30

There is a service called ProtonMail.

It encrypts email on the client side, stores encrypted message on their servers, and then the recipient decrypts it, also on the client side and the system "doesn't store keys".

My question is this: How does the decryption work?

I'm a bit confused. Do I have to send my decryption key to each recipient before he can read my messages?

techraf
  • 9,141
  • 11
  • 44
  • 62
Protty
  • 301
  • 1
  • 3
  • 3

6 Answers6

53

I am Jason, one of the ProtonMail developers.

Decryption uses a combination of asymmetric (RSA) and symmetric (AES) encryption.

For PM to PM emails, we use an implementation of PGP where we handle the key exchange. So we have all the public keys. As for the private keys, when you create an account, it is generated on your browser, then encrypted with your mailbox password (which we do not have access to). Then the encrypted private key is pushed to the server so we can push it back to you whenever you login. So do we store your private key, yes, but since it is the encrypted private key, we don't actually have access to your key.

For PM to Outside emails, encryption is optional. If you select to encrypt, we use symmetric encryption with a password that you set for that message. This password can be ANYTHING. It should NOT be your Mailbox password. You need to somehow communicate this password to the recipient.

We have a couple other tricks as well for getting around the horrible performance of RSA.

We will eventually write a whitepaper with full details that anybody can understand. But something like that is a week long project in itself. I apologize in advance if my answer only makes sense to crypto people.

Jason S.
  • 556
  • 3
  • 4
  • 2
    It would be a good idea to make it clear on your website that PM to PM emails and PM to Other emails use different cryptography. As it stands, it looks like both systems use the same encryption/decryption key but this answer suggests that PM to PM uses public key/private key. – Ladadadada May 23 '14 at 07:54
  • 4
    I think this is a pretty clever solution, but I do have my concerns. Even though you store the encrypted private key, you control the client form field where the password is entered. This might provide security against DB dumps, but doesn't do anything to stop rogue employees or agencies from accessing the private key. – David Houde Aug 08 '14 at 21:31
  • ProtonMail uses front end encryption so it's possible to verify it is not sending the key back in readable format. – user788171 Mar 05 '15 at 22:52
  • What this means though is that users are locked into the Protomail service, since you can't import PGP keys - you get convenient encrypted emailing for PM to PM, and cumbersome encrypted emailing with a passphrase for PM to anybody else, even if they'd have PGP in use, no? https://protonmail.com/support/knowledge-base/sending-a-message-using-pgppgp/ – kontur Mar 24 '16 at 13:02
  • Also, when using PM custom domain to PM custom domain, it's not clear to either sender or receiver that this message will in fact be encrypted. – kontur Mar 24 '16 at 13:03
  • is that whitepaper out yet? – Matthew Peters Aug 31 '16 at 12:48
  • Since your answer doesn't mention receiving emails from non-ProtonMail users, I assume this is completely impossible and I must use another service to receive those emails at all. Am I correct? – Brian Moths Jan 23 '17 at 16:19
12

I have substantially altered this answer after the answer from Jason and an email conversation. The original is still available in the edit history.

There are two different cases here: ProtonMail-to-ProtonMail and ProtonMail-to-Other mails.

For PM-to-PM emails, the system is in a position to handle public-key/private-key distribution. Since they wrote the code that generates the private keys and sends the public keys to the server and they know the recipient of the email before encrypting, they can encrypt with the recipient's public key and the recipient can decrypt with their private key. This can be transparent to the users of the system. They don't mention signing emails with your private key but this should also be equally possible and transparent.

PM-to-Other emails do not use asymmetric encryption. When creating an email to a recipient who is not using ProtonMail, you generate a new password that is used to derive a symmetric key that is used to encrypt the message. You then must convey this password to your recipient using different using a different, independently secure method. Emailing your recipient the decryption key and then the encrypted email is the same as not using encryption if your threat model includes an attacker that can intercept your email. (If your threat model doesn't include this ability, why do you even need encrypted mail?)

The mail your recipient actually receives in their mail client is not encrypted and is not your original message. It is simply a link to the ProtonMail website where they can use the password you already communicated to them to decrypt your message.

In both cases, the claim is that the encryption and decryption is done using Javascript in your browser and the centralised servers only ever see encrypted data.

If you have an independent, secure method of communication for the decryption password, why not just use that instead of ProtonMail?

One reason might be that your independent method is not as convenient. It might be visiting the recipient in person or phoning them up. Another potential reason is for advertising or promotional purposes. If you like ProtonMail and would like your contacts to use it, emailing them from ProtonMail would promote that.

But if you have a method you consider secure and convenient (OTR, Cryptocat, Skype, whatever you trust) then why not just use that?

I am cautious by nature and have reservations about this service, at least until it has had its trial by fire.

