Beyond Encryption: Block Labs’ OCC Tech Pioneers Next-Level Email, Messaging & Data File Transfer Communication Security

Dr. Tali Režun & Denis Jazbec, Block Labs Luxembourg

Context

Digital communication has become most relevant in the past decade as digital data has become extremely valuable. Communication in the form of emailing, messaging and data file transfers form the foundation behind most business transactions. Humankind in general has grown a dependency on digital communication as it relies on and depends on it to be robust, confidential, private and secure. Sadly the communication that we use every day is not robust or secure and it is far from private and confidential. Digital legacy communication like emailing, for example, is wide open to Phishing, Spoofing, Spam and the theft of digital identity and data while being vulnerable to brute force, Malware, Ransomware, Man-in-the-middle, Dos, Credential stuffing or other sorts of cyber attacks.

To simplify, let’s divide digital communication technology into custodial and self-custodial, meaning custodial is communication that is in the custody of an intermediary platform and self-custodial is in the custody, managed by you or your organisation. Today most people use “free” custodial communication platforms. Offered by tech giants such as Google, Microsoft, Facebook or Yahoo, their Web2 communication platforms changed the way we interact and communicate, but came with a price. People knowingly or unknowingly trade the ease of access for their communication data. This is called data mining. While people don’t mind sharing their communication data in exchange for “free” services, these communication platforms are far from usable for business interactions where data confidentiality is a prerequisite. To achieve more control over our communication, we can always set up a self-custodial digital communication solution. Usually set up within bigger organisation structures, custom email servers can offer better protection, but sadly can not keep up with ever-growing cyber security threats.

Solution

The superiority of blockchain technology and its unique tamper-proof features was confirmed long ago and it is no longer considered a tech hype. Blockchains ensure tamper-proof digital transactions through the use of cryptographic technology and automated consensus. Blockchain is made from a trail of validated facts. These facts can be anything from money, information or communication. As part of this digital record-keeping system, each transaction and its details are validated and recorded across a computer network. Everyone who has access to the distributed ledger receives this information and the parties agree on the accuracy before the block is replicated, shared and synchronized among the entities. A blockchain is virtually impossible to tamper with since each block of information references the block before it. In an age when trust is elusive and held at a high premium, blockchain presents a way to confirm, validate and authenticate values, events, information and communication. Blockchain is not an upgrade of the existing internet, it’s a new iteration also called Web3 which does not inherit current internet flaws and broken models. It’s a clean slate, designed around online trust and transparency where decentralized systems execute peer-to-peer transactions and services without centralized custodial gatekeepers. Smart contracts run on blockchains. They are codes or rules written into a digital program, which in Block Labs’ case determine what happens when digital communication runs on-chain. Putting communication on-chain makes all the difference because on-chain communication automatically inherits blockchain core fundamental features (i.e. immutability, transparency, security). Combined with smart contracts a new world of features opens that were just not imaginable before. Just like that the majority of known cyber attacks are not possible any more.

OCC infrastructure

Block Labs spent the last six years developing foundations for Web3’s first OCC (i.e. on-chain communication) infrastructure. It manifested in the form of an EVM (i.e. Ethereum virtual machine) OCC Protocol, TypeScript-based OCC SDK (i.e. software development kit) and the blockchain mail and messaging white-labels supporting multi-level and multi-chain integrations. The technology utilises blockchain networks, smart contacts and encryption to enable data ownership retention, security and robustness within decentralized on-chain communication. The majority of the OCC infrastructure is open-source, reflecting code transparency and inviting code reviews. Thousands of tests were made to ensure code robustness. The OCC framework harnesses its security from the underlying blockchain networks and AES-256 encryption. Powering by two main fundamentals; (1) 1 email/message or data file transfer = in one L1/L2/L3 transaction, and; (2) not your keys = in not your email, message or data, the OCC technology natively prevents Phishing, Spoofing, Spam, identity and data theft, Web2 data tracking, or data mining, while it is impervious to invasive ad/surveillance campaigns. Its modular design maintains integrator or users’ self-custodial access and data control while AES-256 encryption ensures unparalleled security;

1. Decentralized on-chain communication: True peer-to-peer (i.e. wallet-to-wallet) communication transactions executed on the rails of underlying blockchain networks with decentralization coefficient equal to supporting L1, L2 or L3.

2. Blockchain features: Due to the unique on-chain model, emails, messages or data file transfers are immutable, and time-stamped while their checksum hash (SHA-256) is recorded on the blockchain permanently proving their validity.

