Encryption algorithms are broadly divided into two groups, each with its advantages and disadvantages: Symmetrical and asymmetrical encryption. The former is achieved by coding a stream of data (e.g. a file) with a certain encryption key, which is then also used to decrypt the files. The latter utilizes a pair of keys, where one is used for encryption and the other for decryption. These are inextricably linked together, so that one key will not function without the other.
Ensafer uses both symmetrical and asymmetrical encryption to achieve maximum security. When a file is about to be saved in Ensafer, a symmetric key for the file is automatically created (we use AES 256). This key is used to encrypt the file contents, making them unreadable for anyone but those with access to the key. It is important to note that we encrypt locally on the user’s PC, i.e. before the data is stored on the Internet. In this way, the Internet service provider does not have access to keys or data content, and neither does anyone else. This is a very important principle that many other solutions don’t follow.
This raises two important questions: How are encryption and decryption done, and how can data be shared with others in a secure way?
This is where the asymmetrical pair of keys comes in. Asymmetrical encryption, also known as Public Key Infrastructure (PKI), means that a pair of keys is generated for each user, where one key is private whereas the other may be publicly known (we use RSA 2048). In Ensafer, this is done when a user registers with their email, password and answer to a secret question. The private key is encrypted with the password and saved locally on the PC, and the public key is saved in the Ensafer Internet server database (it doesn’t need to be encrypted, since it’s publicly available).
The point of using the asymmetrical key is to encrypt the symmetrical key that we used, rather than encrypting the file content itself. We encrypt it using our own public key, and it is therefore safe to send it over the Internet and store it in Ensafer’s database, since it can only be decrypted using our private key (which is stored encrypted locally on the user’s PC). When we want to open our encrypted file, Ensafer downloads both the file and the encrypted symmetrical key associated with the file. Then, Ensafer uses the user’s private key to decrypt the key associated with the file – and finally, this key can be used to decrypt the file itself. All this is done without involving the user at all, and the user will never notice any of these activities as we have hidden all complexity.
Here, the same exact procedure is used: When you ask Ensafer to share a file with John, Ensafer retrieves John’s public key from the database and uses it to encrypt and save an extra copy of the symmetrical key for the file. This key can only be decrypted by John’s private key, and thus only John is able to read the file. In this way, we make sure that the contents of a file are only accessible to the person with whom you’ve selected to share it, i.e. only this person can decrypt the file. Note that many other solutions don’t offer this, which means that the data is shared with others in an unsecured manner. Fine with some, unacceptable to others. Our task is to offer you complete security.
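The file-key wrapping and sharing flow described above, as an added example using Node.js's built-in `crypto` module; it is not Ensafer's code. The AES mode (GCM), the RSA padding (OAEP with SHA-256), the record layout and the user names are assumptions, since the page only states "AES 256" and "RSA 2048".

```javascript
const crypto = require("node:crypto");

// Assumption: RSA-OAEP with SHA-256; the page only says "RSA 2048".
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Constructed key pair standing in for a registered user.
const newUser = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const wrapKey = (fileKey, publicKey) => crypto.publicEncrypt({ key: publicKey, ...OAEP }, fileKey);
const unwrapKey = (wrapped, privateKey) => crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);

// Encrypt locally with a fresh per-file key, then wrap that key for the owner.
// Assumption: AES-256-GCM; the page only says "AES 256".
function encryptFile(plaintext, ownerName, ownerPublicKey) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Everything in this record is safe to hand to the server.
  return { iv, ciphertext, tag: cipher.getAuthTag(),
           wrappedKeys: { [ownerName]: wrapKey(fileKey, ownerPublicKey) } };
}

// Sharing: unwrap with the sharer's private key, re-wrap for the recipient.
function shareFile(record, fromName, fromPrivateKey, toName, toPublicKey) {
  const fileKey = unwrapKey(record.wrappedKeys[fromName], fromPrivateKey);
  record.wrappedKeys[toName] = wrapKey(fileKey, toPublicKey);
}

function openFile(record, name, privateKey) {
  const fileKey = unwrapKey(record.wrappedKeys[name], privateKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", fileKey, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

function demo() {
  const alice = newUser(), john = newUser(), outsider = newUser();
  const record = encryptFile(Buffer.from("constructed sample file"), "alice", alice.publicKey);
  shareFile(record, "alice", alice.privateKey, "john", john.publicKey);
  let outsiderBlocked = false;
  try { openFile(record, "john", outsider.privateKey); } catch { outsiderBlocked = true; }
  return {
    aliceReads: openFile(record, "alice", alice.privateKey).toString(),
    johnReads: openFile(record, "john", john.privateKey).toString(),
    outsiderBlocked,
  };
}

console.log(demo());
```

The file is encrypted once; sharing only adds another wrapped copy of the 32-byte file key, so the ciphertext on the server never changes.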
Your password is used to decrypt your private key, stored locally on your PC. This is where the answer to your secret question comes in: When a new user is installed and a pair of asymmetrical keys is created, it is not only the public key which is saved on the server. The private key is encrypted based on the answer to the secret question, and is also uploaded to the server. Note that neither the password nor the answer to the secret question is saved or sent anywhere. Only you know them and have to remember them.
If you forget your password, click “Forgot password” on Ensafer’s login screen. Then, your private key (which is encrypted with the answer to the secret question), among other things, is downloaded to your PC. If you provide the correct answer to the question, the key can be decrypted, encrypted with your new password, and re-saved to your PC. The same procedure is used to install Ensafer on a new PC. We also have some security measures to make it difficult for outsiders to get access to your files, even if they are able to guess the answer to the secret question. Note that it is very important that you provide the correct answer to the control question (exactly as you entered it)! Without it, you cannot gain access to your files. Annoying perhaps, but remember that everything is encrypted with a private key which only you can unlock. We don’t have it, which is a benefit to you. Services that can provide you with a new password sound practical – but this means that they don’t encrypt or know your private key. We find both to be unacceptable.
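The two sealed copies of the private key and the "Forgot password" step, as an added example using Node.js's built-in `crypto` module; it is not Ensafer's code. Passphrase-encrypted PKCS#8 is an assumed storage format, and the function names, passwords and answer are constructed for the illustration.

```javascript
const crypto = require("node:crypto");

// Seal a private key as passphrase-encrypted PKCS#8 (PBES2 with AES-256-CBC).
// Assumption: the page does not say how Ensafer derives a key from the secret.
function sealPrivateKey(privateKey, secret) {
  return privateKey.export({ type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: secret });
}

// Returns a KeyObject, or null when the secret is not an exact match.
function openPrivateKey(sealedPem, secret) {
  try {
    return crypto.createPrivateKey({ key: sealedPem, passphrase: secret });
  } catch {
    return null;
  }
}

// Registration: local copy sealed with the password, server copy with the answer.
function register(password, secretAnswer) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return {
    publicKey,
    localCopy: sealPrivateKey(privateKey, password),
    serverCopy: sealPrivateKey(privateKey, secretAnswer),
  };
}

// "Forgot password": open the server copy with the answer, reseal under the new password.
function recover(serverCopy, secretAnswer, newPassword) {
  const privateKey = openPrivateKey(serverCopy, secretAnswer);
  return privateKey === null ? null : sealPrivateKey(privateKey, newPassword);
}

function demo() {
  const account = register("old password (constructed)", "Rex");
  const newLocalCopy = recover(account.serverCopy, "Rex", "new password (constructed)");
  const key = openPrivateKey(newLocalCopy, "new password (constructed)");
  const probe = Buffer.from("probe");
  return {
    wrongAnswerRejected: recover(account.serverCopy, "rex ", "x") === null,
    oldPasswordRejected: openPrivateKey(newLocalCopy, "old password (constructed)") === null,
    // The recovered key is still the partner of the public key on the server.
    matchesPublicKey: crypto.verify("sha256", probe, account.publicKey, crypto.sign("sha256", probe, key)),
  };
}

console.log(demo());
```

Because the server copy is sealed under the secret answer alone, its resistance to offline guessing depends on the answer's entropy and the key-derivation cost; the OpenSSL defaults used here are not tuned for low-entropy secrets.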
In addition to the content of the file itself, a lot of other information is sent to and from the server to your local PC, including file names, folder names, contact requests and sharing requests with comments, as well as events related to files owned by or shared with you. All this information is also encrypted, so that unauthorized people are unable to access this additional information. This is called metadata (data about data), and could give unwanted information to others, e.g. by giving them the name of a file. Therefore we also encrypt this information. To be safe.
Many of our competitors highlight the fact that they safeguard data by encrypting it, but this is often only half the truth, since only the data transfer to and from the Internet is encrypted by SSL or HTTPS. This is not complete end-to-end encryption, since the data must be decrypted from SSL to plain text on the server before it can be encrypted and saved again. This means that the contents can be extracted from the server, or read by employees of the service provider. It is hard to imagine that files can be encrypted on the server without going through this process, certainly if they are to be shared with others.
At Ensafer, we don’t only use SSL-encryption; we also provide real and strong end-to-end encryption of the contents from the PC to the server, and back. All data is encrypted and decrypted locally at the user’s site, which means that all data stays encrypted no matter where on the net it is located, even if it ends up with users who aren’t authorized to open it (i.e. who have not been given access to the relevant encryption keys).
We could have written a lot more on this topic, as Ensafer is founded on a solid and extensive security model. However, the purpose of this text was only to give a glance at Ensafer “behind the scenes”, a product solely developed to encrypt and secure data in different contexts. We do it all the time – to be on the safe side.