Boxcryptor is software developed by Secomba GmbH that protects files stored with external cloud providers by over-encrypting the files, and even the file names, so that the cloud provider cannot access the data, while still allowing synchronisation across multiple devices. Using Boxcryptor gives customers the peace of mind that their data stays private while stored on a cloud provider’s systems.
In this short post we’ll talk specifically about the work we performed. For a more in-depth overview as well as motivations and benefits from the perspective of the Boxcryptor team, you can read about it on the Boxcryptor blog.
Kudelski Security was hired to perform a security audit of the Windows Boxcryptor application. We focused on the cryptographic functionalities of the code and implementation of security best practices.
- 100000 iterations. Secomba has increased the iteration count for the password hash, PasswordKdfIterations, to 10000 as well, to have equal security properties. However, this iteration count is no longer fixed in the .NET codebase, but delivered by an endpoint on Secomba’s servers. This has also been updated in the documentation in https.
- Boxcryptor provides a user-friendly, additional layer of security for cloud storage by encrypting files locally on your device. Use Azure AD to manage user access, provision user accounts, and enable single sign-on with Boxcryptor. Requires an existing Boxcryptor subscription.
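As an added example (not code from Boxcryptor or the audit report): one way a client can validate an iteration count it receives from a server before using it, so that a malformed or unexpectedly low value is rejected instead of weakening the password hash. The JSON envelope, the bounds and the choice of PBKDF2-HMAC-SHA512 are assumptions; only the PasswordKdfIterations name comes from the text above.

```python
import hashlib
import json

# Assumed policy bounds, constructed for this example (not Boxcryptor's values).
MIN_ITERATIONS = 10_000      # floor compiled into the client
MAX_ITERATIONS = 5_000_000   # ceiling so a bad response cannot stall the client


class KdfPolicyError(ValueError):
    """Raised when server-delivered KDF parameters are unacceptable."""


def parse_iterations(response_body: str) -> int:
    """Extract and validate the iteration count from a JSON response.

    The field name follows the PasswordKdfIterations setting named above;
    the JSON envelope itself is an assumption.
    """
    try:
        value = json.loads(response_body)["PasswordKdfIterations"]
    except (ValueError, KeyError, TypeError) as exc:
        raise KdfPolicyError("missing or malformed KDF parameters") from exc
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(value, int) or isinstance(value, bool):
        raise KdfPolicyError("iteration count must be an integer")
    if not MIN_ITERATIONS <= value <= MAX_ITERATIONS:
        raise KdfPolicyError(f"iteration count {value} outside allowed range")
    return value


def derive_password_hash(password: str, salt: bytes, response_body: str) -> bytes:
    """Derive a 64-byte value with PBKDF2-HMAC-SHA512 (assumed KDF).

    Validation runs first, so an out-of-policy count never reaches the KDF.
    """
    iterations = parse_iterations(response_body)
    return hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations
    )
```
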
We analysed the provided code, which uses standard library functions and standardized methods as often as possible, and we notably covered the following main components, among others:
- Secomba.Common: contains most notably the cryptographic operations
- Secomba.Common.Net45: which is mostly a proxy to the crypto provider
- Boxcryptor.Core: contains actual encryption logic, has high level APIs and does the PKI management
- Boxcryptor.Desktop: contains the file operations, including bulk ones and read/write operations.
We notably looked for:
- General code safety and susceptibility to known vulnerabilities
- Poor coding practices and unsafe behaviour
- Leakage of secrets or other sensitive data through memory mismanagement
- Susceptibility to misuse and system errors
- Error management and logging
- Security levels of the cryptographic primitives and their parameters
- Proper implementation of the documented protocol phases
We reported the following in our public report:
- 1 security issue of medium severity
- 2 security issues of low severity
- 6 observations related to general code safety
Download the full report here:
As a result of our audit, we did not find any critical shortcomings in the reviewed components.
Secomba quickly patched all the problems we identified and let us review their changes in order to confirm their effectiveness. They will also monitor the state of the art in terms of ORAM setups, and are planning to add effective integrity checks in the future.
Notice that we did not find any evidence of malicious intent, flawed logic or potential backdoors in the codebase.
We would like to thank Secomba GmbH for trusting us, for their availability and the pleasant collaboration throughout the audit!
To find out more about our cryptography services, visit kudelskisecurity.com, or for blockchain services, visit kudelski-blockchain.com.
About 10 years ago, Andrea Pfundmeier founded Secomba GmbH with her colleague Robert Freudenreich. The small German company develops Boxcryptor, a cloud-optimized encryption solution for businesses as well as private users.
How did you come up with the idea for the company?
While we were developing an initial idea, we noticed an uneasiness in both of us about the security of the cloud we were using to save our files. We could not be sure that our ideas and concepts stored in the cloud would not fall into the wrong hands.
Without further ado, Robert developed an encryption software for the cloud storage we used, which was quite elementary at the time, but already very secure. After we had shown this encryption to other cloud users and received very good feedback, we realized that this would be an even better idea for our startup. So, we founded Secomba GmbH to further develop our encryption software Boxcryptor. Boxcryptor makes it possible for everyone to use cloud storage services securely.
What challenges do you think startups have to face?
Having started as a startup ourselves and still being a small, agile company, we are aware that compared to established companies, many processes in startups run differently: work processes are often less routine, often founders must improvise. Due to the rather low number of employees, there is usually no designated specialist in the field of IT security. This makes it even more important that someone takes care of the issue right from the start and that important company data is protected from the very beginning.
Why should startups think about encryption to protect sensitive data?
Data security plays just as big a role for startups as it does for larger companies. The topic of data protection is a very important one. Personal data have to be adequately protected. That is why many companies increasingly rely on the use of encryption. Moreover, as a startup, the founders want to protect their ideas, business models, and IP. Encryption is elementary to make sure that the important data of the company is protected right from the beginning.
How can startups use the Boxcryptor software to encrypt their data?
Boxcryptor encrypts your sensitive data on Microsoft Teams, OneDrive, Dropbox, Google Drive, and many other cloud storage providers. The software combines the user-friendliness of the best cloud services with the world’s highest security standards. Encrypt your data directly on your device before syncing it to the cloud. End-to-end encryption with zero-knowledge standard guarantees that only you or people authorized by you can access your data.
We give startups a helping hand
Currently, Secomba GmbH has grown into a successful company with more than 30 employees, and we are happy to be able to celebrate our 10th anniversary in May 2021. As we would like to help other startups in protecting their sensitive data, we have special offers on Boxcryptor for all startups. If you are interested, please contact us at [email protected]