timestripe encryption

Our lifetime goals are sensitive information, no kidding.

We take security very seriously and responsibly, and we do everything to make sure all your data is stored in a private cold place. Our servers are well-protected, and since day one we have used encrypted connections so that no third party can peek into your private life. But sometimes you'd like to take it to the next level. Now it is possible.

When you enable encryption in Settings and enter your password, here's what happens next:

You
Browser
Server

You flip the ON/OFF toggle to enable encryption and enter your password in the form.

Nothing has been sent through the web and the server doesn’t know anything yet.

When you type in the password, Browser generates a unique encryption key.

The encryption key is encoded in the key pic: a unique abstract picture consisting of dots and stripes. To generate the key pic, Browser uses your password and a random salt — a sequence of bytes that obscures and protects your password. With a different salt, even the same password will generate different keys.

2.1 Browser generates the key pic using the password and salt

Salt := 32 random bytes
Key := PBKDF2 (Password, Salt)

2.2 You download the key pic to your computer
2.3 Browser stores the key in the local storage on your computer, so that you don’t need to enter the password every time

There is no way to obtain the password from the key, so even if some jerk steals your laptop, he will not be able to learn your password.

And it’s safe to show your key pic publicly, because in order to see your goals you still need to log in with your Facebook or Google account.

Browser sends the salt to Server, so that the key can be re-generated from your password next time you log in.

Server stores in the database only the Salt, but not your password or Key pic, which are never transferred through the network.

The Salt is totally random, so there is no way to learn the password or key from it.

Then Browser generates the verification pair and sends it to the Server, so that it is possible to check whether the password you enter next time is correct.

The verification pair is two sequences of bytes or, as we call them, texts. The first is totally random and the second is just an encrypted version of the first.

4.1 Browser generates the Verification Pair

Text := 32 random bytes
Encrypted Text := ENCRYPT (Text, Key)

4.2 Server saves the pair into the database

There is no way to learn the password or key from this pair.

So if the encryption is on when you add the goal, Browser gets the plain-text goal and encrypts it using the key.

The key may be fetched from the local storage. If you use a different browser or clear the browser cache, the key is generated from the password you enter or from the key pic you select.

5.1 You add the goal
5.2 Browser encrypts the goal using the key

Salt := 32 random bytes
Encrypted Goal := ENCRYPT (Goal, Key, Salt)

To encrypt the goal, a new Goal Salt is generated so that even identical goals produce different encrypted results.

Then Browser sends the Encrypted Goal and the Goal Salt to the Server, which saves them into the database.

Server gets the Encrypted Goal and Goal Salt, but not the plain text.

The Goal Salt is totally random, so there is again no way to learn the goal or the key.

And next time you log in, the Browser first tries to obtain the Key from the local storage on your computer. If that is not possible, it asks the Server to send the key salt.

7.1 Browser receives the Salt from the Server database and now it is ready to generate the key
7.2 To do that the browser asks you for your password or key pic
7.3 You enter your password
7.4 And then the browser can generate the decryption key using the salt in the same formula

Key := PBKDF2 (Password, Salt)


7.5 Or you can provide the key pic to the form
7.6 And the browser will finally have the encryption key
7.7 The browser gets the verification pair from the server and uses it to check if the key is correct.
7.8 Then the browser gets the encrypted goals from the server and, using the key, it can decrypt your goals

Decrypted Goal := DECRYPT (Encrypted Goal, Key, Salt)

At this moment the browser has decrypted goals in the session memory, which will be erased when you close the tab.


As you see, at no moment does the server receive the plain-text goals, and it doesn’t possess the complete information needed to decrypt them. All the sensitive information exists only in your browser until you close the tab.

The information stored on the server is useless without your password or the key. So if you forget the password and lose your key, your data would be totally lost to all humankind. It will be just impossible to recover your goals, sorry, and you will have to reset. So please keep it safe.
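
The flow above, sketched end to end on the WebCrypto API as an added example; it is not Timestripe's own code. The page names only PBKDF2 and a generic ENCRYPT, so AES-256-GCM, SHA-256, the iteration count, the extra textSalt nonce stored with the verification pair and all function names are assumptions.

```javascript
// Added example, not Timestripe's code. Assumed: AES-256-GCM, SHA-256, iteration count.
const ITERATIONS = 600000;
const enc = new TextEncoder(), dec = new TextDecoder();

async function wc() { // WebCrypto in a browser, Node's implementation otherwise
  return globalThis.crypto?.subtle ? globalThis.crypto
    : (await import('node:crypto')).webcrypto;
}
async function randomBytes(n) {
  return (await wc()).getRandomValues(new Uint8Array(n));
}
// Key := PBKDF2(Password, Salt)
async function deriveKey(password, salt) {
  const { subtle } = await wc();
  const pw = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    pw, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}
// ENCRYPT/DECRYPT: the GCM nonce is the first 12 bytes of the 32-byte salt (assumption)
async function crypt(op, bytes, key, salt) {
  const { subtle } = await wc();
  return new Uint8Array(await subtle[op]({ name: 'AES-GCM', iv: salt.subarray(0, 12) }, key, bytes));
}
// Steps 2-4: `server` is everything the Server stores; the key stays in the browser
async function enableEncryption(password) {
  const salt = await randomBytes(32), key = await deriveKey(password, salt);
  const text = await randomBytes(32), textSalt = await randomBytes(32); // textSalt: assumed
  const encText = await crypt('encrypt', text, key, textSalt);
  return { key, server: { salt, text, textSalt, encText } };
}
// Step 5: a fresh Goal Salt makes identical goals encrypt differently
async function addGoal(goal, key) {
  const salt = await randomBytes(32);
  return { salt, data: await crypt('encrypt', enc.encode(goal), key, salt) };
}
// Step 7: re-derive the key, check it against the verification pair, then decrypt
async function login(password, server, goals) {
  const key = await deriveKey(password, server.salt);
  try {
    const t = await crypt('decrypt', server.encText, key, server.textSalt);
    if (t.length !== server.text.length || !t.every((b, i) => b === server.text[i])) return null;
  } catch { return null; } // GCM tag mismatch means a wrong password
  return Promise.all(goals.map(async g => dec.decode(await crypt('decrypt', g.data, key, g.salt))));
}
```

Whoever holds the `server` record can test password guesses offline against the verification pair, so the PBKDF2 iteration count and the strength of the password set the cost of each guess.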

FAQ


Whew, that's a lot!

Yeah, security requires some effort.

You've published your algorithm! Now you will be hacked!

Nope. Security through obscurity is not a choice for a properly protected system. Modern encryption algorithms are designed so that it is impossible to break them even when they are revealed. And peer review helps to make the protection even stronger.

If you find any flaw in our scheme, please contact us at admin@timestripe.com

You say "impossible", but what if some bad-ass just bruteforces my password?

Well, there is no way around it. But the encryption functions we use ensure that it will take many supercomputers and many years to decrypt your information. This is what is called “cryptographic impossibility”.

And this may be dangerous only in case the bad-ass first takes possession of your Facebook or Google Account, or obtains the database from our server, which is highly unlikely as well.

OK. But what if, say, some three-letter organisation asks you to decrypt my goals?

Well, we are unable to help, even if we really wanted to. Sorry.

2015  2016  2017  timestripe

We would be happy to hear from you. Don’t hesitate to send us your thoughts if you have any ideas or comments — info@timestripe.com