Skip to main content

Encryption

image

Understanding Encryption

How Svayy stores your data safe from prying eyes or Svayy itself

Because of the highly personal nature of the data we managa at Svayy, we prioritize the security of your information through advanced encryption methods. This article gives an intro into the relevant cryptographic methods in simpler terms, helping you understand how Svayy keeps your data secure. If you are familiar with the world of hashes, ciphertexts, secret keys, keypairs and the like, you can skip to the "Application at Svayy" section.

Intro to Encryption

The Concept of Hashing: Digital Fingerprints Imagine every piece of data, such as a short text or even a movie file, as having a unique “fingerprint” or hash. This hash is a jumble of characters that represents the data, much like a real fingerprint represents a person. However, you can’t figure out the original data from the hash alone. Using a process called hashing, we can convert any data into a fixed-size hash. For instance, the password password123 might become a string of characters like ef92b778bafe771e..., and no matter the length of the original data, the hash size remains constant.

So anybody who provides the hash ef92... proves that he either knows the password password123 or that he has listened in on prior communication.

Attack surface

Theoretically, you can try out myriads of inputs until you arrive at any given hash you want to crack. Because of this, it is important to build upon a hash of sufficient size or complex enough calculation to grow the proverbial haystack into a size way beyond the reach of physical limitations.

However, it’s crucial to use complex hashing functions, as simpler ones can be cracked with enough effort, unless the hash simply serves the purpose of verifying that a large piece of data was transferred without accidental changes.

Symmetric Encryption: Safes and Keys

Suppose you want to safely store or transfer some data.

Symmetric Encryption works in analogy to a safe with a key which has to be kept away from unauthorised access. You only secure key, but the safe can be transported, displayed and positioned in plain sight.

Here, a secret key scrambles the data, making it unreadable without the key. When you need to read the data again, the same key unscrambles it back to its original form. This method is efficient for storing or transferring data securely.

Asymmetric Encryption: Mailboxes for Data

Asymmetric encryption, on the other hand, uses two keys: a public key and a private key. Think of it as a mailbox. Anyone can drop a letter in (encrypt data using the public key), but only the owner with the private key can open it and read the letters (decrypt the data). This method is especially useful for secure communication over the internet.

  • Encryption: ClearText + PublicKey => CipherText

  • Decryption: CipherText + PrivateKey => ClearText

Application at Svayy

Titles, descriptions, texts

Textual data such as habit titles are encrypted on the client side using AES-GCM, with the key being derived deterministically on the client side from the user's cleartext password.

Passwords

Your passwords never leave the client, either in the web or the app. In order to log in, the client first hashes his password with sha256 in order to prevent the Svayy server, or anyone with access to it, to decrypt the stored data.

In order to safeguard you from losing all your data in the event that you forget your password, we have implemented the recovery kit.

The Recovery Kit: Your Safety Net

The Svayy server generates a RSA-OAEP (with SHA-512) key pair. The client receives the public key in order to generate a recovery kit text file. The client encrypts his cleartext password using the public key, and is reminded to store that file in a safe place.

Your recovery kit should never be communicated to Svayy, or anyone else for that matter, but without the private key stored on the Svayy server the recovery kit alone cannot be used to perform any malicious action.

At any point in time, a user can request a new recovery kit, which wipes the old public/private key from the Svayy servers and forces the client to download the newly generated kit, rendering the old kit useless, as nobody will ever be able to decrypt it from that point on.

Encryption

If you lose your Recovery Kit we can't restore your password and all your data will be lost!

Password reset

Similar to the activation pin at registration, the user's email address is used as "a third party" in order to facilitate the recovery process.

On request, a confirmation pin gets sent to the email address in question, which is used to authenticate a given client as the account's owner. He then receives the private key corresponding to his recovery kit from the Svayy API.

In combination with the recovery kit, he now gets automatically logged in and led through the password change process, ensuring comtimuous protection.

Password change

A user can at any time change his password. Using his old symmetric key, based on his cleartext password, he progressively decrypts all encrpyted data associated to his account. Afterwards he re-encrypts the same data using a symmetric key based on a new password.