Thread: Viivo Security

  1. #1
    Viivo Development Alex's Avatar
    Join Date
    Jan 2013
    Location
    Milwaukee
    Posts
    68

    Viivo Security

    Here is some information on what security we use in the Viivo Application:

    Viivo uses a combination of symmetric encryption (AES-256) for the data and asymmetric encryption (RSA-2048) for the key material.

    Symmetric encryption uses less computational resources than asymmetric encryption, so it is more efficient and, therefore, attractive particularly for large volumes of data. Symmetric encryption uses a single key (the same key for encryption and decryption), which makes sharing challenging.

    Asymmetric encryption uses a public and a private key pair that have a unique relationship based on factoring the product of two large prime numbers. Data that is encrypted with one can only be decrypted using the other, and the complexity of the prime factor mathematical relationship is such that the work effort required to reverse-engineer one from the other makes it effectively impossible. Use of asymmetric keys for encryption is considered more secure but also is more computationally-intensive, which presents performance issues when processing large amounts of data. Asymmetric encryption facilitates sharing.

    Viivo incorporates a hybrid crypto solution that offers a blend of the two different encryption key approaches, gaining the best benefits of each without the disadvantages of either.

    On desktop, Viivo will encrypt any files (with the exception of certain temporary files) you place in your Viivo folder to your Viivo-Encrypted Dropbox folder to automatically sync them to the cloud. When securing your files, add unencrypted files to your Viivo folder (e.g. C:\Users\John_Doe\Viivo on Windows or /Users/John_Doe/Viivo on Mac OS X) where they will be safely encrypted and copied to Dropbox. Unencrypted files directly added to Viivo-Encrypted in Dropbox will be pulled out of Dropbox and encrypted. There is a chance Dropbox will have already sent a plain text version of your data to their servers.

    When you create your account, a Viivo identity is created for you and represented as an RSA key pair. This key pair is encrypted and protected by your master password, so it’s critical that you remember your password or have Viivo remember it for you. However, Viivo does not provide a way for you to extract your password; it simply uses it to log you in if you elect to have Viivo remember it. Your password is stored directly on your device and not in any files that are transmitted through the cloud, so it is never out of your possession. Files that are yours alone (not shared) will be encrypted with keys for your use only. When you create a share or share with others, keys specific to that share are generated and used to secure the data files in that share only.

    On Mobile, files are decrypted on the fly. The files are only stored in their form from Dropbox (encrypted).
    Last edited by Alex; 09-03-2013 at 09:52 PM.
    Alex Robertson
    Software Engineer

    PKWARE, Inc.
    www.PKWARE.com

  2. #2

    Can you provide more details on keys for shared files?

    In particular, you mention this:
    Files that are yours alone (not shared) will be encrypted with keys for your use only. When you create a share or share with others, keys specific to that share are generated and used to secure the data files in that share only.

    On Mobile, files are decrypted on the fly. The files are only stored in their form from Dropbox (encrypted).

    Do you have any more details on 1) how the keys are generated for shared files, and how those keys are secured, and 2) how the keys are managed for mobile devices?

    Thanks in advance.



    Originally posted by Alex:
    Here is some information on what security we use in the Viivo Application:

    Viivo uses a combination of symmetric encryption (AES-256) for the data and asymmetric encryption (RSA-2048) for the key material.

    Symmetric encryption uses less computational resources than asymmetric encryption, so it is more efficient and, therefore, attractive particularly for large volumes of data. Symmetric encryption uses a single key (the same key for encryption and decryption), which makes sharing challenging.

    Asymmetric encryption uses a public and a private key pair that have a unique relationship based on factoring the product of two large prime numbers. Data that is encrypted with one can only be decrypted using the other, and the complexity of the prime factor mathematical relationship is such that the work effort required to reverse-engineer one from the other makes it effectively impossible. Use of asymmetric keys for encryption is considered more secure but also is more computationally-intensive, which presents performance issues when processing large amounts of data. Asymmetric encryption facilitates sharing.

    Viivo incorporates a hybrid crypto solution that offers a blend of the two different encryption key approaches, gaining the best benefits of each without the disadvantages of either.

    On desktop, Viivo will encrypt any files (with the exception of certain temporary files) you place in your Viivo folder to your viivo_encrypted Dropbox folder to automatically sync them to the cloud. When securing your files, add unencrypted files to your Viivo folder (e.g. C:\Users\John_Doe\VIIVO on Windows or /Users/John_Doe/VIIVO on Mac OS X) where they will be safely encrypted and copied to Dropbox. Unencrypted files directly added to viivo_encrypted in Dropbox will NOT be encrypted.

    When you create your account, a Viivo identity is created for you and represented as an RSA key pair. This key pair is encrypted and protected by your master password, so it's critical that you remember your password or have Viivo remember it for you. However, Viivo does not provide a way for you to extract your password; it simply uses it to log you in if you elect to have Viivo remember it. Your password is stored directly on your device and not in any files that are transmitted through the cloud, so it is never out of your possession. Files that are yours alone (not shared) will be encrypted with keys for your use only. When you create a share or share with others, keys specific to that share are generated and used to secure the data files in that share only.

    On Mobile, files are decrypted on the fly. The files are only stored in their form from Dropbox (encrypted).

  3. #3
    Viivo Staff matt's Avatar
    Join Date
    Jan 2013
    Location
    Milwaukee
    Posts
    207
    The person/account that initiates Viivo encryption for a Dropbox share is responsible for issuing decryption keys to that share. From a UI perspective, you will see this as an incoming notification that requires you to make an "Allow/Deny" decision. This is an important step in protecting your data from the cloud/storage providers or from other Dropbox collaborators that invite others to your Dropbox share.
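
The hybrid scheme from post #1 and the per-share key issuance from post #3, as an added example that is not Viivo's code and not part of the original thread. AES-GCM, RSA-OAEP with SHA-256, the blob layout, the function names and the members alice and bob are assumptions; the thread states only AES-256 for data and RSA-2048 for key material.

```javascript
const crypto = require('node:crypto');

// Encrypt one file under the share key. AES-GCM is an assumption (the thread
// names AES-256 but no mode). Layout: 12-byte nonce | 16-byte tag | ciphertext.
function sealFile(shareKey, data) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', shareKey, nonce);
  const body = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Decrypt a sealed file; throws if the key is wrong or the blob was altered.
function openFile(shareKey, blob) {
  if (blob.length < 28) throw new Error('truncated blob');
  const d = crypto.createDecipheriv('aes-256-gcm', shareKey, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// RSA-OAEP with SHA-256 is likewise an assumption, not stated in the thread.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// "Allow": the share owner wraps the share key to the member's public key.
function issueKey(memberPublicKey, shareKey) {
  return crypto.publicEncrypt({ key: memberPublicKey, ...OAEP }, shareKey);
}

// Member side: only the matching private key recovers the share key.
function acceptKey(memberPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: memberPrivateKey, ...OAEP }, wrapped);
}

// Constructed demo: alice is allowed into the share, bob is not.
function demo() {
  const gen = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [alice, bob] = [gen(), gen()];
  const shareKey = crypto.randomBytes(32); // fresh AES-256 key for this share only
  const blob = sealFile(shareKey, Buffer.from('constructed sample file'));
  const wrapped = issueKey(alice.publicKey, shareKey);
  const plain = openFile(acceptKey(alice.privateKey, wrapped), blob).toString();
  let bobReads = true;
  try { acceptKey(bob.privateKey, wrapped); } catch { bobReads = false; }
  return { plain, bobReads };
}

console.log(demo());
```

The storage provider only ever sees `blob` and `wrapped`; neither yields the file without a member's private key.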

  4. #4
    My concern with this application is that I am handing you access to my Dropbox. I do not see it stated anywhere that you will not have any access to my files. You are directly added via an application as well as the files themselves. I know I will be breaking out Charles and inspecting what data you are uploading to where when I get home.

  5. #5
    Viivo Support
    Join Date
    Jan 2013
    Posts
    159
    @Starwind0,

    We understand your concerns, but rest assured - you are not handing access to your Dropbox account over to us, and only you have copies of your private key that can be used to decrypt your data.

    If you have a synced locker, VIIVO will encrypt a copy of the file prior to placing it into the encrypted folder. If this folder happens to be a sub-folder of Dropbox, then DB will take things from there.

    If you have a non-syncing folder that is a sub-folder of DB, VIIVO will immediately encrypt a file before DB processes it.

    And once again regarding encryption - we do not have access to your private key - only you do.

    Let us know if there are any questions!
