Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Security Your Rights Online

Encrypted Email and Online File Storage - Cryptoheaven 33

Adam: Kurzawa writes: "CryptoHeaven is a new online service offering secure services: secure free mail, secure file sharing, distribution and storage secure instant messaging, secure discussion lists, automatic key and contact management, no third party key holder, all services integrated into one user interface, accessible anywhere, anytime CryptoHeaven uses the AES symmetric cipher Rijndael with 256 bit symmetric key, public-key cryptography with 2048-4096 bit asymmetric keys (user selectable) and SHA-256 message digest function. Free and premium accounts are available. Source code is available for download free of charge."
This discussion has been archived. No new comments can be posted.

Encrypted Email and Online File Storage - Cryptoheaven

Comments Filter:
  • by pwagland ( 472537 ) on Tuesday November 27, 2001 @08:05AM (#2618575) Journal
    I am not sure at what market this is aimed.

    It has all of the facilities to do "access from anywhere" computing, except to do that, you have to store your private key on the server (or at least be able to get access to it from anywhere).

    If the private key is on the server, then the system is potentially compromisable, and it would appear to lose the it's main selling point.

    OK, fine, then don't store your private key on the server. But that means that you are restricted as to where you view the data from, or you must have some means of transporting the private key. But if you are going to restrict yourself to this, then why not just store the secure data on this secure machine? So that appears to be another class of people eliminated...

    OK, so then, who is left. I can see how people would like to use this as an anomyous service, but to do that, you have to leave the private keys on the server, otherwise they can pin the account to you. But, this seems inherently dangerous, since one can sniff the password from the server, decrypt your private key, and use/abus your account.

    So again I ask, what are the target demographics here? As far as I can tell it is not the security conscious, and it is not the truly paranoid. So who?

    • It has all of the facilities to do "access from anywhere" computing, except to do that, you have to store your private key on the server (or at least be able to get access to it from anywhere).

      I dont think so. The key is created on the client side using Java crypto. Uploading the private key to the server is optional. The only thing you need to access the service thereafter is the jarfiles which make the UI, and a JDK 1.3 RT. You can carry your key around with you on a self-destructable (10 seconds, Jim...) floppy, if you're really concerned about access from anywhere.

    • The base model seems to be the same as Hushmails (with the one exception of an option to store the key locally; hushmail doesn't have that)

      at least at first glance, it looks good - actual encryption model is very pgplike, with public keys protecting session keys protecting messages via symmetric encryption; however, even Hushmail has realised that OpenPGP compatability is the way to go, and has set up a site [hushtools.com] to allow PGP users to import their DH public keys to Hushmail (for use by hushmail users) and export their hushmail keys for upload to keyservers.

      With the inclusion of file storage into the pot, it looks like an attempt to take the Hushmail business model and run with it - but unless they move towards OpenPGP compatiability, they will almost certainly lose the interoperability war, and with it a lot of potential users.

    • Can't the private key be encrypted with a passphrase before storing it on the server?

      Then, when you wish to log in, the encrypted private key is downloaded into the client and decrypted with the passphrase. Thus the folks that run the server never see the private key.

      I'm not sure if that's the way Cryptohaven works, but many other services use this model.

    • or you must have some means of transporting the private key.
      I keep a copy of my PGP key rings on the MMC card that I use in my portable MP3 player. Alternatively I could store it on my Palm/TRGpro. For a while the Swatch Access watches with their RF contactless smartcard technology looked promising, but I don't think the reader/writer mousepad was ever released. There are many ways to transport tiny amounts of digital data.
  • A subscription service, so, you mean, an opensource company... making money? Blasphemy!
  • by ehikory ( 323540 )
    "...no third party key holder..."

    Actually, according to the web page, they do offer to act as the third party keyholder:

    "The private portion of the key is encrypted with user's pass-code and stored on the local computer or sent to the server at user's choice."

    If the private key is not sent to the server, then what is the benefit over any other service that allows remote email & storage (assuming others actually send emcrypted email and the user stores encrypted files)?

    Now, because their service agreement requires users not to store any illegal material, users cannot really store anything that is dangerous to governments. I don't know the details of Canadian law enough, but I would suspect that the RCMP (or other appropriate agency) would be able to collect
    the secret key and therefore decrypted data if they really wanted. Can someone tell me otherwise?
  • by imrdkl ( 302224 ) on Tuesday November 27, 2001 @09:08AM (#2618744) Homepage Journal
    The service and the product seem to be located and developed in Canada. I note that Canada is not a party to the CyberCrime Treaty [coe.int] which was discussed earlier [slashdot.org].

