Ordinary protection has proven to be unsuitable, so we had to think outside the box, hence you got cryptoBox.
cryptoBox uses the highest levels of privacy and security and is a zero-knowledge provider. This means only YOU have the ability to access your information.
cryptoBox’s software is constantly improved and updated to provide our customers with the latest in technology and protection. This page provides an overview of cryptoBox’s security architecture, encryption methodologies and hosting environment as of the current published version. An overview into the technical details involving our encryption and security methods are described in this document.
ONLY the user has knowledge of and access to their Master Password and key that is used to encrypt and decrypt their information.
cryptoBox protects your information with AES 256-bit encryption and PBKDF2, widely accepted as the strongest encryption available.
cryptoBox offers multi-user architecture meaning you can create multiple account on the same device. Each user’s database, files, and configs are encrypted using completely separate keys from another user on same device. You can create multiple account with no security compromise to your other accounts!
User data is encrypted and decrypted at the device level not on cryptoBox servers or in the cloud.
cryptoBox utilizes Amazon AWS to host and operate the cryptoBox Stealthy Platform and architecture providing customers with the fastest and safest cloud storage. We manage your account access centrally, but even if internet is not available you can still login and browse all your contents securely!
You can import a few GB large video. Even though your video is encrypted using incredibly strong AES256 encryption and stored using the best Defense-in-depth security practices, you can play it back within split second!
cryptoBox is a zero-knowledge security provider. The cryptoBox user is the only person that has full control over the encryption and decryption of their data. With cryptoBox, encryption occurs at the user’s device level throughout the entire transport process of the user’s app to cryptoBox’s Cloud Security Vault. The encryption key that is needed to decrypt the data always resides with the cryptoBox user. cryptoBox cannot decrypt the user’s stored data.
cryptoBox does not have access to a customer’s master password nor does cryptoBox have access to the records stored within the cryptoBox vault. cryptoBox cannot remotely access a customer’s device nor can it decrypt the customer’s vault. The only information that cryptoBox Security has access to is a user’s email address, device type and subscription plan details.
Information that is stored and accessed in cryptoBox is only accessible by the customer because it is instantly encrypted and decrypted on-the-fly on the device that is being used – even when using the cryptoBox Desktop App. The method of encryption that cryptoBox uses is a well-known, trusted algorithm called AES (Advanced Encryption Standard) with a 256-bit key length. Per the Committee on National Security Systems publication CNSSP-15, AES with 256-bit key-length is sufficiently secure to encrypt classified data up to TOP SECRET classification for the U.S. Government.
The cipher keys used to encrypt and decrypt customer records are not stored or transmitted to cloud.
It is highly recommended that customers choose a strong Master Password for their cryptoBox account. This Master Password should not be used anywhere outside of cryptoBox. Users should never share their Master Password with anyone.
Data is encrypted and decrypted on the user’s device, not on the Cloud Security Vault. We call this “Client Encryption” because the client (e.g. iPhone, iPad) is doing all of the encryption work. The Cloud Security Vault stores a raw binary which is essentially useless to an intruder. Even if the data is captured when it’s transmitted between the client device and Cloud Security Vault, it cannot be decrypted or utilized to attack or compromise the user’s private data.
Breaking or hacking a symmetric 256-bit key would require 2128 times the computing power of a 128-bit key. In theory, this would take a device that would require 3×1051 years to exhaust the 256-bit key space.
cryptoBox uses PBKDF2 with HMAC-SHA256 to convert the user’s Master Password to a 256-bit encryption key with a minimum of 1,000 rounds.
All secret keys that must be stored (such as each user’s RSA private key and the Data Key), are all encrypted prior to storage or transmission. The user’s Master Password is required to decrypt any keys. Since cryptoBox’s Cloud Security Vault does NOT have access to the user’s Master Password, we cannot decrypt any of your keys or data.
The Cloud Security Safe refers to cryptoBox’s proprietary software and network architecture that is physically hosted within Amazon Web Services (AWS) infrastructure.
When the user synchronizes their cryptoBox with other devices on their account, the encrypted binary data is sent over an encrypted SSL tunnel and stored in cryptoBox’s Cloud Security Safe in encrypted format.
cryptoBox utilizes Amazon AWS to host and operate the cryptoBox solution and architecture. Utilizing Amazon AWS allows cryptoBox to seamlessly scale resources on-demand and provide customers with the fastest and safest cloud storage environment. cryptoBox operates both multi-zone and multi-region environments to maximize uptime and provide the fastest response time to customers.
To prevent unauthorized vault access, cryptoBox’s Cloud Security Vault must authenticate each user when transmitting data. Authentication is performed by comparing a PBKDF2-generated hash of the Master Password. The user’s device uses PBKDF2 to generate the hash from the Master Password and the server compares the hash to a stored hash.
