encrypted form. As we are a zero-knowledge service provider, prior to submission, all sensitive information (e.g. private RSA keys or wrapping keys) is encrypted using keys which are never submitted to the Boxcryptor Key Server (such as personal passwords) or require access to keys which are never available in plaintext to the Boxcryptor Key Server (like membership keys or wrapping keys).

The starting point for every decryption process is the user's password key as this one is required to unlock the private key and the wrapping key which are then required to unlock all other keys in the system (AES keys, file keys, membership keys, group keys, etc.). The password key however never leaves the user's device. So even though the Boxcryptor Key Server stores keys for all users, Boxcryptor is a zero-knowledge service provider because the sensitive keys are already received from the users in encrypted form. The only types of keys stored in plaintext on the Boxcryptor Key Server are public keys which do not contain any sensitive information and, as these are public, do not need to be kept confidential.


How the Company Package Master Key Works

Boxcryptor offers a special company account with additional features especially designed for companies: E.g. password reset, policy management, and a master key. The master key feature gives companies the power to decrypt every file which is accessible by the users of the specific company - without having to know the passwords of its users. When using a master key, companies can ensure that the company does not lose access to its property (files) even in complicated situations such as when a user forgets his/her password or leaves the company. The following is an example if the master key is enabled:


User Alice belongs to the company and sets or changes her password

  1. A password key is derived from the user’s password.
  2. The user's private and wrapping keys are encrypted with the password key.
  3. The password key is encrypted with the company's public key.
  4. The encrypted user's private and wrapping keys and the encrypted password key are submitted to the Boxcryptor Key Server.

Company requires access to one of Alice's files

  1. The company administrator decrypts the company's private key with the company administration password.
  2. The encrypted password key of Alice is decrypted with the company's private key.
  3. The user's private and wrapping keys are decrypted with the password key.
  4. The file key is decrypted with the user's private key.

How the Password Reset feature works

Due to Boxcryptor's zero-knowledge nature, if a user forgets or loses his/her password the user loses access to his files. Without the password, it is not possible to decrypt the user's private key and thus it's not possible to decrypt the files. However, if a company has enabled the master key feature, the company can also make use of the password reset feature. The master key feature gives administrators of the company the power to decrypt private keys of all users which belong to the specific company. This also gives the company the possibility to set a new user password by simply re-encrypting the user's private key with a new password:


Example: User Alice belongs to the company and lost her password

  1. The company administrator decrypts the company's private key with the company administration password.
  2. The encrypted password key of Alice is decrypted with the company's private key.
  3. Alice's private and wrapping keys are decrypted with the password key.
  4. A new random password is generated and a new password key is derived from it.
  5. The user's private and wrapping keys are encrypted with the new password key.
  6. The new password key is encrypted with the company's public key.
  7. The new encrypted user's private and wrapping keys and the new encrypted password key are submitted to the Boxcryptor Key Server.

How Boxcryptor handles passwords

A user's password never leaves his/her device and Boxcryptor never submits the password anywhere. The user's password is used for two purposes: User authentication and decryption of the user's private key. In both cases, Boxcryptor does not use the password itself, but derivates of the password which are called the password key and password hash. These are explained as follows


Password key

Boxcryptor uses the key stretching and strengthening standard PBKDF2 with HMACSHA512, 10.000 iterations and a random 24 byte salt to derive a strong encryption key from the password. The password key is used to decrypt the user's private RSA key.


Password hash

PBKDF2 with HMACSHA512 and 5000 iterations is also used to derive the password hash from the password but a different salt is used. To derive the password hash, a salt is used which is the combination of the user's email address and an application specific salt. The password hash is used to authenticate the user.


How the user is authenticated

When a user creates a Boxcryptor account, Boxcryptor derives the password hash from the user's password. This password hash is used for all subsequent authentication operations. Only a hash of the password hash is stored on the Boxcryptor Key Server - the password hash itself is never stored. This is how it works:


A user creates a Boxcryptor account

  1. The password hash is derived from the password.
  2. The password hash (and not the password itself) is sent to the Boxcryptor Key Server
  3. On the server, the password hash is hashed again using PBKDF2 with HMACSHA512, 10.000 iterations and the user's random 24 byte salt.
  4. On the server, this hashed password hash is then stored in encrypted form in the database.

A user logs in and authenticates himself

  1. The password hash is derived from the provided password.
  2. The email address and password hash are sent to the Boxcryptor Key Server
  3. On the server, the password hash is hashed using PBKDF2 with HMACSHA512, 10.000 iterations and the user's random 24 byte salt.
  4. On the server, this hashed password hash is compared with the value stored in the database. If it matches, the user provided the correct password and is successfully authenticated. If not, the password was wrong.

Note: This process is only required to authenticate the user against the Boxcryptor Key Server - not to get access to the encrypted files. Access to the encrypted files always relies on the correct decryption of the user's private key which requires the knowledge of the correct password. Even if an attacker would be able to fake authentication (e.g. by hacking the Boxcryptor Key Server) he would not be able to decrypt a single file without knowing the correct password only known by the users.


