Security FAQ.
How can I be sure CryptoExpress is secure?
The source code for the CryptoExpress application is available free of charge to everyone. Security experts and other users can test the strength of the cryptographic system. The source code is available for download on request.
Does anyone have access to my private keys?
NO, NO, NO. The private portion of the user's key is encrypted with the user's pass code and stored on the local computer or sent to the server, at the user's discretion. When the encrypted private key resides on the server, the user benefits from the ability to access his account from anywhere in the world through the Internet.
The algorithm used to encrypt the private key is Rijndael (the cipher standardized as AES). The user's pass code is the entropy source for the 256-bit symmetric key which, together with the algorithm, transforms the private portion of the asymmetric key into ciphertext. The strength of the encryption therefore depends on the strength of the user's pass code: an attacker who can guess the pass code does not need to attack the cipher. It is believed that all of the energy in the universe is not sufficient to successfully complete a brute-force attack on ciphertext generated with the AES symmetric cipher using 256-bit keys.
The user name and passphrase together create a unique user pass code. This pass code is known only to the user and is never shared, stored, or sent anywhere. If a user forgets his user name or passphrase, all of his data stored on the server becomes inaccessible forever; we have no ability to recover any portion of the data or the lost pass code.
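The private-key wrapping this answer describes, as an added illustration that is not CryptoExpress's own code: the FAQ states only that a 256-bit symmetric key is derived from the pass code (user name plus passphrase) and used with Rijndael/AES. The key-derivation function (PBKDF2-HMAC-SHA256, written out inline), the iteration count, the random salt, the AES-GCM mode and the way user name and passphrase are joined are all this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed parameters: the FAQ says only "256-bit AES key from the pass code".
// KDF, iteration count, salt length and cipher mode are this example's choices.
const (
	kdfIterations = 100000
	saltLen       = 16
	keyLen        = 32 // 256-bit key for AES-256
)

// passCode joins user name and passphrase into the single secret the FAQ calls
// the "pass code"; the NUL separator is an assumption.
func passCode(userName, passphrase string) []byte {
	return []byte(userName + "\x00" + passphrase)
}

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) so that the example
// needs only the standard library. It stretches the pass code into dkLen bytes.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	mac := hmac.New(sha256.New, password)
	out := make([]byte, 0, dkLen)
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the AES-256 key from pass and salt and returns an AEAD.
func newGCM(pass, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(pass, salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapPrivateKey encrypts privateKey under the pass code. Blob layout
// (constructed): salt || nonce || AES-256-GCM ciphertext+tag; the salt is also
// bound as associated data. This blob is what could be stored locally or on
// the server without exposing the key.
func WrapPrivateKey(privateKey, pass []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(pass, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(blob, nonce, privateKey, salt), nil
}

// UnwrapPrivateKey reverses WrapPrivateKey. A wrong pass code fails the GCM tag
// check; nothing in the blob lets anyone recover the key without the pass code.
func UnwrapPrivateKey(blob, pass []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("key blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(pass, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("key blob too short")
	}
	nonce, ct := blob[saltLen:saltLen+ns], blob[saltLen+ns:]
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong pass code or corrupted key blob")
	}
	return pt, nil
}

func main() {
	priv := []byte("-- constructed private key bytes --")
	good := passCode("alice", "correct horse battery staple")
	blob, err := WrapPrivateKey(priv, good)
	if err != nil {
		panic(err)
	}
	_, err = UnwrapPrivateKey(blob, passCode("alice", "wrong passphrase"))
	fmt.Println("wrong pass code:", err)
	pt, err := UnwrapPrivateKey(blob, good)
	fmt.Println("recovered:", string(pt), err)
}
```

Two design points worth noticing: the authenticated (GCM) mode makes a wrong pass code fail cleanly instead of yielding garbage that might be mistaken for a key, and because the user name is part of the secret, a correct passphrase with the wrong user name also fails, which is exactly the "forget either and the data is gone" behaviour the answer describes. The salt and iteration count only slow down guessing; they cannot add entropy to a weak passphrase, so the pass code remains the element the user must make strong.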
How can I be sure the client software I run is authentic?
To personally verify the authenticity of the downloaded software archive, check the SHA-256 message digest of the downloaded file against the expected value. A Java command-line utility for computing SHA-256 digests, and the expected digests for all released versions, are available on request.
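The digest check described in this answer, as an added example that is not the Java utility the FAQ offers: it streams a file through SHA-256, normalises the published digest, and compares in constant time. The archive contents and the "published" digest used in `main` are constructed for the example; real digests for CryptoExpress releases come only from the project on request.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// FileSHA256Hex streams the file through SHA-256 (so a large archive is never
// loaded into memory) and returns the lowercase hex digest.
func FileSHA256Hex(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// DigestMatches compares a computed digest with the published one. It tolerates
// case and surrounding whitespace, rejects anything that is not a 32-byte
// SHA-256 value, and compares in constant time.
func DigestMatches(actualHex, expectedHex string) (bool, error) {
	a, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(actualHex)))
	if err != nil {
		return false, err
	}
	e, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(expectedHex)))
	if err != nil {
		return false, err
	}
	if len(a) != sha256.Size || len(e) != sha256.Size {
		return false, errors.New("digest is not 256 bits long")
	}
	return subtle.ConstantTimeCompare(a, e) == 1, nil
}

// VerifyDownload returns nil only when the file at path hashes to expectedHex.
func VerifyDownload(path, expectedHex string) error {
	got, err := FileSHA256Hex(path)
	if err != nil {
		return err
	}
	ok, err := DigestMatches(got, expectedHex)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("%s: digest mismatch (got %s, expected %s)",
			path, got, strings.TrimSpace(expectedHex))
	}
	return nil
}

func main() {
	// Constructed stand-in for a downloaded archive; its content is "abc".
	f, err := os.CreateTemp("", "cryptoexpress-*.zip")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("abc")
	f.Close()
	// SHA-256("abc"), written the way a published digest might appear.
	published := "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
	fmt.Println("valid archive:", VerifyDownload(f.Name(), published))
	tampered := strings.Replace(published, "BA78", "0000", 1)
	fmt.Println("tampered digest:", VerifyDownload(f.Name(), tampered))
}
```

A digest only proves that the file you hold is the one the digest was computed over; it says nothing about who computed it. Obtaining the expected digest through a channel separate from the download itself (as the FAQ's "on request" arrangement implies) is what stops an attacker who can alter the download from simply publishing a matching digest alongside it.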
Do I have to do anything with my public key?
CryptoExpress manages public keys automatically and securely. The user simply allows others to communicate with him through the use of "Contacts" within the CryptoExpress application; the system takes care of exchanging public keys automatically.
Can my private key remain on my local computer?
When creating a new account, you have an option to store your encrypted private key on our servers, or to store it locally. The advantage of storing it on the server is that you can access your account from any other computer on the Internet. Regardless of where you decide to store your private key, it is encrypted. See "Does anyone have access to my private keys?" above for more information.
Do my Contacts know where I send my messages from?
NO. Messages and other records do not contain IP or other information which can be used for physical or geographical tracking of the sender or recipient. We never log or associate IP addresses with user accounts.
How can I verify that I am sending messages to my intended recipient?
The following procedure is not necessary for secure communications. However, it can be used to make sure your contact address actually belongs to whom you think it does.
Click on the outgoing contact name that you want to verify and select "Contact Properties." A dialog box will pop up. Look at the name and number on the "Contact With" line.
Call, talk, or otherwise communicate with the other party to verify that the unique number following your recipient's name matches the unique user number you receive from the other party.
Once you have verified a Contact, you do not need to do it again. The Contact will remain in your account indefinitely and cannot be removed or changed by anyone other than you or the person with whom you share the Contact. Each user on the system is unique and distinguished by user ID; although two people can have the same user name, their accounts are never confused by the system.
How does CryptoExpress compare to other web-based security systems?
CryptoExpress offers a degree of security, non-repudiation and anonymity which far exceeds that of any other web-based system.

