
Encryption method



  • Level 5

Evernote does not divulge their road map for major upgrades.

Here is the most recent answer from the Evernote Knowledgebase. (Date Created: 8/31/2011)

If you encrypt text within a note, we derive a 64-bit RC2 key from your passphrase and use this to encrypt the text. This is the longest symmetric key length permitted by US Export restrictions without going through a complex process to gain export approval.

We do not receive any copy of the key or your passphrase, or any escrow mechanism to recover your encrypted data. I.e., if you forget your passphrase, we can't recover your data.

User authentication (i.e. username + password) is always performed over SSL when you communicate with Evernote. This uses 1024-2048 bit RSA keys and a symmetric session key that's negotiated between your client/browser and our server.

The data in user notes is also transferred via SSL.

Several of the company's founders come from a strong encryption background (founders of CoreStreet, recently acquired by ActiveIdentity). For Evernote's consumer product, the current encryption algorithms are chosen more for exportability under the Commerce Department rather than strength, since our software permits the encryption of arbitrary user data with no escrow.

We'd be interested in offering something stronger in the future when we have the staffing to fight the lengthy export battle, but Premium users can currently use an external encryption solution to encrypt important files and then add these encrypted into Evernote.

Link to comment
  • 3 months later...
  • 1 year later...

The recent NSA security leak (http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security) increased our collective awareness of the security of our data.

The leak is mostly about SSL, which uses public/private keys (http://www.digicert.com/ssl-cryptography.htm).

Public/Private key systems were thought to be unbreakable, and in fact, my understanding is that there is an NSA "back door".  They didn't really crack the encryption technology.

 

However, that doesn't mean other algorithms aren't also vulnerable, but information about such technology was just NOT leaked.

 

Evernote's claimed 64-bit US export limit is outdated. It's no excuse for better encryption, and due to the small key size, is certainly vulnerable.

Today, 256-bit AES is a world-wide standard, and AFAIK, is unbreakable (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).

It was designed in conjunction with the NSA, after all, and would they want their own data crackable?

And as stated above, the NSA had various vendors put in back-doors.

 

EVERNOTE, PLEASE purchase/license a reputable AES encryption software package and implement it.

We users will be much happier and safer if/when you do!

Link to comment
  • 1 month later...

It seems to me that "evernote" simply doesn't want to implement strong encryption. The argument for export restrictions is not acceptable. First: they store all data inside the USA. So nothing gets exported. Second, if they use servers outside the US then there is no export, as it is no transfer from the US to another country.

Third: they could get a licence. Fourth: They probably will get forced by NSA to implement a backdoor.

I actually discuss with a lot of friends in Europe to leave/cancel all American services/cloud services as we have lost all trust in America to respect the rules keeping our privacy.

The problem is that European IT companies are too stupid to pick up the momentum and penetrate NOW into the market with good and secure services; or they got stopped by their American mother companies. It becomes more and more obvious that we have been very very naive to trust in the "Land of freedom".

 

 

However, I recommend that the users here use OpenPGP; cutting and pasting the text is not so much more complicated than direct encryption. There are also well-working plug-ins available for iOS, Android, Windows phones and PC. The advantage is that you can even encrypt your attachments, while Evernote encryption is only for plain text.

Link to comment
  • 2 months later...

According to http://www.keylength.com/en/4/ that (AES128) should be sufficient until at least 2030.

 

However, I recommend that the users here use OpenPGP; cutting and pasting the text is not so much more complicated than direct encryption. There are also well-working plug-ins available for iOS, Android, Windows phones and PC. The advantage is that you can even encrypt your attachments, while Evernote encryption is only for plain text.

Doesn't this kill the whole concept of EN? The whole point is to allow EN's technology to index and correlate the information that it reads in the notes, to make searching easier. How can it do that if you encrypt everything within the program?

 

According to http://www.keylength.com/en/4/ that (AES128) should be sufficient until at least 2030.

Quantum computing will cut the key strength of AES in half, and makes a joke of RSA-like asymmetric encryption schemes. I'm guessing we'll have working quantum computers well before 2030. Everyone should be using AES-256, and SSL should make that the standard, but they don't (for a couple of reasons that I think are unreasonable). We don't have Q-computers that can work for decryption right now (and I'm not wearing a tin hat thinking that the NSA has them before even basic research at universities can make it feasible), but the NSA could hold on to data long enough to be able to crack it when it IS available. That is the danger of these nearly unlimited-storage sites they are building. You don't need a building the size of the one in Utah to hold just phone-record meta-data.

Link to comment
  • Level 5

I agree, there are better tools for strong encryption, and without the search that reduces Evernote to a transport storage mechanism. And there are better methods for that too.

Now even with Evernote's built-in encryption you've still lost the search indexing. But that's balanced by the ability to just encrypt the bits of sensitive text rather than a whole note, leaving lots to search.

The problem until the current Windows beta is that it was broken against not just the NSA but anyone with:

- desire
- access to your data
- a working copy of Google
- a PC

That hole seems fixed (which makes wild optimistic assumptions on _how_ Evernote implemented it).

Yes it's still not an NSA solution, but we weren't really expecting that from Evernote were we?

Link to comment

I agree, there are better tools for strong encryption, and without the search that reduces Evernote to a transport storage mechanism. And there are better methods for that too.

Now even with Evernote's built-in encryption you've still lost the search indexing. But that's balanced by the ability to just encrypt the bits of sensitive text rather than a whole note, leaving lots to search.

The problem until the current Windows beta is that it was broken against not just the NSA but anyone with:

- desire
- access to your data
- a working copy of Google
- a PC

That hole seems fixed (which makes wild optimistic assumptions on _how_ Evernote implemented it).

Yes it's still not an NSA solution, but we weren't really expecting that from Evernote were we?

What exploit are you referring to?

 

While I agree that I am not too concerned about the NSA in this matter, I am concerned about what happens to the data if either a) a malicious employee decided to steal data, or b) EN's servers are hacked and the data is there for the taking. We know that the connection is encrypted, and I'm betting that their user DB is separated from the content DB (given their latest breach), but since they don't operate a zero-knowledge system there will always be doubt (in my mind).

Link to comment
  • Level 5

What exploit are you referring to?

Perhaps it's only that it's so long ago...

 

We start with the list of broken block ciphers:

 

 

http://en.wikipedia.org/wiki/Category:Broken_block_ciphers

and click through to RC2:

 

"RC2 is vulnerable to a related-key attack using 2^34 chosen plaintexts (Kelsey et al., 1997)."

 

And just a few short weeks ago a sentence like:

"The development of RC2 was sponsored by Lotus, who were seeking a custom cipher that, after evaluation by the NSA, could be exported as part of their Lotus Notes software. The NSA suggested a couple of changes, which Rivest incorporated. After further negotiations, the cipher was approved for export in 1989."

 

wouldn't have carried the moment of pause that it does on the other side of RSA (Ron Rivest is the "R" in RSA) accepting $10M to set an NSA-compromised random number generator as the default in the BSafe encryption toolkit.

 

But back to RC2.

 

In 1997, PCWorld wrote:

 

RC2 Encryption: Not a Tough Nut to Crack by Brian McWilliams, PC World News Radio

September 26, 1997

 

Next week a screen saver that cracks encrypted e-mail messages will be released by author and encryption expert Bruce Schneier.

Schneier claims his Win95 screensaver is user friendly, acts in the background to decrypt e-mail encrypted with 40-bit RC2, the default algorithm used in many e-mail packages. He claims it does so in 30 days on a Pentium 166 machine, even faster if you allow the application to tap the resources of other PCs on a LAN.

Schneier, creator of the Blowfish encryption algorithm, says "Anybody who wants to break the 40-bit RC2 keys already has one of these. This is not a hard thing to write--it just illustrates how weak these encryption keys are."

 

And you can still download his screen saver today:

https://www.schneier.com/smime.html

 

Tangentially in the neighborhood, harder versions have been cracked.

 

RC4 was also, I believe, first cracked in 1997, and has 5 or so known weaknesses. Some implementations using it, like WEP, have been trivially cracked. Edward Snowden suggests the NSA can break RC4 in TLS/SSL and Bruce Schneier agrees it seems more than plausible. (So here's hoping the AES source code attribution in Evernote clients before they used it for note encryption was for the SSL, rather than RC4.)

 

Distributed.net has brute-forced RC5 56-bit (1997) and RC5 64-bit (2002).

 

I'm betting that their user DB is separated from the content DB

Yep.

AFAIK it's always been separate (user database servers in the lower left):

[Image: Evernote high-level architecture diagram]

 

But yes, you have to fit the solution to the risk model.

Me, I'm fine with what I've put in EN, and the low likelihood of interception.

I'm generally happy with the changes brought about in the last 6 months.

 

In truth, now, the data is safer on Evernote's servers than it is on the average user's Windows PC at home.

That endpoint is far less guarded and secure, prone to theft, or prying from semi-trusted insiders, or vulnerable to screen scraping by malware.

Link to comment
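A worked example added here (not part of any post in this thread) that puts the thread's key-length figures on one scale: it takes the PC World claim quoted above (a 40-bit RC2 keyspace swept in 30 days on one Pentium 166) as a baseline and scales it to the 64-bit key from the Knowledgebase answer and to AES sizes, and applies the "quantum cuts key strength in half" rule from the earlier post. Function names are made up for this example; it assumes the 30-day figure is a full keyspace sweep and that per-key cost does not depend on key size.

```python
from fractions import Fraction
from math import ceil

SECONDS_PER_DAY = 86_400

def implied_rate(key_bits, days):
    """Keys/second implied by sweeping a full key_bits keyspace in `days`."""
    return Fraction(2 ** key_bits, days * SECONDS_PER_DAY)

def days_to_sweep(key_bits, keys_per_second):
    """Days for one machine at that rate to try every key of this size."""
    return Fraction(2 ** key_bits) / keys_per_second / SECONDS_PER_DAY

def machines_for_deadline(key_bits, keys_per_second, deadline_days):
    """Baseline machines needed to finish the sweep within the deadline."""
    return ceil(days_to_sweep(key_bits, keys_per_second) / deadline_days)

def grover_bits(key_bits):
    """Effective symmetric strength if quantum search halves the exponent."""
    return key_bits // 2

def compare(sizes, baseline_bits=40, baseline_days=30):
    """Scale the quoted 1997 baseline (assumption: full sweep) to other sizes."""
    rate = implied_rate(baseline_bits, baseline_days)
    return [
        {
            "bits": bits,
            "single_machine_days": days_to_sweep(bits, rate),
            "machines_for_30_days": machines_for_deadline(bits, rate, 30),
            "post_quantum_bits": grover_bits(bits),
        }
        for bits in sizes
    ]

if __name__ == "__main__":
    for row in compare([40, 56, 64, 128, 256]):
        years = float(row["single_machine_days"]) / 365.25
        print(f'{row["bits"]:>3}-bit: {years:.3e} years on one 1997 PC, '
              f'{row["machines_for_30_days"]:.3e} such PCs for 30 days, '
              f'{row["post_quantum_bits"]} bits after halving')
```

Because the baseline is a single 1997 desktop, the 64-bit row is an upper bound on effort: every later gain in hardware speed or parallelism shrinks the 2^24 multiplier over the 40-bit case.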

Regardless of the encryption model used in the SSL communication, it could still be "cracked". I'm not sure if you fully read and understood what has been published, but basically it comes down to the following. All SSL/TLS relies on trusted asynchronous transmission of certificates. The "root" certificates from Certificate Authorities, such as Verisign, are highly guarded. These root CAs are required for global communications on the public internet. The problem is that a certain government agency has a department within it that has made it its mission to actively compromise these root CAs, and either steal the root certificates, or broker a deal that gives them access. Since it is classified, we will never know who that agency is in bed with, or who that agency has hacked. What's worse is that it has worked to undermine the trust of the entire internet, not just from an American perspective, but internationally. Why? Because what if there was a leak from that department to, say, China. Then, there you go, China can now read the internet's traffic. All they have to do is move all the internet's traffic through their firewall, as it has done so before (well, we suspect it wasn't a "glitch" in the BGP routing).


Link to comment
  • Level 5

I have. But I wasn't going to beat a recently dead horse to death re-covering well hashed ground.

But this is a different vector than originally discussed.

There are multiple methods here.

 

1.

  • Archive SSL data through
    • upstream fiber taps
    • BGP routing
    • replacing hardware orders with compromised copies from the ANT Catalog
  • Obtain expired SSL private keys, to decrypt data after the fact

2.

  • Coerce/obtain a current SSL private key, and decrypt data real-time through methods above

3.

  • The method I mentioned, which would not require having the private key, where RC4 is used as the cipher. (E. Snowden's assertion, not mine)
Link to comment

Archived

This topic is now archived and is closed to further replies.
