January 8, 2018
Warning – this is a rather technical post ;-) It’s only for those really interested in some of the inner workings of AxCrypt.
We often use the term AxCrypt ID rather loosely to refer to an account with us, which lets you sign in to our web site etc. using your email address and password.
Actually, it’s more than that. Technically, an AxCrypt ID is an RSA-4096 key pair.
A key pair is a concept used in public key, or asymmetric, cryptography. In this type of cryptography there are two related keys with the following properties:
- A public key – this key is non-secret and can be used by anyone to encrypt data. But it can’t be used to decrypt anything! We sometimes call this a sharing key.
- A private key – this key must be secret and is required in order to decrypt any data encrypted using the public key. We sometimes call this a secret key.
- Knowing the public key, it is computationally infeasible (i.e. impossible in layman’s terms) to derive the private key.
When we encrypt any file using AxCrypt, we do so using AES-128/-256. This is a strong symmetric encryption algorithm, with a single key used for both encryption and decryption.
In principle, the process when AxCrypt encrypts a file is as follows:
- A random 128- or 256-bit session key is generated each time a file is encrypted.
- The file data is encrypted using AES and the session key.
- The session key is encrypted with your password, using a special key wrap algorithm, with AES at the core. This encrypted session key is added to the encrypted file.
- The session key is encrypted with your AxCrypt ID public key, using RSA-4096. This encrypted session key is added to the encrypted file.
- The session key is encrypted with the AxCrypt ID public key of any other AxCrypt users you’ve chosen to key share the file with. These encrypted session keys are added to the encrypted file.
To decrypt a file, AxCrypt in principle does the following:
- Take your password, find the session key encrypted with a password above, and try to decrypt it. If successful, the decrypted session key is used to decrypt the file.
- Take your private AxCrypt ID key, find all session keys encrypted with an AxCrypt ID public key, and try to decrypt each. If any of them succeeds, the decrypted session key is used to decrypt the file.
So where does this key pair come from, and how is the private key protected?
The key pair is typically generated on our server when an account is created. The private key is temporarily encrypted using our local system key. Once you sign on and set your password, we re-encrypt it using your password.
The private key, when encrypted, is actually encrypted as an AxCrypt file of course – but only using your password to encrypt the session key as above. We don’t use any public keys for this encryption.
Normally, then, the process is:
- You sign up for an account. We generate and create a key pair on our server, and encrypt the private key temporarily.
- You set your password. We re-encrypt the private key with your password. At this point no-one can recover your private key without knowing your password. Not us, not anyone else.
- You sign in with an AxCrypt app. The app contacts our server, and downloads the key pair – both private and public keys – from the server. The private key is kept encrypted.
- Whenever opening a file using your sign in password fails, AxCrypt will decrypt the private key, and attempt to decrypt the session key as described above. This will enable you to open files key shared with you, as well as older files encrypted with an earlier password if you have changed the password since then (note: changed – not reset).
Changing your AxCrypt ID password in effect means that we take your private key, decrypt it using the old password and then re-encrypt it using the new password. This is how a password change will enable you to open old AxCrypt-encrypted files. Note that they will still in fact open using the old password as well! This is also why you are never dependent on our servers. If you know the original password, you can always open the file. If you have a synchronized copy of the encrypted private key available, you can open any file as long as you have the current password.
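The encrypt and decrypt steps above, and the point that a file still opens after a password change, as an added Node.js sketch (not AxCrypt's code or file format). AES-256-GCM keyed via scrypt stands in for AxCrypt's AES key wrap, RSA uses OAEP, the function names are hypothetical, and the private key is held unencrypted in memory for brevity.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM seals the file body and doubles as a stand-in key wrap.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on a wrong key
}
const kek = (password, salt) => crypto.scryptSync(password, salt, 32);
const oaep = (key) => ({ key, oaepHash: 'sha256' });

function encryptFile(data, password, publicKeys) {
  const sessionKey = crypto.randomBytes(32); // fresh for every encryption
  const salt = crypto.randomBytes(16);
  return {
    body: seal(sessionKey, data),
    salt,
    byPassword: seal(kek(password, salt), sessionKey),
    byPublicKey: publicKeys.map((pk) => crypto.publicEncrypt(oaep(pk), sessionKey)),
  };
}

function decryptFile(file, password, privateKey) {
  // 1. Try the password-wrapped session key.
  try { return unseal(unseal(kek(password, file.salt), file.byPassword), file.body); }
  catch { /* not this file's password: fall back to the key pair */ }
  for (const wrapped of file.byPublicKey) { // 2. Try every RSA-wrapped copy.
    try { return unseal(crypto.privateDecrypt(oaep(privateKey), wrapped), file.body); }
    catch { /* this copy was wrapped for someone else's key */ }
  }
  return null; // no copy of the session key could be unwrapped
}

function demo() { // constructed data; 2048-bit keys for speed, the post specifies RSA-4096
  const gen = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [owner, friend, stranger] = [gen(), gen(), gen()];
  const file = encryptFile(Buffer.from('constructed sample'), 'old-password',
    [owner.publicKey, friend.publicKey]);
  return {
    afterPasswordChange: decryptFile(file, 'new-password', owner.privateKey),
    sharedWithFriend: decryptFile(file, 'friend-password', friend.privateKey),
    originalPassword: decryptFile(file, 'old-password', stranger.privateKey),
    stranger: decryptFile(file, 'guess', stranger.privateKey),
  };
}
console.log(demo());
```

`afterPasswordChange` succeeds only through the RSA-wrapped copy of the session key, which is why old files stay readable as long as the private key itself survives the password change.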
All of this key management is done automatically and behind the scenes by AxCrypt, entirely transparently as long as you allow AxCrypt to access our servers.
For advanced users who fully understand the above mechanisms, it is possible to do all of this without our servers. It’s possible to generate AxCrypt ID key pairs, export them, import them etc. We do not recommend that anyone actually do this, since a mistake or misunderstanding can easily lead to data loss or inability to use AxCrypt.
All of the above is a simplified version of the process. Many additional details are actually included to ensure security, and to handle various synchronization scenarios, password reset events etc. For full details read the technical documentation.