  1. There is no way of revoking or changing a mailbox password. If your mailbox password ever does leak, your only recourse is to close your account an create a new one. Presumably, this will be much like getting a new email address is now, meaning lots of email will be delivered to your old address after you have closed it and nobody will know your new address. I expect you would also lose access all of your old email. There's no cryptographic reason why your recipients would lose access to the email you have sent them but the system may delete all email when the sender is deleted since it's all stored on their servers.
  2. For non-ProtonMail users who receive lots of encrypted email from ProtonMail users, they will have to store the decryption password for every email somewhere and a mapping between them. Every individual email will require looking up and typing in a new password. I would assert this is not usable.
  3. Making claims is easy. Ladar Levison said that Lavabit stored no keys so he could not be compelled to disclose them. This turned out to be false. The design of ProtonMail looks significantly better but claims of "Even we can't read your mail" are still suspect until proven.
  4. They omit important details from their FAQ/instructions. For instance, when claiming to be able to delete emails at a certain time, they don't mention that a user can copy that email into another program before it is deleted and the copy won't be deleted. They also omit the detail that you must find your own secure method of distributing the decryption password for PM-to-Other emails.
  5. The expiry time feature references SnapChat which infamously doesn't actually delete the images but rather just stops listing them within the app.
  6. Some smart people also have reservations about it.
  7. The only metadata mentioned are IP addresses and access times. Metadata such as To: and From: addresses must be stored on their servers in an accessible format (i.e. plain text or with encryption keys available) to enable the email to be delivered to the right person. IP addresses and access times can obviously still be captured and stored by attackers.
  8. The system cannot be used if you are offline. No catching up on your email during a flight or on the Underground. You don't have a copy of your email if the service shuts down.
  9. Your private key is stored on the ProtonMail servers, encrypted with AES256 using your mailbox password. This is likely so that you can use ProtonMail on a different computer and they can just push your private key to that computer for you to decrypt with your mailbox password. This is a compromise of security for usability/convenience. It's also in contradiction to the security page on the website which says that they are not sent to the server.
  10. Jason's answer mentions "tricks" for improving the performance of RSA. Seemingly benign changes have been made before to crypto code that have completely compromised its security.

It's definitely not NSA-proof but all the buzz about it uses that exact phrase to claim it is. Their own blog post on threat models says that it's not NSA-proof.

It may be useful for you, but not if you're trying to organise a revolution.

Ladadadada
  • 5,163
  • 1
  • 24
  • 41
  • Nice answer. Just saw this on TED Talk. I don't see anything new here over Hushmail which has been doing this since 2007: http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy – jammykam Mar 07 '15 at 20:22
  • 1
    Regarding issue #1: with ProtonMail Beta Version >= 1.07, your Mailbox Password can be changed by you if you know the old one. – Razvan Socol May 14 '15 at 05:44
  • A perfectly legitimate trick for improving RSA performance is allowing use of Diffie-Helman. I imagined that this was the trick he was speaking about but just didn't want to write a book on a stackoverflow page. Am I mistaken? – user14717 Jul 30 '15 at 02:20
2

"ProtonMail's segregated authentication and decryption system means logging into a ProtonMail account that requires two passwords. The first password is used to authenticate the user and retrieve the correct account. After that, encrypted data is sent to the user. The second password is a decryption password which is never sent to us. [The second password is] used to decrypt the user’s data in the browser so we never have access to the decrypted data, or the decryption password. For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data."

As a commentary to this, I would say that this would still be vulnerable to a NSA-vs-Lavabit style SSL key compromise. If you can get their SSL key, you an impersonate ProtonMail and use javascript to steal both the first and second pasword of all users. This can break the entire encryption protocol.

So this way it won't be the "The Only Email System The NSA Can't Access": http://www.forbes.com/sites/hollieslade/2014/05/19/the-only-email-system-the-nsa-cant-access/

Jasyth
  • 21
  • 1
0

Under the "Security" tab of their page they state:

We support sending encrypted communication to non-ProtonMail users via symmetric encryption. When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them.

Looks like you have to share the decryption passphrase with the receiver first.

JSmyth
  • 258
  • 2
  • 9
0

ProtonMail's segregated authentication and decryption system means logging into a ProtonMail account that requires two passwords. The first password is used to authenticate the user and retrieve the correct account. After that, encrypted data is sent to the user. The second password is a decryption password which is never sent to us. It is used to decrypt the user’s data in the browser so we never have access to the decrypted data, or the decryption password. For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data.

Source

So it appears that a password is used to authenticate you, and a second password (which is the decryption key) is used to recover your data and display it in your browser (through HTTPS). Your second password/decryption key isn't stored in their servers, and all decryption is done locally in your system. They can't decrypt what they don't have keys to. That doesn't mean a keylogger on your system can't get the info necessary to decrypt your data, though.

As for sending secure email to non-Proton users:

Even your communication with non-ProtonMail users is secure.

We support sending encrypted communication to non-ProtonMail users via symmetric encryption. When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email.

As a personal opinion, it does look very secure. If their servers were ever seized, it appears that they wouldn't be able to do anything to unlock the data. The weakest link is the end-users, the passwords they use, and whether their passwords get compromised or not (though it looks like even if ProtonMail's password database for the first password was hacked, all the attackers would have is encrypted data, as no database is used to store the second password).

technica.scholaris
  • 86
  • 4
0

i'm guessing they use PGP key, with one public key and one private key. They store your public key, and your private key encrypted using your password (you have to trust them to store only the encrypted private key). They have your public key, so they can encrypt any incoming mail. If you want to read your mail, once you are identified, they send you (this is transparent) the private key encrypted using your password that is decripted with your password, and you can then use this private key to decipher your emails. If this is it, seems pretty good to me.

nightrow
  • 9
  • 1