End-to-end email encryption with no central point of attack
A seamless, easy-to-use, and secure end-to-end encrypted business collaboration tool with no central point of attack is a holy grail for every business, and Boston-based security company PreVeil believes they have the right solution on hand.
“The idea of PreVeil came from realizing that, even though end-to-end encryption provides many benefits and this concept existed for many years, it is still largely not used in common collaboration tools, and a good business solution still does not exist,” Raluca Ada Popa, Founder and CTO at PreVeil, tells me.
“The main reason is that existing solutions are hard to use or integrate poorly with the tools users use already, so users naturally tend not to use them. Moreover, providing a solution for document sharing is much more challenging than for messaging or email, because users modify documents and can change who can access a document.”
Popa is an assistant professor of computer science at UC Berkeley with a specialization in computer security, and she earned her PhD from MIT doing research very much related to PreVeil.
Her research group at Berkeley focuses on building more secure systems with the help of cryptography. The idea is to keep the data encrypted for as long as possible, and end-to-end encryption is a common theme that permeates her work.
“I also worked on making such encryption easy to use or functional, such as by allowing computation to happen on encrypted data. We designed a set of different systems for this purpose, such as CryptDB, Mylar, or Opaque, some of which already had industry adoption.
Key safety
“The main challenge is the tension between end-to-end encryption and ease of use, which manifests itself in many ways,” she says.
“Just to give one example, consider what happens if a user loses their decryption key. Since with end-to-end encryption, the servers should never receive this key (not even to back it up), the user might lose access to their data. Many companies and individual users would not want to use such a system. Hence, some existing tools compromise on the ‘end-to-end’ property and backup the key at the server. This is dangerous because a server attacker can simply steal the encrypted data together with the decryption key, and decrypt the data!”
This is why they had to come up with new techniques that permit key recovery, but do not sacrifice end-to-end encryption. This is how PreVeil’s Approval Groups feature was born.
“Approval Groups enable a user, say Alice, to recover or change her private key when she loses this key or one of her devices gets stolen,” Popa explains.
“Alice designates a set of users she trusts, called the approval group, to help her with this process. Each user will receive a ‘piece’ of the key from Alice, but cannot reconstruct Alice’s key or access her data using this piece. Alice can designate that a certain number of these users need to approve the recovery of Alice’s key. When Alice loses her key she contacts them, to obtain the pieces from them, which enables her to reconstruct and change her key.”
The reconstruction algorithm is based on Shamir secret sharing, a famous algorithm in cryptography. Of course, all this happens within the PreVeil client software and what they expose to the user is a friendly and simple interface.
They have put much work into making this algorithm easy to use and to integrate it safely within all kinds of situations that might arise, e.g., when a member of the approval group itself loses their key.
But is there a scenario in which the user can lose the key and permanently lose access to the emails and files she exchanged using the solution?
“Within a proper use, we think that the likelihood of such a situation is very small. As soon as a user joins PreVeil, PreVeil emails the user to setup an approval group. If the user does not setup such a group and does not backup her private key, the user risks losing access to her data. If the user sets up an approval group as she should, even if she loses access to her key, the approval group will help the user reconstruct her key,” she explains.
“If the stars align to that the user loses her key and a bunch of her approval group members also lose access their keys in the same time period, the user can lose access to her account. But we believe this to be a very rare occurrence if a user chooses their approval group carefully. Especially since as soon as any user indicates loss of their key, PreVeil helps them recover it. In a corporate setting where approval groups are chosen with care, this should virtually not happen.”
And if a device gets stolen, the Approval Groups feature again comes in hand when the user must change their private key (as the copy on the stolen device is considered compromised). The user can declare which devices were lost and the PreVeil server will disallow data access from these devices.
Integration with existing, widely used software
PreVeil, which currently exists as an offering for Windows, Mac, and iOS, offers end-to-end encrypted email, but works in conjunction with mail applications like Outlook and Apple Mail, or can be used when you access your email from a web browser. When you use Outlook or Apple Mail, it automatically adds a new inbox for your encrypted messages.
“The idea is that the PreVeil local client on a user’s machine also has a local IMAP and SMTP process that behave as a server for the PreVeil email account,” Popa explains.
“Outlook and Apple Mail get configured to send encrypted traffic to these local services instead of the remote service. These services encrypt all the emails before sending them out of the user’s machine, thus providing end-to-end encryption. It’s a fun systems trick, and it makes a big difference in the user’s experience with PreVeil because they can still use their everyday applications.”
The emails are stored, in encrypted form, on PreVeil’s servers hosted by Amazon, and the company does not have the keys needed to decrypt them. Each document or message is encrypted with its own unique key, using the XSalsa20 stream cipher, and even file names and email subjects are encrypted. They keys are stored only on the users’ devices.
At the moment, though, only the email service for individuals is available.
PreVeil users can invite other users to create an account for free and, thus, exchange encrypted communications and files, but Popa believes the thing that will make this solution successful and widespread is the fact that it integrates with existing mail clients and file systems (Mac Finder and Windows File Explorer) for document sharing.
“In a few months, we are rolling out the document sharing for everyone as well as our business interfaces to all these tools. What we can say so far, though, is that the public beta of our email and the private beta of our doc sharing are being used (or tried respectively) by many users and companies we have been in touch with, and we are getting very encouraging feedback,” she tells me.
“We expect to continue to offer a free version of our product for the foreseeable future. After beta, there will be paid versions providing additional storage and enterprise features. And the development pipeline is full with additional collaboration services (like chat), APIs for developers to use PreVeil encryption and key management, and additional features for enterprise management.”