Methodology

CommonKey's cryptography was developed to secure sensitive data and enable our users to share account credentials with trusted individuals.

To support the distribution of shared account information to trusted individuals, we implement a combination of 256-bit AES and 2048-bit RSA encryption, paired with TLS 1.2 cryptographic protocols for data transport, 5000 round PBKDF2 for symmetric key generation, and SHA cryptographic hash functions for message hashing.

When our users create a CommonKey account, a unique "key" is created that serves as the only means to decrypt their data. The data at rest on our cloud server, in transit, and at rest on their local machine stays encrypted at all times (host proof hosting). Data is decrypted on the local machine only when requested by the user through either the dashboard or browser extension interface. Once the user's call for data is complete, it returns to its fully encrypted state.

Sharing of data (e.g. accounts) is accomplished by establishing secure "relationships" between two users through an invitation process. The construct of these "relationships" enables our users to only share a specific set of data. Once the user who controls the data no longer desires to share with the other user, terminating the relationship removes the ability to access the specific data.

Anyone (including the CommonKey team) does not have access to a user's encrypted data as we believe our user's private information should be just that, private. This methodology has proven to be the optimal approach in ensuring our users and their companies are protected with the highest level of security possible, while still being able to share private information with trusted individuals.

Our cryptography approach protects our users' sensitive information from brute force attacks and intractability of mathematical problems (e.g. integer factorization), while still allowing for sharing with trusted individuals and access from multiple locations and machines.

Have more questions? Contact us at info@commonkey.com.

Known Vectors

We built CommonKey to provide a critical missing solution for small businesses, team password sharing and management. We've gone through extensive measures to verify our security protocols to ensure your data is secure when it's transmitted and stored with us. However, in the security world, there will always be known vectors intruders could use to capture your sensitive information. The following list are some of the known vectors that could lead to a compromise for individual CommonKey accounts and countermeasure recommendations to help you safeguard against such attacks.

• BruteForce Attack: Brute-force attacks try every possible combinations of numbers, letters and special characters until it matches the password. Brute-force attacks can take a very long time depending upon the complexity of the password. The time required to brute-force attack a password is determined by the speed of computer and complexity of the password. Countermeasure: Use long and complex (strong) passwords. Use a combination of upper and lowercase letters along with numbers along with special characters and non-dictionary sourced letter combinations.
• Rats and Keyloggers: In keylogging or RATing the hacker sends a keylogger or rat to the victim, which is installed on a user's local machine. This allows hacker to monitor every thing the victim does on his computer. Every keystroke is logged including passwords. In some cases, hackers can even control the victims computer. Countermeasure: Never login to your bank account from cyber cafes or someone elses computer. If its important, use on-screen or a virtual keyboard while typing the login. Use the latest anti-virus software and keep them updated.
• Man in the Middle: The attacker puts himself between the target and some resource that she is trying to reach. The attacker’s presence must remain unknown to both the victim and the legitimate resource he is impersonating in order for the attack to be successful. The most common MITM attack involves an attacker using a WiFi router as the mechanism with which to intercept user communications. Countermeasures: Users can protect themselves against some kinds of MITM attacks by never connecting to open WiFi routers or by employing a browser plug-in such as HTTPS Everywhere or ForceTLS that always establishes a secure connection whenever the option is available. However, these defenses have limitations and there have been demonstrations of practical attacks such as SSLStrip or SSLSniff that can negate the security of SSL connections.

We also feel it's important to share the Microsoft TechNet Essay, "Ten Immutable Laws of Security" by Scott Culp (link), regarding some generalities with regards to online security and anticipated vulnerabilities based on user's computer uesage and interactions.

• Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
• Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
• Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
• Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
• Law #5: Weak passwords trump strong security.
• Law #6: A computer is only as secure as the administrator is trustworthy.
• Law #7: Encrypted data is only as secure as its decryption key.
• Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
• Law #9: Absolute anonymity isn't practically achievable, online or offline.
• Law #10: Technology is not a panacea.

Additional Information

Based on the Rijndael cipher, Advanced Encryption Standard (AES) was announced by the United States National Institute of Standards and Technology (NIST) in 2001 as US Federal Information Processing Standard Publication (FIPS PUB) 197, and has been validated through FIPS PUB 140-2. It currently serves as a federal government standard (approved by the Secretary of Commerce) and is included in the ISO/IEC 18033-3 standard. It is used by the National Security Agency (NSA) for top secret information. AES currently holds AES winner, CRYPTREC, NESSIE, and NSA certifications.

RSA (named after Ron Rivest, Adi Shamir, and Leonard Adleman) is where a user creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime numbers are kept secret. Messages can be encrypted with the public key, only decrypted with knowledge of the two prime factors. RSA currently holds PKCS#1, ANSI X9.31, and IEEE 1363 certifications.

Transport Layer Security (TLS) is the predecessor to Secure Sockets Layer (SSL) that provides communication security over the Internet through the use of asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

Password-Based Key Derivation Function 2 (PBKDF2) is a key derivation function that is part of RSA Labs' Public-Key Cryptography Standards (PKCS) series, which applies a pseudorandom function to the input password along with a salt value and runs iterations to produce a derived key.

Secure Hash Algorithm 2 (SHA-2) is a set of cryptographic hash functions designed by the US NSA and published by NIST as a US FIPS.