By using the PBKDF2 hash instead of the Master Password itself, the Cloud Security Vault authenticates the user without requiring the Master Password. PBKDF2 is also used for generating encryption data keys, but the authentication hash is not used for data encryption.
cryptoBox supports 256-bit and 128-bit SSL to encrypt all data transport between the client application and KSI’s cloud-based storage. This is the same level of encryption trusted by millions of individuals and businesses everyday for web transactions requiring security, such as online banking, online shopping, trading stocks, accessing medical information and filing tax returns.
Touch ID on iOS devices allows you to access your cryptoBox vault on your iOS device using your fingerprint. To provide this convenient feature, an unintelligible version of your Master Password is stored in the iOS Keychain. The iOS Keychain item created for this functionality is not designated to synchronize to the iCloud Keychain and thus will not leave your iOS mobile device.
It is highly recommended that you use a complex Master Password in order to provide maximum security for your encrypted cryptoBox Vault. Using Touch ID makes it more convenient to use a complex Master Password on your iOS mobile device.
The iOS Keychain is used by iOS and apps to securely store credentials. iOS apps use the iOS Keychain to store a variety of sensitive information, including website passwords, keys, credit card numbers and Apple Pay™ information. cryptoBox does not use the iOS Keychain to store your cryptoBox records – all cryptoBox records are protected with 256-bit AES encryption and are securely stored in the cryptoBox Stealthy Platform. The iOS Keychain is also encrypted with 256-bit AES encryption using the device’s passcode. Even if the device is lost or stolen or an attacker obtains physical access to the mobile device, they will be unable to access any stored cryptoBox information. The iOS Keychain cannot be decrypted without the passcode and the cryptoBox Vault cannot be decrypted without the user’s cryptoBox Master Password.
A comprehensive external security scan is conducted regularly. cryptoBox staff periodically initiate on-demand external scans.
cryptoBox is monitored 24x7x365 to ensure that our website and Cloud Security Vault are available worldwide.
If you have any questions regarding this security disclosure, please contact us.
If you receive an email purporting to be sent from cryptoBox and you are unsure if it is legitimate, it may be a “phishing email” where the sender’s email address is forged or “spoofed”. In that case, an e-mail may contain links to a website that looks like cryptoBox Security.com but is not our site. The website may ask you for your cryptoBox Security master password or try to install unwanted software on your computer in an attempt to steal your personal information or access your computer. Other e-mails contain links that may redirect you to other potentially dangerous web sites. The message may also include attachments, which typically contain unwanted software called “malware.” If you are unsure about an email received in your inbox, you should delete it without clicking any links or opening any attachments.
If you wish to report an e-mail purporting to be from cryptoBox that you believe is a forgery or you have other security concerns involving other matters with cryptoBox, please contact us.
The cryptoBox website and cloud storage runs on secure Amazon Web Services (AWS) cloud computing infrastructure. The AWS cloud infrastructure which hosts cryptoBox’s system architecture has been certified to meet the following third-party attestations, reports and certifications:
cryptoBox understands and values the trust our customers place in us. We take security very seriously and investigate all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our services.
The information you share with cryptoBox to report a potential vulnerability or security issue is kept confidential. It will not be shared with any third parties outside of KSI without your express, written consent.
If you believe that you have experienced a vulnerability or security issue with cryptoBox software, please email us directly at firstname.lastname@example.org.
If you believe you have discovered a vulnerability in any cryptoBox product, contact cryptoBox as described above. So that we may more rapidly and effectively respond to your report, please provide any supporting material (e.g. proof-of-concept code, security tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
cryptoBox uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential reported vulnerabilities. The resulting score helps quantify the severity of the vulnerability and to prioritize our response. Additionally, cryptoBox includes CVSS base and temporal scores in our security advisories, helping customers to understand their risk and to prioritize their own responses.
In order to protect our customers, cryptoBox requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.
The unauthorized access to cryptoBox’s systems, software and/or a user’s device which runs cryptoBox is prohibited. Furthermore, the threat of disclosing or actual disclosure of any purported weakness, security flaw or degradation of our software or systems (which are proprietary and property of cryproBox) in a public forum – is prohibited.
If we determine that an entity or individual has attempted to reverse engineer, enter, infiltrate or breach our software, infrastructure and/or a user’s device (which could include a breach or weaknesses in an operating system created by or utilized by one of our strategic OEM partners), we will take swift action – either in the form of a lawsuit and/or a disclosure to appropriate local, state and federal law enforcement agencies.
If, however, your efforts were inadvertent and/or conducted in an internal setting (e.g. on a test device and not that of a cryptoBox user) and such efforts and results were not subject to a contingent threat of public disclosure or actual public disclosure, we will not bring a lawsuit against you or report you to a local, state or federal law enforcement agency.
© 2016 cryptoBox CyberSecurity Inc