Which data is stored on the Boxcryptor Key Server

In order to provide a seamless user experience over a number of different devices and with core features such as file access sharing, Boxcryptor needs to store user data on the Boxcryptor Key Server. This data includes:


User information

  • General information (email, first name, last name, country, etc.)
  • Private RSA key (encrypted with the user's password)
  • Public RSA key
  • AES keys (encrypted with the user's password / wrapping key)
  • Hash of the password hash
  • Number of KDF iterations used in the key derivation functions
  • Salt
  • If a company uses the master key: Password Key (encrypted with the company's public RSA key)

Group information

  • General information (name, etc.)
  • Private RSA key (encrypted with the membership key)
  • Public RSA key
  • AES keys (encrypted with the membership key / wrapping key)
  • Membership key (encrypted with every member's public RSA key)
  • Membership key (optional - AES encrypted with every member's group key)

Company information

  • General information (name, etc.)
  • Private RSA key (encrypted with the company administration password)
  • Public RSA key
  • List of users
  • Policies

How the information on the Boxcryptor Key Server is secured

Due to Boxcryptor's zero-knowledge nature, all sensitive information received by the Boxcryptor Key Server is already encrypted (e.g. private RSA keys) or otherwise non-retrievable (e.g. password hash) and thus secured. In order to further increase security, all sensitive (e.g. key data) and also personal information (e.g. email addresses) is additionally encrypted before persisted to the database. The database encryption key is only available to the application during runtime. In case of a database breach an attacker would only be able to get access to encrypted data. See table below with some examples of how the information is saved on the server:

Email
The email address "user(at)example.org" is stored in the database as the string "SLMIL5crw/YIWDoZLU5ehifcoOsTsyg"

Private RSA key
The user's private key is already encrypted with the user's password on the client (user device). The encrypted private key is then encrypted again with the database encryption key

Password
The password is hashed already on the client (users device). The password hash is hashed again on the server and the hash of the password hash is then encrypted with the database encryption key


Why and when Boxcryptor requires an internet connection

Boxcryptor requires an internet connection to send and receive data to and from the Boxcryptor Key Server as explained in "Which data is stored on the Boxcryptor Key Server". Specifically, the following use cases require an internet connection:


Creating a Boxcryptor account

After completing the sign-up form and creating the user keys locally on the device, Boxcryptor sends the (encrypted) user information as outlined above to the Boxcryptor Key Server to create the account.


Setting up a new device

When logging in with the existing Boxcryptor account on a new device, Boxcryptor authenticates the user based on his credentials (email, password hash) and retrieves all information about the user (e.g. first name, groups, etc.) and all key data for the user (e.g. user keys, group keys of user's groups, etc.) and stores this information locally on the device.


Sharing access to a file or folder

When sharing a file or folder with another user, Boxcryptor retrieves the public key of the sepcific user from the Boxcryptor Key Server.


Managing groups

Creating, editing, or deleting a group or its group members requires access to the Boxcryptor Key Server.


Syncing cached information

While Boxcryptor is running, tries to continuously sync all user information and key data for the currently logged in user if an internet connection is available.


Usability of Boxcryptor without an internet connection or when the Key Server is unavailable?

Besides the use cases described in "Why and when Boxcryptor requires an internet connection", Boxcryptor does not need an internet connection - especially the encryption and decryption processes do not require an internet connection. Once a user has installed Boxcryptor in his/her computer and has successfully logged-in - the user's keys are transferred to the device and Boxcryptor will be fully functional to encrypt and decrypt files regardless of the internet connection. Only the use cases listed on the above mentioned section cannot be executed without a connection to the Boxcryptor Key Server.


Differences between local and Boxcryptor account

Users that are required to keep physical control over their user information and keys can choose to use Boxcryptor with a local account instead of a Boxcryptor account stored at the Boxcryptor Key Server. When using a local account, all user information and key data is stored in a key file on the local device instead of being transmitted to the Boxcryptor Key Server. Local accounts can be converted to Boxcryptor accounts (and vice versa) at any time.

Important:

Sharing access to files and folders is not available when using a local account because it requires Boxcryptor accounts and access to the Key Server. Additionally, it's the user's responsibility to take care of the key file - copying it to other devices, creating backups, etc. If the key file is lost, access to all encrypted files will be lost! (Tip: As the sensitive information in the key file (e.g. private keys) is encrypted, users can store the key file in their cloud storage.)


Which cryptographic libraries are used in Boxcryptor

In order to perform the actual "low level" encryption and random number generation, Boxcryptor relies on established and proven third-party libraries. Depending on the platform and purpose, Boxcryptor uses either popular open source libraries or libraries which are part of the underlying operating system. The following libraries are used:


Получите больше от Boxcryptor

Узнайте, кто использует Boxcryptor

Boxcryptor Company Package уже помогает людям из самых разных отраслей защитить свою ценную информацию. Посмотрите наши истории о клиентах, чтобы узнать, как они успешно используют Boxcryptor.