3. Data portability: Compared to siloed Web2 communication applications, the emails, messages and accompanying data within the OCC infrastructure are portable. Client application acts only as a conduit enabling communication interaction.

4. Storage self-custody: Integrators manage their storage of data. The OCC SDK supports any user storage choices.

5. E2E Encryption: Communication encryption is managed by users, as they control and own the private encryption keys.

We identify the most common scenarios currently threatening digital communication while proposing a solution. All relevant, especially business communication travels via email. Usually unencrypted, the emails and their content are an easy target for cyber attacks. Payments are usually confirmed via email, payment orders signed, and payrolls approved. There is practically no process being done without an email interaction. Block Labs OCC technology protects communication from the majority of well-known cyber attacks.

Phishing with a combination of BEC (i.e. Business Email Compromise) is the practice of sending fraudulent emails that resemble emails from reputable sources. The goal is to steal or mimic the communication with the intent to intercept and influence the end action (e.g. pretending to be one of the executives confirming the money transfer). Because Block Labs OCC infrastructure is blockchain-based, it can protect its users against all types of Phishing and BEC attacks. Specialised smart contracts enable whitelisting of sender addresses. Smart contract rules prevent receiving emails from unidentified parties, while the underlying blockchain decentralized security ensures process validity.

Email spoofing involves the creation of email messages with a forged sender address, which is used to mislead the recipient about the origin of the message. Blockchain prevents email-spoofing attacks because emails and messages can be sent only with the private key or the particular user. If you don’t own the private key of an address, you can not send the email or message from that address.

Malware and ransomware can be distributed via email or message, by encrypting the victim’s files and demanding a ransom for the decryption key. Emails may contain malicious attachments or links that, when opened, launch the ransomware. If we deduct that communication between known parties is trusted, then Block Labs OCC technology offers bulletproof protection against malware and ransomware attacks by enabling communication address whitelisting.

Encryption

Digital communication encryption has slowly been applied also to more accessible commercial applications, but in most cases, encryption keys are being managed by the communication platform. Users don’t hold the communication private keys. Block Labs solution enables end-to-end encryption by user-owned private keys. The secret key is produced by ECDH (i.e. Elliptic Curve Diffie Hellman) secret key exchange. The sender needs the wallet client B (i.e. receiver) public key to be recorded on the blockchain, while the secret key is calculated based on the private and public keys. Natively AES-256-GCM is used for the email and messaging communication encryption algorithm.

The safety of AES (Advanced Encryption Standard) algorithms primarily depends on the key length used in the encryption process. AES is a symmetric key encryption algorithm that can encrypt and decrypt information. The U.S. government has adopted AES and is now used worldwide. It supersedes the Data Encryption Standard (DES).

AES supports three key lengths:

• AES-128 uses a 128-bit key length.
• AES-192 uses a 192-bit key length.
• AES-256 uses a 256-bit key length.

The safety or security of AES increases with key length. Therefore, AES-256 is considered the safest or most secure AES algorithm because it has the longest key length, making it the most difficult to crack through brute force or cryptographic attacks. The choice among AES-128, AES-192, and AES-256 depends on the level of security required and the performance implications for the system in use.

However, AES-256 offers the highest level of security. It is often recommended for situations where the information needs to remain secure for a long period or against adversaries with significant computational resources. It’s also worth noting that an encryption scheme’s security depends not only on the algorithm itself but also on how it’s implemented and used, including factors like key management, the security of the encryption mode (e.g., CBC, GCM), and resistance to side-channel attacks.

Block Labs OCC technology uses GCM (Galois/Counter Mode), which is often considered the safest among all AES modes due to its combination of confidentiality, integrity, and authenticity protections. AES-256 GCM is among the top choices for secure encryption, offering a robust combination of confidentiality, integrity, and authenticity. It’s widely adopted in various security protocols and standards due to its high level of security and efficiency, especially for applications that require both encryption and authentication. When choosing the right encryption algorithm we have to consider specific use cases, threat models, and performance requirements:

(1) Performance and Security Needs: For most practical purposes, AES-256 GCM provides an excellent balance of security and performance. If you have specific needs or constraints (e.g., extremely high throughput or low latency requirements, or hardware support limitations), exploring alternatives or additional optimizations might be warranted.

