CryptoHeaven?

http://www.cryptoheaven.com/

Fact or fantasy?

 

DarkStar,

A little more specific? I know a little about CryptoHeaven (based in Canada) - but not clear what you are asking is fact or fantasy.

Thanks!!

John
Luv2BSecure

 

Well, John - Do they live up to what they're advertising?

Are they reputable and trustworthy?

Do their encryption claims sound state-of-the-art?

Is this something aimed at corporate-only enterprises - or would/will it work equally well for private individuals?

Do they really make it easy on the users?

What're the chances of its' use becoming widespread? (We can't even get people to use freeware PGP).

Conversely, if only a relative handful of people use it, what're the chances of them drawing excessive attention to themselves by doing so?

If they have government contracts, are they forced to provide a listing of all subscribers to whatever government for security reasons?

(I like the fact that they're based in Canada - perhaps less of a chance of them caving in to U.S. government pressure to either back-door or roll-over on their clients?).

 

DarkStar,

I've been using CryptoHeaven for some time now and will try to answer some of your questions.

They certainly advertise something they are offering. Do u mean functionality? Yes. Security? Yes....

I don't know much about encryption, but I heard from others(security professionals) that it's very strong (2048 to 4096 bit asymmetric and 256 bit symmetric key encryption ), Besides, their client source code is released so I don't think they would do that if they were not offering in their code what they advertise.

I am using it privately. They have private and corporate accounts.

Well, PGP is hard to use, CryptoHeaven uses transparent encryption. Basically, your data is encrypted behind the scenes. One can simply use the product (send email, chat...) and not even think that he needs to do something extra for this to be secure.

When I was singing up, I didn't have to provide any personal info for CryptoHeaven.

You can have an option of storing keys on your computer...and keys are encrypted with your password. Data is being encrypted with your keys before it leaves your computer. I don't see a way of back-door.

 

Some thoughts

It appears to work only for sending email to other cyptoheaven users?

Looks like Hushmail. There is another web-based service I forgot the name that works even sending encryped mail has longer has receiver uses PGP




Technical explaination follows..As far as i can make it, it works a little like SSL to create a secure channel to crptoheaven then does the normal PGP like functions for email.

But it doesnt say how we know the server is not being spoofed..The client can be checked for tampering using the hash diget but is that enough?

I'm not an expert though...

==============================

When a new user account is created, the user generates his personal private/public key pair. The public portion of the key is then sent to the server where it can be picked up by others connecting to the system. The private portion of the key is encrypted with user's pass-code and stored on the local computer or sent to the server at user's choice. When the encrypted private key resides on the server, user benefits from ability to access his account from anywhere in the world through the Internet.

The user's software uses the private key portion directly or indirectly to decrypt all of the data stored on the server. Other Clients use the public portion of a user's asymmetric key to send messages - if they are authorized to do so through active contacts.

Secured communication starts with the server sending the client a one-time short-term randomly generated session key encrypted with user’s public key. Client uses his private key to decrypt the session key by applying his pass-code and Rijndael(256) algorithm. From that point on, everything passing through the communication channel is encrypted using that key. The communication layer - sitting between the application and the network, automatically encrypts and decrypts all communications on both, the client and the server. The communication protocol protects data confidentiality, protects against packet dropping, reordering, or any other modification.

Data encryption layer provides second level of security encrypting all of the data content directly or indirectly with recipients’ public keys. This ensures that when the packets are received at the server and stored in our Data Center, nobody can decrypt the contents except for the designated recipients.


Going a little bit deeper into the technical aspect, every folder has its own symmetric encryption key with which all of its content is encrypted. This encryption key is not stored anywhere in its plain form; it is instead encrypted with public portions of asymmetric keys of the individuals who have access to the folder. In this manner only the selected individuals who created the folder, or were granted access to the folder by its creator are able to decrypt folder's content.

All files, messages and contacts, including the names and descriptions, uploaded and stored on the server are encrypted with their own symmetric keys. Their symmetric keys are in turn encrypted with the folder's key. Only the people who possess private keys, which decrypt asymmetrically encrypted folder keys, can gain access to the records.

When a new message is sent to the recipient, the message's symmetric key is encrypted with recipient's public key. Only the designated recipients, using their private keys, can decrypt the message. Message attachments are treated as part of the message and are similarly encry

 

CryptoHeaven is far more than Hushmail. Except for sending email, it can be used to store, and share files with your contacts and for chat.

P.S. You can communicate securely with only other cryptoheaven users. but you have an option of sending unencrypted email outside of cryptoheaven network, too