INTRODUCTION

CryptoExpress software provides a fast ('express') provisioning communications suite using the highest-grade cryptography.

This user-friendly system where no third parties, including server administrators have access to a plain text version of any user information. Information is stored in encrypted form on the server as generated by the client, and only the sender and the recipient possess the keys to gain access to the information. Having the entire logs of all transmissions made and all of the data stored on the server, does not give access to the plain text version of information.

Some of the features of the service include secure document storage, secure document sharing and distribution, secure message boards, secure e-mail, and secure instant messaging. All services fully encrypted using the latest technology including an AES symmetric cipher Rijndael with 256 bit encryption keys, SHA-256 message digest function, and asymmetric encryption with keys of 2048-4096 bits in length.

The username and passphrase together create a unique user passcode. This passcode is only known to the user and never shared, stored, or sent anywhere. If a user forgets his username or passphrase, all of his data stored on the server will become inaccessible forever to anyone. We have no ability to recover any portion of the data or the lost passcode.

When a new user account is created, the user generates his personal private/public key pair. The public portion of the key is then sent to the server where it can be picked up by others connecting to the system. The private portion of the key is encrypted with user's passcode and stored on the local computer or sent to the server at user's choice. When the encrypted private key resides on the server, user benefits from ability to access his account from anywhere in the world through the Internet.

The user's software uses the private key portion directly or indirectly to decrypt all of the data stored on the server. Other contacts use the public portion of a user's asymmetric key to send messages - if they are authorized to do so through active contacts.

Secured communication starts with the server sending the client a one-time short-term randomly generated session key encrypted with user's public key. Client uses his private key to decrypt the session key by applying his passcode and Rijndael(256) algorithm. From that point on, everything passing through the communication channel is encrypted using that key. The communication layer - sitting between the application and the network, automatically encrypts and decrypts all communications on both the client and the server. The communication protocol protects data confidentiality, protects against packet dropping, reordering, or any other modification.

Data encryption layer provides a second level of security encrypting all of the data content directly or indirectly with recipients' public keys. This ensures that when the packets are received at the server and stored in our data centre, nobody can decrypt the contents other than the designated recipients.

Every folder has its own symmetric encryption key with which all of its content is encrypted. This encryption key is not stored anywhere in its plain form; it is instead encrypted with public portions of asymmetric keys of the individuals who have access to the folder. In this manner only the selected individuals who created the folder, or were granted access to the folder by its creator are able to decrypt folder's content.

All files, messages and contacts, including the names and descriptions, uploaded and stored on the server are encrypted with their own symmetric keys. Their symmetric keys are in turn encrypted with the folder's key. Only the people who possess private keys, which decrypt asymmetrically encrypted folder keys, can gain access to the records.

When a new message is sent to the recipient, the message's symmetric key is encrypted with recipient's public key. Only the designated recipients, using their private keys, can decrypt the message. Message attachments are treated as part of the message and are similarly encrypted.