(2) Post-Quantum Cryptography: If your threat model includes future attacks by quantum computers, you might be interested in post-quantum cryptography algorithms currently being developed and standardized by organizations such as NIST (National Institute of Standards and Technology). These algorithms are designed to be secure against quantum attacks, but they are mostly in the research and standardization phase and might not be widely supported yet.

(3) ChaCha20-Poly1305: For environments where AES hardware acceleration is not available, and performance is a concern, ChaCha20-Poly1305 is an alternative that provides comparable security to AES-256 GCM and is often faster in software implementations. It’s used in various applications and protocols, including TLS and VPNs.

(4) Additional Security Layers: Instead of looking for a single “better” algorithm, enhancing security often involves employing multiple layers and mechanisms, such as rotating keys more frequently, ensuring proper key management practices, and implementing additional security controls and monitoring.

(5) Algorithm Agility: It’s also important to design systems to be algorithm agile, meaning they can easily switch to different algorithms as needed without extensive overhaul. This is crucial for adapting to future cryptographic advances and potential vulnerabilities discovered in current algorithms.

Brute-forcing AES-256 GCM (or any AES-256 variant) involves trying every possible key until the correct one is found. The security of AES-256 is fundamentally based on the size of its key: 256 bits. This means there are 2^ 256 possible keys.

To understand how long it would take to brute-force AES-256, consider the following:

• Number of Possible Keys: 2^ 256 is an astronomically large number. Specifically, it is about 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 possible keys.
• Computational Power: Even with the most powerful supercomputers or distributed networks available today, the time required to brute-force AES-256 is impractical. For instance, even if you could check a billion (109) billion (109) keys per second (far beyond current capabilities), it would still take many billions of years.

The age of the universe is estimated to be about 13.8 billion years. Therefore, brute-forcing AES-256 would take much longer than the current age of the universe, making it practically impossible with current and foreseeable technology.

Quantum Computing Consideration: Quantum computers promise significant speedups for certain types of computations. For encryption, Shor’s algorithm could theoretically break RSA and ECC encryption much faster than classical computers. However, for symmetric ciphers like AES, the best-known speedup is provided by Grover’s algorithm, which would square root the brute force search time, requiring 2128 operations to break AES-256. Even this reduced requirement remains well beyond practical computational means with foreseeable technology.

Conclusion

We are changing the core concept and perspective of digital communication, from custodial to non-custodial, from centralized to decentralized, from unencrypted to encrypted, and from “free” but mined to payable but yours.

With the help of advanced blockchain protocols as an underlying infrastructure and high-end encryption algorithms, Block Labs leads the way in R&D towards truly secure digital communication. Its AES-256 GCM-based encryption is highly secure and a perfect fit for truly secure communication use cases. It is considered secure against brute-force attacks with any existing or soon-to-exist technology. The design and strength of AES-256 mean that other attack vectors (such as side-channel attacks or weaknesses in implementation) are far more likely to be the focus of attackers than brute-force attempts. As secure communication is one of the most significant use cases that need to be solved by Web3, other projects are trying to solve the same challenge, but more or less with simpler Web 2.5 solutions. Block Labs‘s “1 blockchain mail/message or data file exchange = 1 L1/L2/L3 transaction” approach is unique, but also the most challenging to develop.

Again, let me close with a thought; Electronic communication is too valuable to be entrusted to an intermediary. The time for permissionless on-chain communication protocols is now.

Disclaimer

All content provided herein, including but not limited to text, graphics, logos, and images (the “Content”), is the property of Block Labs Luxembourg S.a r.l., a legal entity established under the laws of the Grand Duchy of Luxembourg, registered with R.C.S. Luxembourg under N B263508 at the following address: 41, rue du Puits Romain, z.a. Bourmicht (Atrium Business Park), L-8070 Bertrange, Luxembourg (the “Company” or “we”). It is protected by copyright and other laws that protect intellectual property and proprietary rights. You are granted a non-exclusive, non-transferable, revocable license to access and use the Content for the sole purpose of obtaining information about the 4thTech technology and other educational purposes. We have done our best to ensure that the Content is accurate, updated, complete, and provides valuable information, but neither do we guarantee nor take any responsibility for its accuracy and/or completeness. The Content is not intended as, and shall not be understood or construed as legal, financial, tax, or any other professional advice, sale or offer for sale of any securities, and/or crypto-assets. The Company is not engaged in rending of and/or is not licensed to render any of the crypto-asset services and/or financial services, such as investment or brokerage services, capital raising, fund management, or investment advice.