Slashdot Mirror


Encrypted Email and Online File Storage - Cryptoheaven

Adam Kurzawa writes: "CryptoHeaven is a new online service offering secure services: secure free mail, secure file sharing, distribution and storage, secure instant messaging, secure discussion lists, automatic key and contact management, no third party key holder, all services integrated into one user interface, accessible anywhere, anytime. CryptoHeaven uses the AES symmetric cipher Rijndael with 256 bit symmetric key, public-key cryptography with 2048-4096 bit asymmetric keys (user selectable) and SHA-256 message digest function. Free and premium accounts are available. Source code is available for download free of charge."

3 of 33 comments

  1. Third Party Key Holder by ehikory · · Score: 2, Informative

    "...no third party key holder..."

    Actually, according to the web page, they do offer to act as the third party keyholder:

    "The private portion of the key is encrypted with user's pass-code and stored on the local computer or sent to the server at user's choice."

    If the private key is not sent to the server, then what is the benefit over any other service that allows remote email & storage (assuming others actually send encrypted email and the user stores encrypted files)?

    Now, because their service agreement requires users not to store any illegal material, users cannot really store anything that is dangerous to governments. I don't know the details of Canadian law enough, but I would suspect that the RCMP (or other appropriate agency) would be able to collect the secret key and therefore decrypted data if they really wanted. Can someone tell me otherwise?

  2. Canadian Crypto service by imrdkl · · Score: 3, Informative
    The service and the product seem to be located and developed in Canada. I note that Canada is not a party to the CyberCrime Treaty which was discussed earlier.

    Perhaps this is worth further investigation...

    The user interface is written in Java, and requires a 1.3 or higher runtime installed. The Windows installer has an optional 1.3 runtime included. By virtue of the Java client-side implementation, your private key is never sent, or seen by the server unless you choose to upload it in encrypted form. If you do decide to upload your private key, thereafter you rely only on SSL, presumably, to protect the password for your encrypted private key stored remotely.

    It's been awhile since I looked at Java's crypto. The 1.2 stuff was pretty lame, especially the keystore. But this implementation does at least seem to use RSA keys for Java, which means that the container may be better too.

    I dunno if I'd ever advise anyone to allow their keys to be stored on the server, no matter how many reassurances they get. However, for someone who simply wishes to share private mail with someone else, it might be nice.

    Things that remain unclear to me are:
    1. Can encrypted mail be sent to someone who does not have an account, using an ordinary PGP public key, for example?
    2. What protocol does the service use? Is it standard SMTP? (possibly with verification)
    3. Where does the encryption/signing of the delivered email actually occur? Presumably always on the client.
    4. The Service Agreement seems pretty, uh, tight. If you displease them in any way, all your rights, including access to your existing mail, are cut off.

    Anyone actually using this service?

    1. Re:Canadian Crypto service by leto · · Score: 3, Informative

      Wrong: reread the cybercrime URL you posted:

      Canada, Japan, South Africa and the United States, who took part in the drafting, also signed the treaty today.

      So, this means they (or at least their government) promise to help do key escrow etc. So the government will ask the key from cryptoheaven if they have it. There is no point in giving them the key at all. They cannot secure it. In fact, they should refuse all keys for this very reason.