Password management with Zero Knowledge
Many providers promise to keep your data secure, but not all of them list the concept of zero knowledge among the offered benefits. Why is zero knowledge so important and how does it affect the security of your data?
In its general form, a zero-knowledge protocol lets one party (the prover) convince another party (the verifier) that the prover possesses a certain secret without disclosing the secret itself. In other words, the verifier learns only the fact that the prover really has that secret and nothing more.
In the particular case of data storage, the term “zero-knowledge storage” is used. It means that only the end user can read their data: the data is encrypted on the user's device before it is transmitted and stored, and the provider never holds the decryption key. Conversely, if storage is not done using a zero-knowledge approach, you have probably realized by now that someone other than you can access your data.
Let's take a closer look at this process using our PassSecurium™ password manager as an example.
The data for each instance (for business editions) or each individual account is encrypted using the password you choose during registration. Users of the business version have access with their individual passwords, which decrypt only that part of the instance database to which this user has access rights.
At the initial login to the account, along with the main password, the user is prompted to protect the mobile application using an additional security code or biometrics, as well as to protect the browser version using two-factor authentication.
The user must enter their security code (known only to them) or biometric data in order for the application database to be decrypted. Synchronization of the application with the cloud is encrypted over HTTPS. After a timeout or on exiting the application, the database is encrypted again.
Only you know the decryption password. Even though our administrators are decent, trustworthy people, they have access to neither your data nor your account password. Moreover, in the event of a leak caused by a hacker attack on the server, or at the request of the authorities, all that can be obtained from us as a provider is encrypted data that cannot be decrypted with the current level of technology. To ensure this, we use the industry's gold standard: AES-256.
Also, in corporate and individual versions of our password manager, you can block access from individual devices or for individual users in order to prevent data leakage attributed to a device loss or possible unauthorized access by an intruder.
If the provider stores data according to the zero-knowledge concept, it may seem that such data can be stored anywhere, but we decided to go further in protecting our customers' data. We only use trusted Swiss (or, on request, German) data centers, and we also offer VPN access for the corporate instances of our PassSecurium™ password manager.
However, zero-knowledge storage also has some drawbacks.
Encryption can slow down the application, but it only happens when transferring a large amount of data. For a password manager, the latency due to encryption is almost invisible to users.
Most importantly, losing your personal account password for a service built on the zero-knowledge approach means losing your data. For this disastrous situation, providers must take care of a secure alternative recovery option (e.g. a recovery passphrase printed on paper and kept in a safe place).
In the Corporate version of PassSecurium™, an administrator can restore access to a user who has lost their account password by creating a new one.
Zero-knowledge architecture places great responsibility on users for their own data, but offers the highest possible level of data protection. Using applications designed according to this principle, you don’t have to worry about the safety of keys, files and other sensitive information stored in them, since all this is stored and transmitted in encrypted form, and only you own the decryption key.
With PassSecurium™ you can take corporate and personal passwords under full ultra-secure control!
When writing the article, the following additional sources were used:
https://en.wikipedia.org/wiki/Zero-knowledge_password_proof
https://www.cloudwards.net/what-exactly-is-zero-knowledge-in-the-cloud-and-how-does-it-work/
https://medium.com/@vixentael/zero-knowledge-architectures-for-mobile-applications-b00a231fda75
https://tresorit.com/blog/zero-knowledge-encryption/