natv

Evernote - security concern

As an Evernote user who does sometimes store sensitive information in Evernote (by encrypting specific text), I would like a response from Evernote regarding this.

A high profile investor in the cryptocurrency space was recently hacked ($2M USD worth).

He mentioned that he did store his private keys in Evernote - but - that this information was encrypted.  

Based on his story, he claims that somehow someone with access to his email account was somehow able to reset his Evernote password (based on my understanding) and somehow gain access to his encrypted notes too:

" I thought I was safe storing my private keys on Evernote because I encrypted them but clearly that didn’t help. I did have 2FA on my Gmail with the authenticator app but that didn’t help because my recovery email address was my college email and there is no 2FA on that. Once the hackers had access to my Gmail, they basically had access to everything"
http://ianbalina.com/ian-balina-hacked-2-million-ama-live-stream-w-notes-april-24th-2018/

What I'm not clear on is this: even if someone resets your Evernote password and accesses your notes, this shouldn't give them access to any encrypted information, because that is encrypted separately and, as far as I know, even Evernote should not have the ability to know your encryption password.

Am I correct, or do Evernote's systems store your encrypted password somehow?

I think this is important for everyone to know.

If the above person's story is inaccurate then it would be good for Evernote to confirm this, as otherwise, Evernote security looks quite bad here if something like this could really happen.

50 minutes ago, natv said:

What I'm not clear on is this: even if someone resets your Evernote password and accesses your notes, this shouldn't give them access to any encrypted information, because that is encrypted separately and, as far as I know, even Evernote should not have the ability to know your encryption password.

Am I correct, or do Evernote's systems store your encrypted password somehow?

I think this is important for everyone to know.

While waiting for Evernote to respond, my understanding is:

  1. Passwords are not stored unencrypted
  2. Access to an email password does not give access to your Evernote password (assuming they're different)
  3. Access to your account password does not give access to your encrypted text password (assuming they're different)

There is a risk when the same password is used everywhere.


From Evernote docs on encryption (https://help.evernote.com/hc/en-us/articles/208314128-What-type-of-encryption-does-Evernote-use-). I italicized the part where they talk about the encryption passphrase.

I don't believe that being able to get into an Evernote account gets you access to encrypted content in the notes; you need to also know the passphrase. It's possible, I suppose (and I found a web site that claims this), that encrypted content is stored unencrypted in your local database (I use the Windows client), but I'd need to dig to be able to verify it. The same website also claims that the encrypted text is stored internally as unencrypted so that it can be searched for, but that doesn't seem to hold true, so I'd take the former with a grain of salt. If you export a note with encrypted content to Evernote format (.ENEX), the encrypted part is indeed exported as encrypted.

Quote

Encrypted text supported

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. In February 2014, Evernote made a conscious effort to improve the security of in-note encryption and began using AES (Advanced Encryption Standard) with a 128 bit key. Prior to that time, Evernote used RC2 encryption with a 64 bit key, derived from a passphrase you chose.

Evernote derives your AES key from the passphrase you enter and does this using a well recognized method called PBKDF2 (Password Based Key Derivation Function 2). Your passphrase, along with a unique salt, runs through a HMAC/SHA-256 hashing function 50,000 times. The result is a 128 bit AES key. This key, along with an initialization vector, is used to encrypt your data in CBC (Cipher Block Chaining) mode.

Evernote never receives a copy of this key or your passphrase and doesn’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, your data cannot be recovered.

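As an added example (my own Go code, not Evernote's client or anything from the doc), this implements the scheme the quoted passage describes: PBKDF2 with HMAC-SHA256 at 50,000 iterations to a 128-bit AES key, then AES-CBC with an IV. It also shows that a client can reject a wrong passphrase by checking the decrypted padding, with no stored copy or hash of the passphrase; that Evernote's clients work this way is an assumption, not something the doc states.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// deriveKey: PBKDF2 (RFC 8018) with HMAC-SHA256, 50,000 rounds, first 32-byte block only, truncated to the 128-bit AES key.
func deriveKey(passphrase string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(passphrase))
	prf.Write(append(append([]byte(nil), salt...), 0, 0, 0, 1)) // salt || big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 50000; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:16]
}

// Seal: AES-128-CBC with PKCS#7 padding. Salt and IV are fresh random values stored with the ciphertext; passphrase and key are stored nowhere.
func Seal(passphrase string, salt, iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(deriveKey(passphrase, salt)) // 16-byte key: cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// Open re-derives the key and decrypts; invalid padding almost always means a wrong passphrase. Padding is not a MAC: plain CBC has no integrity check.
func Open(passphrase string, salt, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, _ := aes.NewCipher(deriveKey(passphrase, salt))
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("wrong passphrase or corrupted data")
	}
	return pt[:len(pt)-n], nil
}
```

The salt and IV passed to Seal must be fresh random bytes (for example from crypto/rand) and must be kept alongside the ciphertext for Open. The padding check detects a wrong passphrase but gives no integrity protection, so a design that must also detect tampering would add an authentication tag.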

Yeah, we definitely need Evernote to address whether or not encrypted data is stored locally too. Thanks for posting that.

7 minutes ago, natv said:

Yeah we definitely need Evernote to address whether or not encrypted data is stored locally too.

I'm on a Mac and can view the raw storage for data.

Encrypted data is stored in encrypted form. I have to use the Evernote app to decrypt, and the password is required.

1 hour ago, DTLow said:

I'm on a Mac and can view the raw storage for data.

Encrypted data is stored in encrypted form. I have to use the Evernote app to decrypt, and the password is required.

On Windows, if you enter an encryption password different from one you have used, you get the message below. That implies to me that the encryption password is stored somewhere outside the note (it may be stored within the encrypted part of the note as well, for all I know).

It would be good to know if EN is storing encryption passwords inside some EN encryption zone. If not, then yeah, someone with enough time and knowledge could ID your encryption passwords, would be my guess.

[Screenshot: ScreenClip.png]

3 hours ago, CalS said:

That implies to me that the encryption password is stored somewhere outside the note

Yes, there must be storage for the comparison; also for the hint.

I'm trusting that an encryption of the password is stored, or some hash/checksum; I'm still searching for a reference to this.
The comparison should be stored-encrypted-password to entered-encrypted-password.
