BLOG

Don’t just move the problem, solve it!

Published May 14, 2020

Share sensitive data easily and securely with VoltShare.

How many times have you found yourself emailing a sensitive file to your accountant, lawyer, friend, relative, or co-worker and immediately feeling remorseful? Or perhaps you uploaded the file to some cloud storage provider and emailed or Slacked the link. You have tried some password-based encryption programs only to find that they are buggy, hard to work with, and most importantly, don’t really solve the problem — they just move the problem from securely sharing the file to securely sharing the encryption password. You have been reading about all sorts of privacy and security breaches and your cynical alter ego has almost convinced you to give up on security. Sound familiar?

comic_small_clear

Sharing sensitive/secret information is not a new problem. In fact, the problem not only predates today’s digital age, but also played a major role in shaping how our world looks today. Your compromised secrets may not necessarily make you lose a war, but they may bring you nightmares like identity theft, privacy breach, or blackmail. At work, compromised secrets may mean that your systems are hacked, intellectual property is stolen, customer data is leaked, compliance audit fails, and yes, you get the boot! 

Now you are trapped between your cynical alter ego and the real-world. This is what brings that remorse, the feeling of knowing that you are taking a risk that can come back to bite you…hard! Perhaps you made that choice because you are tired of being on the phone for 15 mins every time you send someone a password-encrypted file and explain to them how to download the right tool and make sure that they jot down the password correctly. Perhaps it is because you can’t seem to forget the time when you had to send that one sensitive file to the whole team and you spent your lunch hour encrypting it 20 times — once per each recipient’s PGP key. Or you have just given up on PGP and similar solutions because you can’t possibly explain the technology to your non-Ph.D. friends — and you can’t keep your keyring sane either.

As you try to shake off that remorse hoping nothing bad happens, you can’t help but wonder, “Why do I have to choose between security and usability? Why do I have to trust any third party with my data? Why do I have to use these geeky tools? How come there is not a better way to do this?”

Enter VoltShare

No passwords, no keys, no geeky tools, no trusting a third party with your data…no remorse. Just email address — yes, all you need to know is the email addresses of the people you want to share your sensitive information with, that’s it! The best part — it’s for free, forever!

VoltShare gives you a simple GUI-based app to pick your file/text, enter the recipients’ email addresses, click Encrypt — and out comes an encrypted file/text that you can email, Slack, WhatsApp, DropBox, or even snail mail to the recipients. No matter how many recipients you have, you only do this once and you share the exact same encrypted file with all recipients simultaneously. You can even specify the expiry time before which recipients have to decrypt the data.

voltshare_encryption

On the decryption side, things are even simpler. Simply pick the encrypted file/text in the VoltShare GUI app, click Decrypt and out comes the original file/text if the person decrypting is one of the allowed recipients in the list.

voltshare-decryption

VoltShare simply needs users to log in using one of the supported identity providers — Google, FaceBook, or GitHub. Users can also sign up directly with VoltShare (coming soon) using their email address if they don’t want to use any of the identity providers. In the entire experience of using VoltShare, users are never required to choose any passwords, upload or sync any public or private keys, or even trust VoltShare’s SaaS platform with any data.

In fact, the sensitive data — clear or encrypted — never leaves the users’ machines during encryption or decryption. Voltshare also chunks the data securely to minimize the RAM usage during the encryption/decryption operations and that allows VoltShare to handle large files — even in GBs.

The Enterprise version of VoltShare adds governance capabilities like company single sign-on (SSO) integration, policy override, dashboards and alerts that can help you monitor and control secret sharing within your company if you are the administrator.

If you are a developer, VoltShare’s SDK and APIs are available to integrate this functionality directly in your applications. You can now deliver end-to-end encryption with policy-based controls without worrying about the details of implementing data security, privacy, and key management.

With this introduction, you can jump to VoltShare webpage to download and start using the VoltShare app to experience this simplicity yourself. You can also find more information and FAQs on the webpage. If you are interested in the geeky security details of the system, read on…

What the Crypto!

Since you decided to stick around, you deserve full transparency and details.

Let’s start by stating that VoltShare uses state-of-the-art cryptography like 256-bit AES-GCM and 2048-bit RSA as the foundation. However, there are 2 main design aspects that set VoltShare apart from all other solutions and enable VoltShare to offer passwordless group-sharing without trusting any third party with the data:

  1. Ability to include multiple identities (in case of users — email addresses) in the encryption math sans keyring
  2. VoltShare’s SaaS backend performs blind decryption, which ensures that VoltShare never requires the shared data or its encryption key, in clear or encrypted format, to leave the users’ machines.
woltshare-feature-1

Encryption Operation

Every encryption operation creates a random 256-bit key and a random 96-bit encryption nonce for AES-GCM encryption of the sensitive data. VoltShare smartly uses the AEAD capability of AES-GCM and cryptographically ties the secret’s metadata to the encryption of the sensitive data. This way, if the integrity of the encrypted data is compromised, the decryption fails. The data is also chunked and chained to securely process large files.

Once the data is encrypted, VoltShare uses public-key cryptography operations in conjunction with the policy information and secret metadata to encrypt the AES-GCM key and nonce — locally on the user’s machine. Finally, everything is put together to produce the output file.

At this point, the encrypted file is completely protected and can be transported to the recipients by any means without worrying about the security of the underlying systems.

Decryption Operation

Decryption process is where VoltShare shines the most. The reason for this is the unique ability of VoltShare to get the AES-GCM key and nonce of the encrypted file decrypted from VoltShare’s SaaS backend without the backend ever knowing a single bit of information about the key or nonce. In cryptography, this is known as blinding.

When the receiver of the encrypted file attempts decryption, it first authenticates with the VoltShare SaaS backend and then adds a random number (blinding factor) in the mix before sending the AES-GCM key and the nonce to the VoltShare SaaS backend. The SaaS backend which holds the decryption key can only see the user’s identity, policy information, and some random-looking bytes. If the policy allows the decryption, the backend performs decryption resulting in another set of random-looking bytes (and not the original AES-GCM key and nonce). Once the receiver receives the response, it is able to recover the AES-GCM key and nonce by reversing the blinding factor computation.

Once the AES-GCM key is recovered, the original data can be recovered locally using the secret metadata along with the key and nonce.

There, you have it. All the protection you need for your sensitive data without trusting a third-party. Remember, the data never leaves your machine and never seen by VoltShare SaaS!

Feel free to download, experience, use, promote, and even try to break the VoltShare encryption. If you think you have identified something clever, send us a note on security@ves.io.