A closer look at end-to-end encryption

We send millions of files each single day - what about security?


We send millions of files each single day. Based on SimilarWeb data the most used platforms to share and host files are:

  1. Imgur
  2. Dropbox
  3. Mega.nz
  4. Mediafire.com
  5. Savefrom.net
  6. Box.com

But what about security of these services?
Who has access to your data?

For a closer look we need to break down the transfer of our files into different phases.

Phase 1: Data-transfer encryption

In this example we analyzed Box.com. Each single file that is sent to Box.com is encrypted by a secure channel established by the use o TLS.
When we download a file from Box.com the transfer is encrypted by the use of TLS as well - this is called Security for data in transit.

Box TLS

As you can see above the connection to Box.com is encrypted by the use of a valid certificate. More information about TLS, security of data in transit and more can be found here.

Phase 2: Data at rest

Sending our files is encrypted. Great!
But what about the files stored in the cloud?
Who has access to our files? How can we grant access (or restrict it)?

Well to be honest: This is WAY MORE complicated.
Most providers claim that they encrypt the files stored on their servers. But as it is very hard - or nearly impossible - to proof that Box.com, Dropbox.com, Imgur and other services are encrypting our files before storing them on their servers.

To be on the safe side a plethora of services has been developed to ensure privacy for our confidential files:

  1. Cryptomator
  2. BoxCryptor
  3. VeraCrypt
  4. and more...

All of these services work the same way: The encrypt our files locally and send the encrypted files afterwards to the cloud service.

Whereas this approach is safe, it is not very handy to use. These services need to be installed locally on any device (smartphone and laptop) and need to be connected to your personal cloud storage account.

Can we do better?

Yes, we can!
With a simple yet clever trick we can take file sharing security to the next level:
Let's split the original file into different data chunks!

Send files securely with SecureBeam: Step 1

Let's see how we can make use of this simple yet clever trick right here in the browser.

The most secure way to share files with SecureBeam

Click on SecureBeam add files to send
by clicking the button Add files.

Send files securely with SecureBeam: Step 1

Choose your local files from your Mac or PC to send securely to your friends or colleagues.

We choose Confidential.pdf in this example.

Send files securely with SecureBeam: Step 2

After choosing all files click on the button Beam to kick off the magic.

SecureBeam now encrypts each single file by the use of your browsers internal (and standardized) Web Crypto API.
After the encryption is finished - usually it takes only a few milliseconds - SecureBeam splits Confidential.pdf in three different data chunks.
Each single data chunk is then transferred to a different Cloud-Storage Service.

Currently SecureBeam supports the following Cloud Storage Services:

We are working on the integration of further Cloud-Storage Services. If you miss your favorite Cloud-Storage Service drop us a line on Twitter. We are here to help!

But let's get back to our Confidential.pdf file.
This file is now encrypted, split up into three different data chunks and each single data chunk is transferred to a different Cloud-Storage Service.

And the important part. The file is NOT ACCESSIBLE for all these parties:

  • The Cloud-Storage Service Providers: They just store a single data chunk of the original file. And even this single data chunk is encrypted.
  • Even we as developers are not able to access the file contents of Confidential.pdf

SecureBeam generated a link after beaming Confidential.pdf:

Why is this link secure?

Pretty simple:
The link stores the key as Link Fragment.
Link Fragments are never transmitted to the server, they will only be interpreted locally by the browser. More information to Link Fragments can be found in the RFC 1808 (Section 2.4.1) of the IETF.

With this simple yet clever trick we guarantee secure key exchange - a crucial aspect in secure data management.

But what's inside of the generated link?
The link contains a JWT (JSON Web Token, more information can be found here) which encodes the following information:

  • The AES key used to encrypt the files
  • The links to the splits where the data chunks are stored
  • Some more meta-information (filenames, sizes, etc.)

You can take a look for yourself easily by posting the JWT on JWT - transparency is an important aspect of good security design.

And now the most important part:
Everybody who has access to this link has access to the shared files.
BUT:
ONLY users who have access to this link are able to open the files.
Nobody else. Not even we as developers. And no Cloud-Storage Service provider.

Only you.
And the person you send this link to.
And that's how it should be ;)

Do you have any question or feedback for SecureBeam? Reach out to us on Twitter! We are here to help!