Client data is never exposed to DekkoSecure as the service provider when it is shared, delivering true data ownership. Public key infrastructure is used to establish secure collaboration between users, and all content is shared explicitly. This also means that client administrators do not have access to end-user data.
Security summary
- Every user that uploads, shares and access data has an account, and all accounts have a private and public key which are generated during account creation.
- Key generation (ECC-384) happens client-side in the DekkoSecure web application, which is done automatically for every user.
- Private keys are encrypted by the user’s password before they are stored on DekkoSecure cloud infrastructure. User’s passwords are hashed and salted before they are stored on DekkoSecure cloud infrastructure. Public keys are also stored on DekkoSecure cloud infrastructure.
- When a user logs in their encrypted private key is retrieved from DekkoSecure cloud infrastructure and decrypted by the user’s password.
- User’s private keys are used to decrypt content that is shared with them.
- A new key is generated for every file and message sent (AES-256), which is exchanged with recipients using Public Key Infrastructure.
- File and message sharing is signed using the author’s private key, and signature checking is handled automatically during every exchange.
Encryption strength
The encryption algorithms used by DekkoSecure are proven through decades of cyber industry testing, and also deemed appropriate by standards such as NIST and FIPS. AES-256 is the key length for the unique keys that are generated for every file, message, approval and video conference (symmetric encryption).
AES-256 encryption is currently considered to be unbreakable with current technology, as it would take an impractical amount of time and resources to brute-force the key. DekkoSecure also uses Elliptic Curve Cryptography (ECC) for the user-based key exchange which happens during sharing (pubic key infrastructure, asymmetric encryption). TLS1.3 secures all traffic on top of content encryption.
Key generation
The encryption key generation and exchange process that takes place when users register and share/sign/collaborate/conference is completely transparent to users - the DekkoSecure app handles all security events automatically, meaning users can never make a mistake in securing their account or data.
Alternate services that offer encryption with “bring your own key”, enterprise certificates, or file-level passwords are highly error prone, because the security of a sharing process relies on a human (the end user or an administrator). By removing this human reliance, Dekko become even more secure beyond just the encryption itself.
File sharing
Files are encrypted by the DekkoSecure app and then uploaded to the DekkoSecure cloud. The only users that can ever access the data are those given sharing access, meaning DekkoSecure as the service provider can never see what is being shared or discussed between users.
File content and file names are protected by a multi-layered approach; documents are encrypted using the uploader's private key and an additional key that is unique to the file. As well as this, the file is signed using the uploader's private key when it is shared. Elliptic curve cryptography is used for asymmetric key management and AES256 is used for symmetric key management.
Document signing
Approval files are encrypted by the DekkoSecure app and then uploaded to the DekkoSecure cloud. All elements added to signed documents (text, watermarks, signature, etc.) are encrypted too. The only users that can ever access the data (file and markup) are the file owner, approver, and any others given sharing access, meaning DekkoSecure as the service provider can never see what is being shared or discussed between users.
Built on top of DekkoSecure's file sharing capability, the document approval feature lets users request approval from one or many users without the file itself being processed in an unencrypted form by DekkoSecure’s infrastructure. Approvers can add a signature, text, images and notes to documents, all of which are cryptographically secured and verified on-client. Approved documents can be checked externally using DekkoSecure's document validator, which is done by a hash-check which does not expose any content from the Document to the DekkoSecure system.
Messages
End-to-end encryption ensures that the messages sent and received by users cannot be intercepted, read, or tampered with by unauthorised parties, including the messaging service provider itself. This helps to protect sensitive information and conversations from being compromised or leaked.
Similarly to file sharing, mail and chat messages are protected by a multi-layered approach. Message subject, contents and attachments are encrypted using the sender's private key and an additional key that is unique to the message. As well as this, the message is signed using the uploader's private key. Elliptic curve cryptography is used for asymmetric key management and AES256 is used for symmetric key management.
DekkoSecure’s mail inbox is a suitable alternative for email because it functions in the same way, with extra features such as no attachment size limit, read receipts, and revoke.
Video conferences
End-to-end encryption ensures that the video conference cannot be intercepted, monitored, or tampered with by unauthorised parties, including the video conferencing service provider itself. This helps to protect sensitive information and conversations from being compromised or leaked. DekkoSecure also ensures that all participants in a conference are authenticated, so unauthorised access is not possible.
DekkoSecure's meetings feature uses symmetric key encryption, based on a unique key that is generated when a user schedules a video conference. This key is passed to invitees via public key infrastructure, and is persistent until the meeting ends, or, rotated if an invitee is removed. This means that it is impossible for anyone who is not invited to join a meeting. DekkoSecure Meetings is proudly the only video conferencing tool to feature both end-to-end encryption and with recording capability. Recording is performed on the host's device and saved in their file management for later review or sharing.
DekkoSecure encrypted video conferences is the only conferencing solution that supports E2EE in an exclusive web-based platform.
Example security flow
Below is a look in to how the DekkoSecure platform secures a file sharing interaction.
1- Registration
When a DekkoSecure user creates their account, an encryption key pair (public and private key) is generated on the client (the web app). The public key and a secured version of private key (encrypted using the user's password) are stored on DekkoSecure's sovereign cloud.
2 - Authentication
DekkoSecure users are identified uniquely by their registered email address. Successful authentication requires a registered email, the correct password and (optionally) two-factor authentication. A correct password will retrieve and decrypt the user's private key which is kept in the user's browser storage until they log out.
3 - File upload
4 - File storage
Files uploaded to DekkoSecure are signed and encrypted using the uploader's private key (AES-256). An additional encryption layer is also added using a unique key that is generated at the time of upload (ECC-384). TLS1.3 secures all traffic on top of file encryption.
Files are stored with zero knowledge, meaning there is no way DekkoSecure can access the user's files. This is made possible be the fact that we do not have access to the private key(s) which are used to encrypt them. Even if we walked in to our cloud data centre and took a hard drive out, we still couldn't read a user's files!
5 - File sharing
6 - File receipt
Files shared with existing DekkoSecure users are secured using end-to-end encryption by way of an asymmetric key exchange. File sharing with existing users is enforced by default, but customers are able to disable this policy. If files are shared with an unregistered address, the file key is stored securely and then passed to the user when they complete registration - after this point, all future interactions are end-to-end encrypted.
File sharing recipients are notified via email and must log in to their DekkoSecure account to view or download anything that is shared with them. The recipient's private key is used to access file and the sender's public key is used to verify the file's integrity.
7 - File deletion
When data (or accounts) are deleted, the keys for all data subject to deletion are erased. Following this, the encrypted data is overwritten with garbage data which is then deleted again.