    Perhaps this is worth further investigation...

    The user interface is written in Java, and requires a 1.3 or higher runtime installed. The Windows installer has an optional 1.3 runtime included. By virtue of the Java client-side implementation, your private key is never sent, or seen by the server unless you choose to upload it in encrypted form. If you do decide to upload your private key, thereafter you rely only on SSL, presumably, to protect the password for your encrypted private key stored remotely.

    It's been awhile since I looked at Java's crypto. The 1.2 stuff was pretty lame, especially the keystore. But this implementation does at least seem to use RSA keys for Java, which means that the container may be better too.

    I dunno if I'd ever advise anyone to allow their keys to be stored on the server, no matter how many reassurances they get. However, for someone who simply wishes to share private mail with someone else, it might be nice.

    Things that remain unclear to me are:
    1. Can encrypted mail be sent to someone who does not have an account, using a ordinary PGP public key, for example?
    2. What protocol does the service use? Is it standard SMTP? (possibly with verification)
    3. Where does the encryption/signing of the delivered email actually occur? Presumably always on the client. 4. The Service Agreement [cryptoheaven.com] seems pretty, uh, tight. If you displease them in any way, all your rights, including access to your existing mail, is cutoff.

    Anyone actually using this service?

    • I dunno if I'd ever advise anyone to allow their keys to be stored on the server, no matter how many reassurances they get. However, for someone who simply wishes to share private mail with someone else, it might be nice.
      not entirely a bad thing - the security of the PGP secret keyring does not require secrecy of the file - if you really want it, I will mail you a copy - but *does* require that the key be encrypted and that a good, unguessable passphrase be used.
    • by leto ( 8058 )
      Wrong: reread the cybercrime URL you posted:

      Canada, Japan, South Africa and the United States, who took part in the drafting, also signed the treaty today.

      So, this means they (or at least their goverment) promises to help do key escrow etc. So the government will ask the key from cryptoheaven if they have it. There is no point in giving them they key at all. They cannot secure it. In fact, they should refuse all keys for this very reason.
      • Thanks for pointing that out.

        I shoulda used grep(1). Funny thing is, there was a thread in the discussion about the treaty, which give me the impression that Canada wasn't going along with it (the treaty). Something about pirating DirectTV signal, if I remember. Anyways, a good point was also made that, as long as the private key is encrypted, it's maybe ok to upload. But then you gotta trust SSL and the server-side actions. Better to keep your keys in your pocket, imho.

  • What's going on? Did the ./ editors just pick up a copy of Cryptonomicon today? First a story on Van Eck Phreaking, now the Crypt?
  • Why are these people offering encrypted email? You can easily do it yourself with PGP. Just get PGP For windows or unix [ipgp.com] here or look for the C-KT build for windows only (but with a nice GUI).

    Register your address on a keyserver, get a good email client, and off you go!

  • from the License Agreement:

    "You hereby agree to not use the Service to:

    1. transmit or store any Content that is unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable
    2. defame, abuse, harass, stalk, threaten or otherwise violate the legal rights of others;
    3. harm minors in any way;
    4. impersonate any person or entity, or falsely state or otherwise misrepresent your affiliation with a person or entity;
    5. email or otherwise transmit any Content that you do not have a right to transmit under any applicable law or under contractual or fiduciary relationships (such as inside information, proprietary and confidential information learned or disclosed as part of employment relationships or under nondisclosure agreements);
    6. post, email or otherwise transmit any Content that infringes any patent, trademark, trade secret, copyright or other proprietary rights of any party;
    7. upload, post, email or otherwise transmit any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes," or any other form of solicitation;
    8. upload, post, email or otherwise transmit any material that contains software viruses, trojan horses, worms, time bombs, or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;
    9. interfere with or disrupt the Service or servers or networks connected to the Service, or disobey any requirements, procedures, policies or regulations of networks connected to the Service;
    10. intentionally or unintentionally violate any applicable local, state, national or international law;
    11. harvest or otherwise collect information about others, including email addresses, without their consent"

    ...how would they know what I'm sending, if it's encrypted? Or was that just for law purposes?
  • It would have been wise to mention "Windows only" in the piece.

    ZipLip [ziplip.com] meets my needs quite well for now.

The best defense against logic is ignorance.

Working...