Security Functions

Lockbox is engineered to raise the bar on the "status quo" of the secure file-sharing and collaboration industry. We believe that good security and privacy does not need to be "given away" in order to get convenience and ease of use. This section describes how Lockbox has "gone the extra mile" by utilising stronger security and privacy foundations than is common in the industry.

Comparisons

The following table summarises Lockbox's approach compared to other secure file-sharing solutions.

The above principles are further described below.

Authentication

Authentication may be simple, such as using a password, or strong, such as using certificate-based credentials.

• Most secure file-sharing services use simple authentication via a server-side password over a SSL (secure sockets layer) encrypted link. This means that the user password is known by the server and needs to be passed "over the wire" to the server.
• Lockbox uses a stronger method of authentication via mutual SSL (sometimes called client-authenticated SSL or two-way SSL). Mutual SSL provides the same link encryption capability as normal SSL, but additionally provides certificate-based client authentication and non-repudiation using digital signatures.

On registration, client-side certificates are created and stored in a local encrypted keystore. When a user "logs in", a passphrase is used to unlock the local keystore. Inside the keystore are strong keys used for encryption, signing communications and certificate management. Once the keystore is unlocked, the communication keys are used to establish a mutual SSL session. 

The security advantages of this approach include:

• The local keystore effectively gives two factor authentication. That is, what the user "has", being the keystore, and what the user "knows", being the passphrase.
• The mutual SSL connection ensures that both the server and client are strongly authenticated.
• The keystore enables the use of very strong cryptographic keys for the authentication.
• Lockbox servers need not know any user passwords and passwords are not transmitted "over the wire".

Privacy and Confidentiality

Privacy and confidentiality may be based on "trusting" server-side encryption, or it may be "enforced" by using client-side encryption.

• Most secure file-sharing services use (simple) SSL to protect "data in motion" as it is transferred between end-user and the service. Many also use server-side encryption to protect "data at rest" and this necessitates procedures to try to reduce the opportunity for system administrators to access the server-side encryption keys in order to decrypt and access user files.
• Lockbox achieves a stronger level of privacy and confidentiality using client-side encryption. In this case, Lockbox can ensure end-to-end privacy, as information is always encrypted for the entire journey, from end-user to end-user. It also ensures that all encryption keys are controlled by end-users.

Client-side encryption gives much more privacy and confidentiality than server-side encryption for the following reasons: 

• Client-side encryption gives "end-to-end" assurance of privacy as any intermediate server can never have access to unencrypted information.
• Client-side encryption significantly reduces administrator risk, as administrators of the service do not have access to encryption keys.

Authorisation and Access Controls

Authorisation and access controls may be based on ACLs (access control lists) or capabilities, such as possession of keys.

• Most secure file-sharing systems store user files in server-protected storage and allow users to grant access to other users using ACLs. Such services necessarily require procedures to ensure that administrators cannot override or insert themselves into user-defined ACLs.
• A stronger method of access control are ones based on "capabilities". In Lockbox's capability-based system, holding an appropriate encryption key is the only way to access an encrypted file. (This is analogous to giving someone a key to your house, rather than employing a security guard at the door with a list of people allowed into your house). In order for one user to grant another user access to their information, Lockbox provides a way of securely distributing keys to other end-users using a two factor invitation process.

Advantages of using capability based access controls include:

• Client-side encryption significantly reduces administrator risk, as there are no ACLs for administrators to override or change.
• There is much more assurance about is being given access, as the Lockbox owner uses a two-factor invitation process in order to ensure proof of identity.

Lockbox also elegantly handles dynamic groups and deprovisioning. Whenever a user is "uninvited" from a workspace, a new workspace key is generated and only distributed to the remaining users. (The distribution is highly secure as the new workspace key is encrypted with the end user's certificate and passed directly to that user).

Integrity and Authenticity

Unlike nearly all other secure file-sharing services, Lockbox employs client-side digital signatures and signed code in order to ensure document integrity and authenticity.

• All Lockbox documents are digitally signed, compressed and encrypted before being uploaded to a Lockbox. The digital signature provides proof of originator of the document and also that the document has not been tampered with.
• All client code that performs cryptographic operations is code signed to minimize the possibility of a man-in-the-middle attack. 

Administrative Controls

Most secure file-sharing services require considerable procedural controls because their systems do most, if not nearly all, of their processing server-side. As such, there needs to be stringent controls on administrator access and their ability to change passwords, manage encryption keys and interrogate network monitoring tools. This may be relatively difficult, as evidenced by the frequent news items about inadvertent or malicious disclosure of information or external hacking.

While Lockbox also has administrator controls, the opportunity for abuse is significantly less for the following reasons:

• All keys and encryption are managed client-side. So there is effectively no scope for administrators to interfere.
• All keys are duty specific, for example, Lockbox maintains separate keys for signing, encryption, communications, email, certificate management, documents, workspaces and communities.
• All data is strictly compartmentalised and the cryptography ensures that Lockboxes are completely isolated from each other.

Cryptographic Standards

Most secure file-sharing services just support simple SSL for communications and AES-256 (or similar) for server-side encryption.

Because Lockbox has a more expansive privacy and security infrastructure, Lockbox supports the following cryptographic standards:

• Communications - TLS/SSL (both simple and client-authenticated), CMS (RFC 5652)
• Encryption Algorithms - AES-256, RSA 1024 (SSL), RSA 2048 (encryption and signing)
• Certificates – X.509
• Certificate management – OCSP (RFC 2560), CMP (RFC 4210), CRMF (RFC 4211)

Note that other algorithms and key sizes can easily be configured in a custom implementation of Lockbox.