
concerned about Axcrypt requiring email and password


11 replies to this topic

#1 XML2005


Posted 21 June 2016 - 10:05 AM

I have been using an old version of Axcrypt for years and would like to update. But I have been wary of the newer versions of the program because they require an email address and password.

 

1) Will this information expose my Axcrypt passphrases and data to the people at Axantum? Or would my data be just as secure as before? That is, is Axcrypt still safe?

 

2) If it is safe, should I continue using the free version, or is there any added benefit to the paid program? (I already use a password manager that I like.)

 

3) If it is not safe, is AES Crypt a viable alternative? I'd prefer not to switch to Veracrypt, because my (paid) cloud backup provider can't do incremental backups from a hidden volume.

 

BTW, I'm not concerned about the Open Candy, because that's easily removed from the installer.

 

Thank you for your help.

 

 

 




 


#2 Xecrets


Posted 22 June 2016 - 03:08 AM

Hello,

 

This is Svante, Lead Developer at AxCrypt - i.e. the author of both version 1 and version 2. Obviously I'm biased, but I also do know exactly what we do with your information.

 

1a) We require an e-mail address - but so does just about any Internet-based service on the planet. Your e-mail should not be considered a secret, because it's not. There is no way (without the password) to know the e-mail address of the person who encrypted a particular file, or who it is shared with. The main guiding principle behind AxCrypt 1 & 2 is that nothing is assumed to be secret, except your password. Not the source code, not the algorithms. We even assume an attacker has extensive access to both encrypted text and the original plaintext. What we store on the server, which relates to the password, is a small number of files encrypted with your password. The point being - we're already assuming an attacker has access to files encrypted with your password. A leak of stored data from the server does not change that assumption.

 

1b) We do have your password transiently on the server though, when we decrypt the above-mentioned files, and it also travels over the internet encrypted with SSL. That's another assumption - that current standards for Internet encryption such as SSL can be trusted. Yes, we do trust that. Also, mounting a successful attack against a specific server running SSL, even if there are flaws, requires quite extensive resources, typically at the level of a national agency. We are based in Sweden, our source code is written in Sweden, our servers are running in Sweden. We would not be affected by, for example, directives concerning requirements of key disclosures or backdoors made by government agencies in a large English-speaking union of states west of the Atlantic Ocean.

 

2) Is it safe? In the end, that's a judgement call. There is no such thing as proven safe, only proven unsafe. What we try to do is to give full disclosure on what we do and what the assumptions are. We are open source, and with among the longest track records of *any* file encryption software. Personally, I trust AxCrypt. I use it. I might be wrong, but I have a fairly good insight into the tradeoffs made.

 

3) AESCrypt can certainly be an alternative, but it has less functionality than AxCrypt 1.x. Specifically it has no provision for automatic re-encryption, no secure delete. AxCrypt 2 has even more functionality and is much easier to use, and to share encrypted files with others should you wish to. AESCrypt is available on several platforms. We're working on fixing that for AxCrypt.

 

BTW, AxCrypt 2 is entirely devoid of any adware such as OpenCandy. It is an entirely clean download and install. Instead we added features on top of AxCrypt 1 that are available with the AxCrypt premium subscription.

 

Also, some people have made the assumption that because there is a commercial subscription, AxCrypt 2 is no longer open source. It still is. Get the source at https://bitbucket.org/axantum/axcrypt-net .

 

Svante



#3 XML2005


Posted 22 June 2016 - 06:23 PM

Thank you, Svante, for taking the time to respond. I have been using your application for years and enjoying it!

 

I was unclear about whether the password I supply with my email address is the same passphrase I use to encrypt, or just a registration password. And can I do my encrypting/decrypting while offline?

 

Thanks again for a great product.



#4 Xecrets


Posted 23 June 2016 - 02:12 AM

Hello,

 

You'll be using the same password for all AxCrypt-related access, via an app or the web. So, no, it's not 'just a registration password'. We don't want to add to the number of passwords you need, unnecessarily.

 

Yes, daily operations are done offline and do not require Internet. It's only the very first time you run and initialize AxCrypt on a new device (i.e. computer) that Internet is needed. This is in order to validate the subscription status and synchronize the keys held by the server to your local device.

 

The key sharing feature requires Internet access if it's the first time you share with a specific person on the device. This is in order to get the sharing key (public key) from the server for the intended recipient. That key is subsequently cached on the device.



#5 XML2005


Posted 23 June 2016 - 11:39 PM

Thank you, Svante, for this clarification.



#6 XML2005


Posted 28 June 2016 - 10:54 PM

I've been testing Axcrypt 2.1.1399 (I'd still been using Version 1.7.3156.0 on Windows 10!) and am unclear as to how to get back some of the old functionality. Perhaps Svante or someone else can advise me on that.

 

1) Is there a way to have different passphrases or keyfiles for different folders?

 

2) How can I use a private Axcrypt passphrase/keyfile offline? Whenever I close my Internet connection, the application asks me to log in again, which requires me to reopen the connection and to use the same password I'd shared with Axcrypt before. This seems to indicate to me that this password is not private, and that I cannot use multiple passwords.

 

Thank you for your help.



#7 Xecrets


Posted 29 June 2016 - 02:07 AM

Hello,

 

This is Svante from AxCrypt.

 

I'll be happy to respond here, but I'd like to also mention that we have both public forums at http://www.axcrypt.net/, and also we have priority Premium support available when signed in on the web.

 

Anyway...

 

1) No, we do not support the scenario with different passphrases for different files. That's not how it's supposed to be used. Here's why: http://www.axcrypt.net/blog/use-of-different-passwords/ .

 

2) There should be no problem using AxCrypt offline. I personally just now tested the scenario described: Sign in, turn off internet connection. No prompt to sign in. Work as usual. I then triggered a sign out by enabling the screen saver. AxCrypt signed out as it should, and there was no problem signing in again, while still offline. If you can give further details on how you get into a situation where an Internet connection is required (after the initial installation on the device), I'd appreciate it. Our product-specific forums mentioned above might be a better place though.

 

Regards,

 

Svante



#8 Guest_GNULINUX_*


Posted 29 June 2016 - 04:46 AM

Do you have keys and passwords on your servers?


Yes, but encrypted with your password which we do not store. There is no essential change in the security compared to previous versions. You must still use a strong password, and keep it secret.

The only thing that must be secret with AxCrypt is your password. Nothing else, not the software, not the secured files, not the secured account keys or anything else. As long as your password is both strong and secret, your secured files remain secure. Even if our server would be compromised, the permanently stored sensitive data stored there is encrypted with your password, which we do not store.

So essentially... "the AxCrypt server" has access to the ("master") password but we have to trust that "the AxCrypt server" doesn't store it?

 

Greets!  :wink:


Edited by GNULINUX, 29 June 2016 - 04:48 AM.


#9 Xecrets


Posted 29 June 2016 - 05:13 AM

Hello,

 

AxCrypt, or any software where you enter a password, has access to that password and you have to trust that software. In our case, part of that software resides on a server.

 

Yes, we do have temporary access to your password when you sign in. Yes, you have to trust that we don't store it, except as mentioned.

 

The same reasoning essentially applies to any encryption software, with or without online components. It's almost trivial for any encryption software to embed your password in the encrypted file content. In many enterprise level encryption softwares this is a feature called 'key recovery', which can be implemented in many ways. We do not do this, we cannot recover your password if you lose it.

 

We're aware that this might be off-putting to some, depending on what security model you believe in. Many operate under the assumption that "I trust my PC, but not your server", and in this case we're not compatible. However, we believe this to be a largely faulty assumption. You should probably not trust your PC, it's a very exposed piece of equipment in most cases, and the most likely place to find malware and it's also usually not kept behind a good physical perimeter.

 

In the future we might devise an authentication scheme for the server that does not require the actual transmission of the password, such as is normally done. This is however both non-trivial, and not our highest priority. Another option is to provide a mode of operation where no server authentication is required at all, which of course is best liked by some but it causes usability issues that we believe are more important to avoid for the absolute majority of our users.

 

We're very open with exactly what we do and what we have, and don't have and don't do, so you can make a personal decision based on that.
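The trust model discussed in this thread (the server holds only data encrypted under the password and never stores the password, yet a leaked record is still only as strong as the password) and the "authenticate without transmitting the password" idea mentioned as future work can be illustrated with a small hypothetical scheme. This is an added example, not AxCrypt's actual protocol or code: the client derives two separate subkeys from the password, sends only an authenticator to the server, and keeps the encryption key local; names such as `derive_subkeys` and `Server` are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical account scheme (assumption: not AxCrypt's real protocol). The
# client proves knowledge of the password without ever sending it, and the
# key that protects local data is never seen by the server.

PBKDF2_ITERATIONS = 100_000  # deliberately slow; raise for production use


def derive_subkeys(password: str, salt: bytes) -> tuple:
    """Client side only. Returns (auth_key, enc_key) derived from the password.

    auth_key is sent to the server; enc_key stays on the device.
    """
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    auth_key = hmac.new(master, b"auth", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    return auth_key, enc_key


class Server:
    """Stores a salt and a hash of auth_key per account: no password, no enc_key."""

    def __init__(self) -> None:
        self.records = {}

    def salt_for(self, email: str) -> bytes:
        # Salts are not secret (like the e-mail address itself); one per account.
        return self.records.setdefault(email, {"salt": os.urandom(16)})["salt"]

    def register(self, email: str, auth_key: bytes) -> None:
        self.records[email]["auth_hash"] = hashlib.sha256(auth_key).digest()

    def login(self, email: str, auth_key: bytes) -> bool:
        rec = self.records.get(email)
        if rec is None or "auth_hash" not in rec:
            return False
        return hmac.compare_digest(rec["auth_hash"], hashlib.sha256(auth_key).digest())


def client_sign_in(server: Server, email: str, password: str, register: bool = False) -> Optional[bytes]:
    """Returns enc_key for local use on success; the password itself never leaves the client."""
    auth_key, enc_key = derive_subkeys(password, server.salt_for(email))
    if register:
        server.register(email, auth_key)
    return enc_key if server.login(email, auth_key) else None


def leaked_record_checks_guess(record: dict, guess: str) -> bool:
    """What a stolen server record permits: an offline test of one candidate password.
    This is why the password must be strong even though the server never stored it."""
    auth_key, _ = derive_subkeys(guess, record["salt"])
    return hmac.compare_digest(record["auth_hash"], hashlib.sha256(auth_key).digest())
```

A breach of `Server.records` yields only salts and authenticator hashes, so an attacker gains an offline guessing oracle but not the encryption key; the defence is password strength and a slow derivation, exactly as the posts above say.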



#10 XML2005


Posted 29 June 2016 - 09:29 AM

Thank you, GNULinux & Svante.

 

Does anyone know of any problem with continuing to use the unsupported Version 1.7.3156.0 on Windows 10?



#11 Xecrets


Posted 29 June 2016 - 10:02 AM

As far as we're aware, there are no issues on Windows 10 with 1.7.3156 (or later, we might do a maintenance release as we've updated the tooling and such just to keep up to date).

 

Also, it's not unsupported - it's just not actively maintained. It is supported on Windows 10. We just might not update it if required for Windows Next, and if you find a bug we might not fix it but rather suggest you use version 2.

 

If there's a relevant security issue found, we will certainly update version 1.7 as well. The likelihood is small though, since it's been out there for a long time now, and it's been reviewed formally several times, and there have been countless persons peering at the source code for many years.


Edited by Xecrets, 29 June 2016 - 10:05 AM.


#12 Guest_GNULINUX_*


Posted 29 June 2016 - 11:07 AM

Xecrets, thanks for your honest answers!  :thumbup2:

 

Greets!





