“IF YOU SPEND MORE ON COFFEE THAN ON IT SECURITY – YOU WILL BE HACKED FOR SURE”Quote: Richard Clarke, US Security Advisor
The FortKnoxster platform is an end-to-end encryption system leveraging on the Blockchain technology to establish secure and trusted communication links between its users.
All files and communications are encrypted in the senders’ browser before they are sent to the servers and stored in a decentralized storage. Decryption of data is only possible in the browser of the intended recipients. All communications and data are encrypted on all devices.
- Based on public key cryptography
- 256-bit AES encryption
- RSA 2048-bit key cryptography
- Elliptic Curve P-521 cryptography
- PBKDF2 key derivation with SHA-256 hashing
- Blockchain technology for decentralized trust of digital identities
- Decentralized p2p distributed storage
- Zero-knowledge architecture
- Only you have access to your private keys
- Confidentiality: Only the intended recipients have access to the data
- Integrity: All messages are verified for message authenticity to avoid tampering
- Digital signature: All messages are digitally signed and the senders’ identity is verified
A blockchain is a decentralized and open distributed ledger, recording financial transactions (or virtually anything of value) between two parties, on a peer-to-peer network. This continuously growing list of records is linked and secured with strong cryptography, making these transactions permanently verifiable and therefore incorruptible. Since the Blockchain is publicly verifiable, it provides such security and transparency that makes it ideal for many types of security applications.
FortKnoxster take advantage of these features which the Blockchain technology provides, by having a decentralized trust of digital identities and maintaining its own Public Key Infrastructure (PKI) which extends to the Ethereum Blockchain, where the user’s Digital Identity gets stored in a registry using Smart Contracts and cannot get compromised by a single entity, not even FortKnoxster.
Decentralised Cloud Storage
FortKnoxster’s entire storage infrastructure will be built in a decentralized distributed storage on a p2p network where users can rent their hard disk(s) and earn FKX tokens on storage usage and bandwidth usage. This is the equivalent of cryptocurrency mining, but instead of using the CPU/GPU to mine blocks, available hard disk storage is used to allocate FortKnoxster storage.
Removing centralized storage servers reduces storage cost and improves access speed and reliability. All encrypted files are spread across multiple nodes and replicated multiple times. No single host holds any significant piece of a file or any complete file. It is a decentralized distributed storage p2p network where all files are end-to-end encrypted using keys that only the uploader holds.
Password & Encryption Keys
Our architecture is based on a number of keys protected by your password, to keep your communications private and secure. It is very important to understand that the plain password is never sent to the servers.
The Account Password is a cryptographic hash of the plain password using the PBKDF2 algorithm with SHA-256 as the hashing algorithm which performs 10.000 rounds of hashing operations (key stretching) and takes the username@domain as a salt. The outcome is 64 characters long and strong password which is sent to the server and stored in the user record as a cryptographic hash using the BCRYPT key derivation function. This password is only used to authenticate the user when logging in, and cannot decrypt any of the users’ data.
The Root Key is computed the exact same way as the Account Password, but takes a different salt, a randomly generated salt, in the hashing function and therefore is a completely different “password” than the Account Password. The 64-character Root Key creates a 32-byte AES key which is used to encrypt/wrap a Key Protector using AES-KW. A Key Protector is a randomly generated 32-byte key used for encrypting/wrapping and decryption/unwrapping private key material in a Key Container using AES 256-bit encryption in GCM mode.
For a full overview of the key management and crypto design, please read our white paper.
FortKnoxster uses strong end-to-end encryption, meaning that nobody can understand or read any of your encrypted data stored on the servers except for the intended recipient(s). This particular design makes sure that nothing is sent from you until it has been encrypted and it is never decrypted until unlocked using your private key (or the intended recipients in case of emails and shared files).
The encryption is done on the client side and ONLY encrypted information is passed to the servers. The data stored on the servers is very secure because it cannot be decrypted by anyone without the encryption key.
The keys to encrypted data are generated in the browser, encrypted using the recipient(s) public key, sent to the server over an encrypted connection and stored on the servers. These keys can only be decrypted in the recipients’ browser using the recipient’s private key which is protected by the recipients’ password.
A common problem in encryption systems, is the secure key exchange of public keys between users, making sure that the obtained key indeed belongs to the intended recipient.
FortKnoxster protects against such potential Man-In-The-Middle (MITM) attacks, by leveraging on the Blockchain technology in conjunction with a self-signed contact list.
Each user keeps a contact list where each contact record is digitally signed with the user’s Private Identity Key and contains all the contact details such as name, user id and the public keys. The contact gets digitally signed during a contact request/accept process. This process involves retrieving the contact’s Digital Identity from the Blockchain and verify it in the client by computing the same Public Key Fingerprint from the contacts public keys and then verify the Signature with the contact’s Public Identity Key.
Once the contact is verified, it is then signed and added to the user’s own contact list. From then on, the user can trust this contact and will verify the contact before using its public keys to exchange messages, files or calls.