oneSafe_EncryptionDigital security needs to take into account two factors: the technical factor and the human factor.

The technical factor is all about protecting your information using encryption; encryption of your stored data and encryption of your entry password. Any app that is serious about security must use the latest encryption techniques and the highest possible encryption standards.

The human factor is about designing an app that remains secure throughout its everyday use. For example, it’s no use having the toughest safe ever built if you accidentally leave the door open! You want a safe with a door that springs closed if you leave it open.

At oneSafe, we’re always thinking about both technical and human security factors. That’s why oneSafe not only incorporates the latest and most watertight encryption algorithms but also comes with a range of additional features, to help you maintain your desired level of security while using the app.


1. oneSafe uses the strongest encryption there is

All the data you store in oneSafe is encrypted locally on your iDevice using the strongest encryption algorithm available: AES 256, “Advanced Encryption Standard – 256 bits.”

About AES encryption, the US government states:

“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.” CNSS Policy N.15

Feel free to have a look at the Wikipedia page for more details about this algorithm.

What does 256 bits mean?

256 bits means that the encryption key, converted into a number, would be something like as big as a billion, billion times the number of atoms in the universe! (Estimated to be between 1078 and 1082)
In other words, trying to hack the data using a brute force attack (i.e. testing all possible combinations) would be the same as:

  • Taking our whole universe, then putting a billion other universes of the same size beside it.
  • Then putting a billion of these billion-universes side by side.
  • Then trying each atom in this huge stack of universes one by one until you find the right one!

Even with the most sophisticated computer it would take billions of times the age of the universe!

Security in iCloud

During the synchronization process via iCloud, we also take extreme care of your data, sending only encrypted data to the cloud. For this reason, when you receive data created with one device on another device, you need to enter your first device’s oneSafe password to unlock the data.


2. oneSafe makes your entry password unhackable

Security PBKDF2The key to unlocking your app is a combination of:

• A random 256-bit string of characters generated when you first use oneSafe; and

• Your password – and we never, ever store your password anywhere. It’s only in your head. And it should remain only there. Please don’t write it down on a piece of paper!

If either one of these is missing, it is impossible to decode your data. This means that not even the lead developer of oneSafe could access your data, even if you lent him your device!

To authenticate your main entry password oneSafe uses a standard known as PBKDF2.

The way this works is that your password itself is never stored anywhere. Instead, oneSafe stores the output of a VERY complex calculation. This calculation uses what security experts call “salt” to spice this output and give it a unique “oneSafe” flavor. And it is repeated thousands of times. This to guarantee that:

• A hacker wouldn’t be able to use precomputed hash tables (known as Rainbow tables) to break in to your app; and

• A brute-force attack (trying a whole series of combinations) wouldn’t be possible as the thousands of iterations required for each attempt makes this a slow and unworkable process, even for the most powerful computers.

In other words, only you know your passcode.  It’s not stored anywhere outside your brain!


3. oneSafe makes it easy to manage your level of security

At oneSafe, we dedicate a large part of our R&D effort to providing features that will help you to manage the level of security you wish to maintain.  For example, oneSafe comes with:

• double protection categories to create “a safe within a safe”. You can choose the level of password strength for each category depending on how securely you want to protect the stored information.

• an auto-lock feature, customizable to lock your safe after a specified period of inactivity.

• a password generator to assist you in choosing strong, random passwords.

• a password change reminder to remind you to change your password frequently.

• a self-destruct option in case your device accidentally ends up in malicious hands. This feature will wipe out all your data after three unsuccessful attempts to log in to oneSafe.

• a decoy safe in case you have to open your safe in front of other people. You can show them information stored in your decoy safe, while keeping your real information safely locked away inside your real safe.

• a way to monitor break-in attempts by automatically taking a photo of anyone who tries to break into your safe using an incorrect password.


4. Certification and development process

Certifications

Bureau of Industry and SecurityoneSafe has been granted an “Encryption Registration Number” by the Bureau of Industry and Security of the US Department of Commerce.
We are currently working towards achieving compliance with FIPS-140-1 and FIPS-140-2 (Federal Information Processing Standards), a U.S. government computer security standard used to accredit cryptographic modules.