Forums Community Some questions Reply To: Some questions

#4901 Reply

Svante
Keymaster

Hello Stephen,

Well – I can’t say you didn’t do your homework ;-) I’ll try to respond, but to be honest, it’s a little hard to determine exactly what the questions are. But I’ll try. All answers assume that AxCrypt is used in online mode. (There are some variations to the theme in offline mode.) For followups, can you perhaps be careful to distinguish background info and assertions, from the actual questions? I try to answer, but it’s easy to miss something when the questions are not clearly separated and stated.

Q: Is the encryption password the same as the web sign in password?

A: Yes, when signed in to AxCrypt, all *encryption* is done using that password which is also the same as the web sign in. See below for details.

Q: What does password reset do?

A: It creates a new key pair, and encrypts the private key with the new password. The old key pair is kept around, should you ever change back to the original password.

Q: Can a hacker change the password to your files?

A: No. A hacker with control over your email can *reset* the password to the server (see above). This does not change anything or let the hacker open your encrypted files. Once you have regained control over your email, you can reset the password back to the original.

Q: Can a trial user open/encrypt/modify files key shared with them after the trial expires?

A: Yes. New encryption operations will use AES-128, but otherwise it all keeps on working.

Q: Can you change your password and also invalidate the old one for all old files?

A: No, not really. It’s complicated. See below for a technical explanation of how file encryption works.

How does file encryption with AxCrypt 2 and AxCrypt ID work?

An AxCrypt ID is a public key pair, using RSA-4096. The public key is used for encryption, and is non-secret. The private key is used for decryption, and is kept encrypted using your sign in / web password.

When a file is encrypted, the following operations take place:

1) A random 128 or 256-bit key is generated. We call this the file master key (or session key).

2) The file content is encrypted using this master key, and the encrypted data is stored in the .axx file.

3) The file master key is ‘wrapped’, i.e. iteratively encrypted using AES and a key derived from your sign in password. This wrapped file master key is also stored in the .axx file, as headers and trailers.

4) The file master key is also encrypted using your AxCrypt ID public key. This encrypted file master key is also stored in the .axx file, as headers and trailers.

5) (optional) The file master key is also encrypted using key sharing recipients’ AxCrypt ID public keys. These encrypted file master keys are also stored in the .axx file, as headers and trailers.

When you change your password, your private key is decrypted using the old password, and then encrypted again using your new password.

When you sign in, the password is verified by attempting to decrypt your private key.

When you decrypt a file, we first try to decrypt the file master key using your private key (decrypted since you’re signed in). If this works, we decrypt the file contents using the now decrypted file master key.

If that does not work, we try to use the sign in password to decrypt the iteratively wrapped encrypted file master key as described above. If this works, we decrypt the file contents using the now decrypted file master key.

If this does not work – we prompt you for a different password.