After our last blog post many of you asked for more details about the Cubby Locks feature. It’s challenging to explain Cubby Locks in a way that’s technically accurate yet still easy to consume. However, since Cubby Locks is a unique and powerful feature that helps set Cubby apart from similar services, we encourage you to take the time to understand what Cubby Locks is and what it isn’t.
The first key idea is to understand that data on the cloud in a locked cubby is encrypted and can only be decrypted by your Cubby password. With most similar services, a password is used to simply keep you in or out. That is, a password is used to determine if you have the right to access the service and your data. With most other services, your data on the cloud is not encrypted or encrypted with a key which is stored somewhere along the data. This means it can be exposed to a rogue employee of the storage service provider, or anyone who manages to bypass the password-protection layer or gain access due to an error in the application.
Cubby Locks utilizes some heavy-duty math to keep your data protected. Even a rogue employee or someone who manages to bypass password-protection would find your data useless without your exact password. And just to clarify a very important point: “Data” throughout this post refers to files at rest in the cloud. Cubby Locks does not provide data encryption on your devices; it’s up to you to secure those. And to get another item out of the way: Data in flight (that is, being transferred between your devices and the cloud) is always transmitted over SSL/TLS with all cubbies, regardless of Cubby Locks.
First let’s look at how a standard cubby works – one that does not take advantage of Cubby Locks. In our data centers all files in all cubbies are stored in encrypted form using the AES-256 symmetric encryption algorithm. The key used for this is the Cubby Data Key (CDK) and is randomly generated for each new cubby. CDKs are stored in our database alongside with other properties of the cubby. When you log in to cubby.com, the web application fetches the CDK from the database and uses it for encrypting and decrypting your data when you upload or download files from your cubby. Like with most other services, your password gets you in to the web site but is not adding any extra encryption.
During your first login to Cubby a series of events happen. First we generate a symmetric key called the User Symmetric Key (USK). We encrypt the USK with your password and store it in an encrypted form (AES-256) in our database. Second, we generate a 4096-bit RSA key pair called the User RSA Key (URK). We encrypt the private part of the URK with the USK and store it. The public part of the URK is, as its name implies, stored in plain text. Both USK and URK are specific to and generated for the user account. If you are not familiar with asymmetric encryption, here’s the shortest possible introduction to asymmetric crypto: Anything encrypted with the public key can only be decrypted with the private key and vice versa.
Still with us? Now, let’s take a closer look at Cubby Locks. When you lock a cubby we encrypt the CDK with the public part of the URK, store it in this form and delete the plaintext CDK from the database. Remember that this CDK can only be decrypted with the private part of the URK. That’s all. Simple, right? Here is the chain of encryption at this point:
- Your password –> USK –> URK –> CDK –> access Cubby data.
The items on the left side of any arrow are the key for the encryption, while the items on the right side of any arrow is data to be encrypted. So the arrow means “right side is encrypted with left side.”
What does this all mean? Every item in this chain is stored only in encrypted format in our database except for the password, which is not stored at all by us. In order to do anything with data one needs to unlock this chain, and that can’t be done without your password. That’s why we prompt you for your password so often, and this is why no one, not even a LogMeIn employee or a hacker, can read your data without knowledge of your password.
Finally, let’s discuss the so-called Recovery Key (RK). In practical terms, you use the Recovery Key when you forget your password and must reset it to something new. As discussed above, there is no way to access cloud data in a locked cubby without your password. Without the Recovery Key, the situation would be this: “Forget your password – lose your data on the cloud.” That is, if you were to forget your password and reset it through the standard “email me a password reset link” mechanism, your locked cubbies would be deleted from the cloud and you would be forced to re-synchronize all your data. To users a chance of avoiding this, we generated a Recovery Key for your account when you access a locked cubby for the very first time; the Recovery Key is a cryptographically random 32-character alphanumeric string. We then encrypt the USK with this Recovery Key using AES-256. (Remember, cubby.com at this point has your plaintext USK since you have just provided your password). So now we have two copies of the USK in the database, one encrypted with your password and the other encrypted with the Recovery Key. When you go through the forget password process and enter your Recovery Key, we use it to decrypt the USK, which is then re-encrypted with your newly created password. This way you can keep your data synchronized with the cloud even if it was in a locked cubby. There is only one Recovery Key per user, so we strongly encourage you to print it and keep it safe. The Recovery Key is stored in the database encrypted with the URK, so it’s only available for you to view online after you enter your password.
- Recovery Key –> USK –> URK –> CDK –> access Cubby data.
- Your password –> USK –> URK –> Encrypted Recovery Key –> Recovery Key.
We should also clarify that there is a case when a Recovery Key will be generated for you even if you don’t lock a cubby yourself. Namely, a Recovery Key will be generated for you when you are invited to a locked cubby or are the member of a cubby that gets locked by its owner.
In many cases there is a balance between security and ease of use. The more secure you want to keep your data the more complex the process gets. With Cubby Locks you get a solution that’s among the strongest security measures on the market, yet still provides a smooth user experience and ease-of-access to your data.
Thanks for sticking through this. We hope we managed to meet the challenge of making Cubby Locks clear. We’ll be glad to clarify if you have any questions. Don’t hesitate let us know what you think or what you find unclear.
— Sandor Palfy
Fellow, Development & Security