Safebox Crypto Architecture



Encryption Architecture and Basics
( Srini Kommoori @srinikom )
View in Google Docs
Source code: Github
It is important to make sure sensitive documents and files are encrypted before uploading to the cloud. This article explains and gives details about how file encryption works in Safebox application.
Objectives
Important things which we wanted to make sure we address in Safebox are:
  1. Ease of use
  2. No passwords to remember
  3. Allow collaboration
How it works
Safebox folder sits outside of your Dropbox folder. All the files you keep in Safebox are going to be encrypted and synced to Dropbox folder. For the encryption and decryption process, keys are used - more about keys in the next section.
Encryption algorithms used:
  1. PBKDF2 for key strengthening. Iteration count 10900 for AES engine and 10500 for HMAC signing.
  2. AES256 with CBC mode and PCKCS7-RFC5652(CMS) padding.
  3. HMAC-SHA256 for file authentication.
  4. Random unit depends on Operating System for generating IV.
Keys
Safebox generates 600+ character base64 encoded keys using RSA private keying engine. Safebox uses these generated keys for symmetric encryption purposes(as passwords) instead of typical public-private asymmetric mode. This  allowed us to reap the benefits of AES symmetric encryption simplicity and keys to manage passwords.
You can also assign your own keys if you prefer. Safebox tries to base64decode the key and if it fails, key text is used as is.
Keys also enable sharing a folder and collaboration possible without lot of complexities. If you want to share a folder, create separate keys for the folder and send those keys to the person you are sharing the folder with.
Trade-offs
Safebox doesn’t do file name encryption. Encrypting file names would have hindered lot of things including losing versions, complexities in collaboration. By trading off encrypting file names, we could able to achieve our objectives.
Encryption Details
Every encrypted file(.enc file) contains three main sections. (1) Header (2) File contents (3) Authentication. Follow the source code for more details about  each algorithm and implementation. Header and Footer are meta data that gets written on top of file contents.