Vaulteq
SECURITY WHITEPAPER
3-11-2016 VERSION 1
17-12-2016 VERSION 1.1
10-04-2017 VERSION 1.1.1
User Experience
Mobile Application
A. Fast and easy registration of new secure Vaults (accounts)
B. Built-in Two Factor Authentication and tools to create secure passwords
Browser Extension
A. Fill login forms easily with Auto Fill and manage the Vault directly from the Browser
B. Generate a secure password directly in the browser for new registrations
General Principles
Registration and Encryption
A. The Master password is only known by the user. It is never stored in its readable form anywhere and never sent over the internet.
B. The Device Key is unique for every browser and device. It is based on the unique identifier of the device. In the browser it is based on a unique hash rendered from a combination of parameters that are unique to the device.
C. The Master Password is used to decrypt the Master Key. This key is generated locally, once, on the user's device during account creation using random input and PBKDF2 with 10000 rounds (user configurable). It is encrypted with the Master Password using AES256-GCM and sent to the Vaulteq server.
D. The Private Key and Private Count are randomly created on the server, sent to the client one time, and stored within the App.
Diagram (Client / Server):
  create Master Key
  send: email, hash & encrypted
  reply: activation token
  send: one-time activation token
  reply: private key & count
Two Factor Authentication Protocol
A. The e-mail address is used as a user identifier.
B. A SHA256 hash is created from a derivative of the Master password and used as the password to authenticate with the Vaulteq server.
C. The e-mail, password and Device Key (credentials) are sent through HTTPS using SSL AES256 with 2048-bit RSA.
D. A Passcode is generated by creating an AES256 of the username salted with an increased Private Count and hashed into a numerical code. When checked, the counter on the server is also increased, which makes each key unique and usable only one time.
Diagram (Client / Server):
  send: unique device key
  request: unauthorised Device Key, need passcode
  create passcode
  authorized: valid temporarily request token
Vault Encryption
A. The encrypted Master Key is retrieved using the Auth Token received during the authentication.
B. The Master Key is decrypted using the Master Password.
C. The Vault is encrypted on each change with a new unique AES256-GCM derivative key made from the Master Key with a random salt using PBKDF2.
D. The newly encrypted vault is synced with Vaulteq through HTTPS.
Diagram (Client / Server):
  request with token the encrypted master key
  reply: encrypted master key
  decrypt master key
  encrypt vault
  send: encrypted vault
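The wrapping of the Master Key described under Registration and Encryption (C) and the per-change vault key described under Vault Encryption (C), as an added Node.js example that is not Vaulteq's own code. It assumes PBKDF2 with HMAC-SHA256, a 16-byte salt, a 12-byte nonce, a salt | iv | tag | ciphertext record layout and a Master Key drawn from random bytes; all function names are hypothetical.

```javascript
// Added example, not Vaulteq's implementation. Sizes, PRF and layout are assumptions.
const crypto = require('crypto');

const ROUNDS = 10000; // PBKDF2 round count stated in the whitepaper (user configurable)

// Encrypt `plaintext` with AES-256-GCM under a key derived from `secret`
// and a fresh random salt. Output: salt(16) | iv(12) | tag(16) | ciphertext.
function seal(secret, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.pbkdf2Sync(secret, salt, ROUNDS, 32, 'sha256');
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Reverse of seal(). Throws when the secret is wrong or the record was
// modified, because the GCM tag no longer verifies.
function unseal(secret, record) {
  const salt = record.subarray(0, 16);
  const iv = record.subarray(16, 28);
  const tag = record.subarray(28, 44);
  const key = crypto.pbkdf2Sync(secret, salt, ROUNDS, 32, 'sha256');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(record.subarray(44)), decipher.final()]);
}

// Account creation: the Master Key is random and leaves the device only in
// wrapped (encrypted) form; the Master Password itself is never sent.
function createAccount(masterPassword) {
  const masterKey = crypto.randomBytes(32);
  return { masterKey, wrappedMasterKey: seal(masterPassword, masterKey) };
}

// Save: each call draws a new salt, so each change uses a new derived key.
function saveVault(masterKey, vault) {
  return seal(masterKey, Buffer.from(JSON.stringify(vault), 'utf8'));
}

// Unlock: unwrap the Master Key with the Master Password, then open the vault.
function unlockVault(masterPassword, wrappedMasterKey, encryptedVault) {
  const masterKey = unseal(masterPassword, wrappedMasterKey);
  return JSON.parse(unseal(masterKey, encryptedVault).toString('utf8'));
}
```

Only `wrappedMasterKey` and the output of `saveVault` would be synced to a server in this sketch; an intercepted copy of either cannot be altered without the tag check in `unseal` failing.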
Security
Detection & Protection
A. The Activity Overview quickly shows all information about logins and device authentications in the past. Information from Vaulteq about security news will also show up on this feed.
B. After 5 failed Login attempts the account is Locked for 5 min and an email with information about the attempts is sent to the user.
C. Each authorised device can be managed from the Account panel. A device can be Untrusted or Blocked from further access.
D. Each Token is valid for 24 hours (user configurable); after this time authentication is needed.
E. The Vault, Master Key and Password are only temporarily stored / decrypted in memory and never persisted locally.
Attacks & Protection
A. Brute-force login attempts are interrupted for 5 minutes after 5 tries.
B. When a brute force succeeds (or someone knows the password), a trusted device key or a passcode is needed.
C. Brute forcing the passcode is possible for a few tries. After 100 tries the Private Count is out of sync on the server and the user will need to renegotiate a new Private Key & Count with the Vaulteq server.
D. A MITM attack is made even harder by pinning the SSL certificate in the clients.
E. Even with a successful MITM attack the Master Password is never sent and will be unknown.
F. Brute forcing the Encrypted Master Key after a successful MITM attack would need approximately 10 years with a super computer (which will cost ~50.000 Euro a day in electricity to run).
2^256 combinations with 33.86 petaflops: TIANHE-2 (MILKYWAY-2), No. 1 Super Computer