If they (proton) have the keys, doesn’t matter if they encrypted your data. They must have the keys because I can log into mail from different clients and read all emails without having to insert my key.
Proton stores your encrypted private key. An encrypted private key does not allow them to read your email or files.
When you log into a new device:
Proton sends the encrypted private key to your device.
You type your password.
**Your device** (not Proton’s server) uses the password to decrypt the private key locally in your browser or app memory.
That decrypted key is then used to decrypt your emails on your device. Proton mail sends you just the encrypted text.
There is one potential security issue:
Since Proton serves the website code (HTML/JavaScript) that performs the encryption, you have to trust that they serve you honest code. Proton could theoretically alter their website code to capture your password the next time you log in, which theoretically a government can force them to do.
However, this is a different threat than “they have the keys.” Currently, they possess the keys only in a form they mathematically cannot unlock.
If the key is the same password you use to login, then they already have the key. They may not store it unhashed, but you transmit it to them every time you login. If law enforcement forces Proton, or if Proton turns evil (or gets infiltrated by a three-letter agency), they can use it from the auth to decrypt your key and your data.
Plus, a bad actor having access to the encrypted key is free to brute force it. It may be hard but not guaranteed to stay hard forever.
Edit: didn’t realize I was in a Proton fanboy community where you can’t criticize or ponder the service security…
You don’t send them the password. The password never leaves your device. The password is the decryption key to decrypt your encrypted private key, which is what they send to your device. This is why, for Proton Mail, and others that use this technique, it is imperative to have a strong password to protect your private key.
How do they authenticate you? They just send the encrypted key and if you can decrypt it then it’s you?
If so, I can request any account’s encrypted key and try to brute force it offline.
If so, I can request any account’s encrypted key and try to brute force it offline.
This is likely wrong: any password would allow you to produce a valid key from an encrypted key; it will not be the correct key, so you will fail during decryption, but it will take a lot of time to check and may not be easy to automate.
Regarding the auth, they may provide you with a challenge that is encrypted with your public key, and if you have decrypted it correctly, authenticate you, but I don’t know how it’s done or should be done.
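As an added illustration of the split described a few replies up (the password never leaves the device; it only unlocks the stored private key) and a sketch of how a server can still authenticate you, the following is example code written here, not Proton’s: one password goes through a slow KDF, half the output is an auth secret the server stores only a hash of, and the other half (the key-encryption key) unseals the private key on the client. The function names, the scrypt parameters and the sealed-blob format are assumptions; the encryption is a standard-library stand-in for a real AEAD, and a real deployment would use a PAKE such as SRP so that not even the derived auth secret crosses the wire.

```python
import hashlib
import hmac
import os

# Added example, not Proton's code. One password feeds a memory-hard KDF (scrypt,
# chosen because it resists GPU guessing) whose 64-byte output is split in two:
# auth_key may be shown to the server, kek (key-encryption key) never leaves the client.
SCRYPT = dict(n=2**14, r=8, p=1)          # cost parameters, assumed for the demo

def derive_keys(password: str, salt: bytes):
    km = hashlib.scrypt(password.encode(), salt=salt, dklen=64, **SCRYPT)
    return km[:32], km[32:]               # (auth_key, kek)

def _subkey(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

# Stand-in for a real AEAD (e.g. AES-GCM): HMAC-SHA256 keystream in counter mode
# plus an HMAC tag, so the block runs with the standard library only.
def seal(kek: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(_subkey(kek, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(kek: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None                       # wrong password: tag check fails, nothing decrypts
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(kek, b"enc"), nonce, len(ct))))

# Everything the server keeps per user: salt, a hash of auth_key, the sealed private key.
SERVER = {}

def enroll(user: str, password: str, private_key: bytes) -> None:
    salt = os.urandom(16)
    auth_key, kek = derive_keys(password, salt)
    SERVER[user] = (salt, hashlib.sha256(auth_key).digest(), seal(kek, private_key))

def login(user: str, password: str):
    salt, verifier, blob = SERVER[user]   # salt is public; the server hands it out first
    auth_key, kek = derive_keys(password, salt)
    if not hmac.compare_digest(verifier, hashlib.sha256(auth_key).digest()):
        return None                       # server rejects: auth_key does not match
    return unseal(kek, blob)              # decryption happens on the client, with kek
```

Because a wrong password fails the tag check cleanly, whoever holds the sealed blob can test guesses offline at one scrypt evaluation per guess, so the KDF cost and the password’s strength are all that stand between that blob and the key.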
it will not be a correct key, so you will fail during decryption, but it will take a lot of time to check and may not be easy to automate.
If you have any way to check the key validity offline (for example, you subpoena the encrypted data) then it’s trivial to check and automate.
Of course not everybody is capable of this, but it’s becoming less and less difficult to brute force it, and renting a few hours of GPU time to do it is within the means of small bad actors.
If you have any way to check the key validity offline (for example, you subpoena the encrypted data) then it’s trivial to check and automate.
Trivial to automate, yes. The rest is a question of how long it takes to compute; those are the basic rules of cryptography:
good algorithms are computationally more expensive to solve in one direction than the other
the hardware of tomorrow will more easily solve the cryptography of today, making it important to rotate your bits into new algorithms as old ones become more solvable
big business and big government have more power to throw at the problem, but not infinitely so; where will you fall on their wait list?
Lack of physical access to your files protects you against casual inquiries by businesses and local governments. If you’re a person of interest, they are breaking down your door and getting your bits unless they self-destruct or are in a country they can’t bully.
In summary:
Don’t be a person of interest if you can avoid it.
If you live somewhere that hurting a politician’s feelings (or having the wrong demographic) will make you a person of interest, assume they will get physical access to your bits unless those bits are in an unfriendly country. What country do you want them in?
Assume they will get their hands on your bits anyway. How easy are they to decrypt, and will the juice be worth the squeeze?
Still, the idea is that Proton has everything they need to access your data (your encrypted bits, your encrypted key, and your password you send them every time you login). You have no guarantee that they don’t have something (intentionally or not) that can catch this and extract data about you.
You also (and more importantly) have no guarantee that the Swiss government can’t or won’t force them to implement such systems, and hand over your data.
They already lied about not storing your IP until a judge ordered Proton to produce it for a French national. They have since redacted their privacy policy to say they may store such data about you if requested. They can do the same to get your key.
No matter how, if they possess the keys, it’s not your crypto, not secure.
Renting a few hours of GPU may not cut it, depending on how long the key is, but you’re right, getting some data offline would help in breaking the encryption.
It may not cut it now, but we can’t guarantee it will stay the same within a few years (either faster compute, or other techniques that speed up the brute force).
Yeah, that’s a bit of a weird thing to claim by them.