| Jonny | 5 | 07-18-2002 03:04 AM ET (US) |

What CryptoHeaven does provide and where PGP lacks is in usability. Yes, you do have advanced users using PGP, but that's about it. Setting up PGP is very difficult, integration is not perfect. Generally, there are a LOT of usability problems with PGP.
In my opinion, CryptoHeaven is very, very usable to a computer novice who wishes to use encryption. I see many of my friends using CryptoHeaven now.... and I could never get them to use PGP.

| nirv | 4 | 05-29-2002 01:00 AM ET (US) |

Good Points:
Excellent privacy, encryption and security. 256-bit encryption for all messages. CryptoHeaven offers several different functionalities, such as instant chat, file sharing and of course email. From what I'm aware this is not offered by any other service. What's interesting is that you can upload your files and share a folder with someone else (entrusted person). This is probably the best feature, it makes it easy to work in groups.
Bad Points:
Software is more than just instant messaging, so the download is relatively large. But it can be as small as 1.8 MB, depending on the OS.

| mark | 3 | 03-21-2002 03:47 PM ET (US) |

Looking at the CryptoHeaven source code (downloadable at the CH web site) I can confirm that all of the messages and files stored on the server are in an encrypted form.
Basically the administrators of the system have no way of knowing what is being stored on the servers because all root keys in the encryption chains end up on customers' PCs (always encrypted) or stored encrypted with customers' own passphrases which never leave their computers, nor are stored anywhere. As far as I can tell, this is a major difference between CryptoHeaven and most other online storage providers which only make the connectivity SSL secure, but not the data residing on the servers to which sys admins have access.
The system looks to be one of a few which really delivers the level of security it claims leaving little unsaid. Although it seems possible to privately implement additional algorithms like ECC and use it to communicate with your buddies (because the code is freely available), the copyright forbids it, and there are good reasons for that too. What I would like to see is integration with PGP so that we can start sending and receiving secure mail with an already established PGP user base.
I have read somewhere that symmetric key length and hash length used are not equivalent in their cryptographic strength. This claim is irrelevant as the hash seems to be used "for display purpose only" and not in the security protocols. I have yet to see a non-encrypted hash of anything on the system, so this looks good too.
Interesting is that they cannot reset your password in case you lose it. My explanation for this is because your private key (if stored on the server) is encrypted with the hash of your password, so you must have your original password to be able to decrypt your private key. If they were to reset it, your private key would have to be re-crypted with the hash of your new password, but to do that you still need the old password to decrypt it in the first place. Clever.
Passwords are often the weakest links in security and to rectify that, YOU CAN STORE YOUR PRIVATE KEY LOCALLY (always encrypted). This is something that is not possible with systems like Hushmail and many others.
Perhaps the ability to sign others' keys and revoke signatures would create additional web of trust, but, oh well, you can't have everything.
The functionality is great; someone wrote they are putting 'all the eggs in one basket', however it may be an attempt to do just that, there is still a long way to go. Nevertheless, it is a very usable and user-friendly product which is much more than just online storage!
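
The password-reset point in the post above, as an added example (not CryptoHeaven's code and not part of the post): a private key wrapped under a password-derived key can only be re-wrapped by someone who knows the old password. Assumptions: PBKDF2 stands in for the "hash of your password", an HMAC-SHA256 keystream stands in for the real cipher so the block runs on the standard library alone, and all function names and sample values are constructed.

```python
import hashlib, hmac, os

def _keys(password: str, salt: bytes):
    # Stretch the password, then split into an encryption key and a MAC key.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative stand-in cipher: HMAC-SHA256 in counter mode (assumption,
    # a deployed system would use a vetted cipher such as AES).
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(private_key: bytes, password: str) -> bytes:
    # Runs on the client; only the returned blob is ever stored server-side.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, private_key)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unwrap(blob: bytes, password: str) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted blob")
    return _xor_stream(enc_key, nonce, ct)

def change_password(blob: bytes, old: str, new: str) -> bytes:
    # Re-wrapping needs the plaintext key, so the old password is mandatory.
    return wrap(unwrap(blob, old), new)

if __name__ == "__main__":
    key = b"constructed private key material"      # sample value, not a real key
    blob = wrap(key, "old passphrase")
    print("key visible in stored blob:", key in blob)
    blob = change_password(blob, "old passphrase", "new passphrase")
    print("unwrapped after change:", unwrap(blob, "new passphrase") == key)
    try:
        unwrap(blob, "operator-chosen reset")       # what a server-side reset amounts to
    except ValueError as exc:
        print("reset without the password fails:", exc)
```
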

| brucee | 2 | 12-29-2001 11:32 PM ET (US) |

I'd be interested in seeing a critical review and/or a comparison with PGP. The truly paranoid amongst us have been using absurdly long asymmetric keys for a while now.
>> 2048 to 4096 bit Asymmetric and 256 bit Symmetric Key Encryption
The hassle with symmetric keys is that since they must be known by both (or all) parties in the exchange, the opportunity for compromise is larger. AES (Rijndael) is well designed and has been heavily scrutinized. It's also significantly quicker than DES. The hassle with (large) asymmetric keys is that they take a long, long time to generate and break a lot of things. I generated some 8192 bit X509 certificates to test some in-house crypto interfaces but they blow away almost everything in town (Netscape's crypto library crashes, IE's hangs ...) except of course for the test subject!

| Weron Jonny | 1 | 12-05-2001 05:22 PM ET (US) |

Edited by author 12-05-2001 05:26 PM
Software description reads: Secure Email and Secure Online File Sharing and Storage. Intended for individuals in need of high security working in groups. It is the only secure online system integrating multi-user based security into email, instant messaging, file sharing and online file storage in one unique package. Provides real time communication for text and data transfers in a multi user secure environment. Premium accounts available. Try it for free and invite your friends to try it too. For more details visit: http://www.cryptoheaven.com

Relevant news: December 4, 2001 7:23 PM (ET)

The U.S. government has approved new 256-bit Encryption Standard

The U.S. government has standardized an AES (Advanced Encryption Standard) algorithm after four years of testing. The original encryption formula is developed by two Belgian scientists, Joan Daemen and Vincent Rijmen. Will the new standard pass the test of time? By comparison to the old standard, where government used triple DES with an effective symmetric strength of 112 bits, we are far ahead now. The 256 bit key space allows for over 1 followed by 77 zeros combinations. Several companies are already offering AES crypto toolkits and new products are emerging. For example a toolkit from Cryptix includes the new AES for some time now. Also, CryptoHeaven is already offering a data exchange platform with AES 256 bit security. Watch for more exciting new products as they are doomed to come to the computer near you! Read more on this at Yahoo or Reuters.