My password is submitted online - is that safe, secure & zero-knowledge?

MrArtist

Hi,

I've recently started a trial of Boxcryptor and I'm concerned that all I needed to encrypt my cloud life is a password that I entered online via the Boxcryptor signup form and also again to login online (and also on devices).

On reading the Technical Overview page (https://www.boxcryptor.com/en/technical-overview/), it says several times things like "A user’s password never leaves his or her device and Boxcryptor never submits the password anywhere.", however, to sign up and login to Boxcryptor site I had to enter the password online which seems to me that it IS therefore leaving my device and submitted somewhere (contrary to what the Technical Overview says), so am I in effect entirely relying on the sign-up/login forms and backend processes being secure? The security of the signup/login forms is not mentioned anywhere that I have found.

I also feel concerned that since Boxcryptor generates and holds my public/private key, then anyone could download them if they have the password (or somehow hack BC) - How do I know someone hasn't got the password if I already entered that password directly online at the site and that, in itself, is the only thing required to decrypt my data?

It doesn't feel secure or zero-knowledge to have entered my password online, a password that also controls the encryption (in effect the password is the master key). If I can then download the encryption keys from the site, then surely that means it can't be 100% safe/zero-knowledge and is a security risk not matter how slight or reliant I am on the signup/login forms being 100% secure?

By contrast, I'm fairly sure when I used to use a well known cloud backup service that encrypted very securely and locally first, I had one separate login password for the site and software activation, but the actual encryption was done by a secondary encryption (private) key that I set myself (for local use in the software) which no one else could ever possibly know.

Is Boxcryptor truly secure/zero-knowledge? Is there any way I can ever certainly know?

I hope I can be shown it's absolutely 100% safe as I'd like to use it

Many thanks.

nahpetsM

this could be extended more generally .. I would wish that all Web-Programmers would be forced to use some kind of "trusted routine" for the password-field (one that could be proofed by the browser) .. so that a visitor can be sure that the password won't be stored uncrypted. I beleive that is the the main reson reason why passwords from Users are known (like this rumor that many uses "password123" as password, it seems nobody asked how (!!)) someone discovered this 😆 )

Christian

Dear MrArtist,

let me quickly guide go through your points, maybe I'm able to put your mind at ease here:

I had to enter the password online which seems to me that it IS therefore leaving my device and submitted somewhere (contrary to what the Technical Overview says)

The password is hashed with an individual salt and the result of that is sent to our server. A hash has the property that you cannot calculate the password back from it. That means that you password is actually not leaving your device. The key calculated from your password is hashed with a different salt. That means that from the hash we receive from you, we cannot calculate the password hash either. This actually is written in detail in our technical description. While this might seem counter intuitive, that's how hashes actually work.
Imagine it like your favorite Indian dish in a restaurant (I'm choosing Indian food here because it has quite many different spices): You can taste if they used the same recipe - it tastes as you're used to. So you can verify they used the right ingredients. But that doesn't mean that just from that taste, you know all the ingredients that went into the dish. What you are sending to our server is the dish. What you need to decrypt your files is a different dish, made from some of the same ingredients. We cannot extract the ingredients from the dish, and we cannot use the dish you sent us to cook the other dish either. We can only verify that you knew what was required for it.

I also feel concerned that since Boxcryptor generates and holds my public/private key, then anyone could download them if they have the password (or somehow hack BC).

There is no substitute for a good password. Boxcryptor can help you to keep your files safe, but it cannot remove all responsibility from you to choose a good password. And if Boxcryptor got hacked, then the attacker would still need to have the password, since your keys are encrypted with your password we do not have access to it at any point. Password-less systems have a higher demand on the end user (e.g. they now have a local key that they have to take care of and bring with them to other devices). This would result in dramatically fewer users choosing to encrypt their files, because the additional work to do so would be too high for them. At the end, you have more users storing files unencrypted, and Boxcryptor seizing to exist because too few people would be using it: A lose-lose situation.

Unfortunately, we cannot do more to prove the security of our product than to make publicly available how Boxcryptor works - and we're doing that in our technical overview. We try to make this overview as understandable as possible to everybody, but cryptography is a complex subject. There are many things possible that seem counter intuitive, as you already noticed. To verify yourself that the procedure is secure and zero knowledge, you do need to have some basic understanding of cryptography... I'm afraid there is no way around that.

So how do you know if Boxcryptor is secure? Well, if you cannot verify it yourself, there are lots and lots of crypto experts out there, and they all can read our technical overview. If our protocol had any obvious flaws in it (and the points you make would be very obvious flaws), then you could be sure that the first thing you notice when typing "Boxcryptor" into Google would be blogs and reports ripping it apart. This is not the case: A clear indicator that crypto experts don't have concerns about Boxcryptor.

Hope that helps,
Best regards,
Christian