How does ‘Pensieve’ protect your data?

Arunkumar Krishnan
Published in pensieve.in
4 min read · Jan 5, 2021

Vision

We strongly believe that only the user should have access to their data, and that no one else should use it without their knowledge or permission. Hence we chose a zero-knowledge design with end-to-end encryption (E2EE) performed on the device: no third party, including the cloud storage providers and Pensieve itself, can read your data. (‘Zero-knowledge’ here means our servers only ever hold ciphertext and never see your plaintext or your decryption keys; it is not the cryptographic zero-knowledge proof.) It is all under the user’s control. In practice, the Pensieve application encrypts your sensitive files on your device before sending them to be stored in Dropbox, Google Drive or OneDrive.

Before starting, it is useful to know what E2EE is, how it works, and why we should go for it.

What is end-to-end encryption?

End-to-end encryption is a secure and private communication method in which the only people who can access the data are the sender and the intended recipient(s). In proper end-to-end encryption, encryption happens on the device: every message or file is encrypted before it leaves the phone or computer and is not decrypted until it reaches its destination. As a result, someone who breaks into the server sees only ciphertext, because the private keys needed to decrypt it are held on the users’ devices and never reach the server.

Why is end-to-end encryption necessary? What is the problem with existing providers?

There are gaps in the encryption that existing services rely on, namely HTTPS and encryption at rest (used by almost all cloud providers). HTTPS only protects data while it travels over the network, and encryption at rest only protects the stored disk; in both cases the provider holds the keys, so the plaintext is still available on its frontend and backend servers to its developers, to anyone who compromises those servers, and to any government that compels the provider to hand it over. Even if we trust all these parties, a technical mechanism that lets them access the data is a mechanism that anyone can exploit.

End-to-end encryption is necessary because it protects users’ data from the moment they create it until the intended recipient receives it. On an end-to-end encrypted file-sharing platform no third party, not even the cloud storage providers or the E2EE platform provider, can read or interpret the data. Services like Gmail, Yahoo or Microsoft, by contrast, can access the content of a user’s data on their servers because the provider holds the decryption keys, so these providers can read the user’s email and files. In Google’s case, holding the decryption keys is what allowed it, in the past, to scan account holders’ mail in order to serve them targeted ads.

Keeps your data safe even if the server is breached: with end-to-end encryption, you are the only one who holds the private key that unlocks your data. An attacker who breaks into the server cannot read what is stored there, because the private keys needed to decrypt it are not on the server.

Protects your privacy: providers like Google and Microsoft can read your data because it is decrypted on their servers when you use their service. Whatever is decrypted on their servers can also be read by an intruder, or by any other unwanted third party that gains access to those servers.

How does Pensieve encrypt and decrypt files?

Pensieve implements a hybrid encryption system that combines asymmetric RSA with symmetric AES. Every file has its own unique random file key (an AES key) generated when the file is created. The file key encrypts and decrypts the contents of that file; RSA is used only to protect the file key itself.

Encryption:

  1. Create a secure random file key.
  2. Encrypt the plaintext data with the file key.
  3. Encrypt the file key with the user’s RSA public key.
  4. Store the encrypted file key alongside the encrypted data in the encrypted file. If multiple users have access to a file, the file key is encrypted once per user with each user’s public key, and every result is stored in the encrypted file.

Decryption: decrypt the encrypted file key with the user’s private key, then decrypt the encrypted data with the recovered file key.

Algorithms used: AES with a 256-bit key in CBC (Cipher Block Chaining) mode with PKCS7 padding; RSA with a 4096-bit key and OAEP padding. Note that CBC with PKCS7 padding provides confidentiality only: nothing in the scheme as described above detects modification of the ciphertext, so a deployment should also authenticate the ciphertext (an encrypt-then-MAC tag, or an authenticated mode such as AES-GCM) and verify it before decrypting.

Is any user data stored on Pensieve servers?

No user data is stored. Only the user’s public key is stored, and it is served to people who want to share data with that user. The user’s private key, encrypted with a password known only to the user, is also stored; it is used when restoring the user’s account on a new device. Because that stored blob is only as strong as the password protecting it, the password must be strong and the key derived from it must use a deliberately slow key-derivation function, so that someone who obtains the blob cannot cheaply brute-force it offline.

What data goes to and comes from the Pensieve servers, and why?

User data is always stored either with the cloud providers or on user devices. The app only contacts the Pensieve server in the cases below:

Setting up a new device: when the user registers, or recovers their account on a new device.

Sharing access to a file or folder: when sharing a file or folder with another user, Pensieve retrieves that user’s public key from the ‘Pensieve key management’ server. The whole sharing flow rests on the sender receiving the genuine public key of the intended recipient, so the client should let users confirm a key out of band (for example by comparing key fingerprints) rather than trusting the server’s answer blindly.

How does file sharing work?

At a very high level, the following interactions take place:

  1. User1 requests User2’s public key from the ‘Pensieve key management’ server.
  2. User1 encrypts the file key with User2’s public key.
  3. User1 sends the encrypted file key and the encrypted file to User2.
  4. User2 decrypts the file key with his private key.
  5. User2 decrypts the file with the file key.
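The encryption and decryption procedure above and the five sharing steps are the same hybrid scheme seen from two sides, so one added example covers both. This is not Pensieve’s code; it is written here against the Go standard library and uses AES-256-CBC with PKCS7 padding and RSA-OAEP (with SHA-256) to match the stated algorithms. The EncryptedFile container, the user identifiers, the ShareFile step and the sample plaintext are assumptions made for illustration, and the key-server lookup of step 1 is stood in for by the caller handing over the recipient’s public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a hypothetical container (not Pensieve's real format).
type EncryptedFile struct {
	IV          []byte
	Ciphertext  []byte            // AES-256-CBC, PKCS7-padded
	WrappedKeys map[string][]byte // user id -> file key encrypted (RSA-OAEP) with that user's public key
}

// pkcs7Unpad verifies every padding byte so a malformed tail is rejected rather than trusted.
func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("pkcs7: bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return data[:len(data)-n], nil
}

// fileKeyFor is decryption step 1: unwrap the copy of the file key made for userID.
func fileKeyFor(ef *EncryptedFile, userID string, priv *rsa.PrivateKey) ([]byte, error) {
	if wrapped, ok := ef.WrappedKeys[userID]; ok {
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	}
	return nil, fmt.Errorf("no file key wrapped for user %q", userID)
}

// EncryptFile is encryption steps 1-4: random file key, AES-CBC the data, wrap the key per recipient.
func EncryptFile(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+aes.BlockSize) // 32-byte file key (AES-256) followed by a fresh IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, iv := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fileKey) // cannot fail: the key is exactly 32 bytes
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ef := &EncryptedFile{IV: iv, Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for id, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[id] = w
	}
	return ef, nil
}

// DecryptFile is decryption steps 1-2 for one user.
func DecryptFile(ef *EncryptedFile, userID string, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := fileKeyFor(ef, userID, priv)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil || len(ef.IV) != aes.BlockSize || len(ef.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad file key, IV or ciphertext length")
	}
	padded := make([]byte, len(ef.Ciphertext))
	cipher.NewCBCDecrypter(block, ef.IV).CryptBlocks(padded, ef.Ciphertext)
	return pkcs7Unpad(padded, aes.BlockSize)
}

// ShareFile is sharing steps 1-3 on the owner's side: the caller passes the recipient's public key
// (standing in for the key-server lookup); the owner unwraps the file key and re-wraps it for the recipient.
func ShareFile(ef *EncryptedFile, ownerID string, ownerPriv *rsa.PrivateKey, recipientID string, recipientPub *rsa.PublicKey) error {
	fileKey, err := fileKeyFor(ef, ownerID, ownerPriv)
	if err != nil {
		return err
	}
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, fileKey, nil)
	if err != nil {
		return err
	}
	ef.WrappedKeys[recipientID] = w
	return nil
}

func main() {
	user1, _ := rsa.GenerateKey(rand.Reader, 4096) // RSA-4096 keys, as the page specifies
	user2, _ := rsa.GenerateKey(rand.Reader, 4096)
	ef, _ := EncryptFile([]byte("constructed diary entry"), map[string]*rsa.PublicKey{"user1": &user1.PublicKey})
	_ = ShareFile(ef, "user1", user1, "user2", &user2.PublicKey) // user1 grants user2 access
	pt, err := DecryptFile(ef, "user2", user2)
	fmt.Printf("user2 reads %q (err=%v)\n", pt, err)
}
```

Two things worth noticing when running it. Sharing never re-encrypts the file body: the owner only adds one more wrapped copy of the same file key, which is why step 3 can simply hand the recipient the existing encrypted file. And the padding check in pkcs7Unpad is the only thing standing between a tampered ciphertext and silent garbage; it catches tampering only when the padding happens to break, which is exactly why an authentication tag belongs alongside CBC in a real deployment. Generating two 4096-bit keys takes a few seconds.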
