Security FAQ

How can I be sure CryptoHeaven is secure?
Does anyone have access to my private keys?
How can I be sure the client software I run is authentic?
Do I have to do anything with my public key?
Can my private key remain on my local computer?
Do my Contacts know where I send my messages from?
How can I verify that I am sending messages to whom I think I am?
How does CryptoHeaven compare to web based security packages?

How can I be sure CryptoHeaven is secure?

The source code for CryptoHeaven is available free of charge to everyone, so security experts and other users can test the strength of our cryptographic system for themselves. The source code is available for download here.

Does anyone have access to my private keys?

Short answer: Nobody.

Long answer: The private portion of the user's key is encrypted with the user's pass-code and, at the user's discretion, either stored on the local computer or sent to the server. When the encrypted private key resides on the server, the user gains the ability to access his account from anywhere in the world through the Internet.

The transformation algorithm applied to encrypt the private key is Rijndael (AES). The user's pass-code is the entropy source for the 256 bit symmetric key which, together with the algorithm, transforms the private portion of the asymmetric key into ciphertext. It is believed that all of the energy in the universe is not sufficient to successfully complete a brute-force attack on ciphertext generated with the AES symmetric cipher and 256 bit symmetric encryption keys. That figure applies to guessing a random 256 bit key directly; a key derived from a pass-code can only be as hard to guess as the pass-code itself, so the strength of the encryption depends on the strength of the user's pass-code.

The user-name and passphrase, together with additional salt, create a unique user pass-code. This pass-code is known only to the user and is never shared, stored, or sent anywhere. When a user forgets his user-name or passphrase, all of his data stored on the server becomes inaccessible forever; we have no ability to recover any portion of the data or the lost pass-code.
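The scheme described in the two paragraphs above (user-name + passphrase + salt form a pass-code, the pass-code is stretched into a 256 bit symmetric key, and that key encrypts the private key with AES) is shown below as an added example. It is not CryptoHeaven's own code: the FAQ does not state which key-derivation function, iteration count or AES mode the product uses, so PBKDF2-HMAC-SHA256 with 100,000 iterations and AES-256-GCM are assumptions made for this illustration, and the sample private key bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative parameters. The FAQ does not state CryptoHeaven's actual KDF,
// iteration count or cipher mode; these values are assumptions for the example.
const (
	keyLen     = 32      // 256-bit symmetric key, as the FAQ describes
	iterations = 100_000 // work factor that slows down pass-code guessing
)

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) using only the Go
// standard library so the example runs without third-party modules.
func pbkdf2SHA256(passcode, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, passcode)
	hLen := prf.Size()
	out := make([]byte, 0, dkLen+hLen)
	var blockIndex [4]byte
	for i := 1; len(out) < dkLen; i++ {
		binary.BigEndian.PutUint32(blockIndex[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIndex[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// DeriveKey builds the pass-code from user-name, passphrase and salt and
// stretches it into the 256-bit AES key. The NUL separator keeps
// ("ab","c") and ("a","bc") from yielding the same pass-code.
func DeriveKey(username, passphrase string, salt []byte) []byte {
	passcode := []byte(username + "\x00" + passphrase)
	return pbkdf2SHA256(passcode, salt, iterations, keyLen)
}

// EncryptPrivateKey seals the private key under the derived key with
// AES-256-GCM. Output layout: nonce || ciphertext || authentication tag.
func EncryptPrivateKey(privateKey, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, privateKey, nil), nil
}

// DecryptPrivateKey reverses EncryptPrivateKey. A wrong pass-code derives a
// different key, so the GCM tag check fails and no plaintext is released.
func DecryptPrivateKey(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	privateKey := []byte("constructed sample private key bytes") // placeholder, not a real key

	key := DeriveKey("alice", "correct horse battery staple", salt)
	blob, err := EncryptPrivateKey(privateKey, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted blob: %d bytes\n", len(blob))

	// The right pass-code recovers the key; a wrong one fails closed.
	if pt, err := DecryptPrivateKey(blob, key); err == nil {
		fmt.Printf("correct pass-code: %q\n", pt)
	}
	wrongKey := DeriveKey("alice", "wrong passphrase", salt)
	if _, err := DecryptPrivateKey(blob, wrongKey); err != nil {
		fmt.Println("wrong pass-code:", err)
	}
}
```

The encrypted blob is all that would need to leave the local machine; the pass-code and the derived key never do, which is what lets the server hold the blob without being able to open it. Because the key is authenticated (GCM), a wrong pass-code produces an error rather than garbage plaintext, and the iteration count is the only thing standing between a weak passphrase and an offline guessing attack on a stolen blob.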

How can I be sure the client software I run is authentic?

To personally verify the authenticity of a downloaded software archive, check the SHA-256 message digest of the downloaded file against the expected digest for that release. The Java™ command line utility for obtaining SHA-256 digests, together with the expected digests for all released versions, is available here.

Do I have to do anything with my public key?

CryptoHeaven manages public keys automatically and securely. A user simply allows others to communicate with him through the use of "Contacts" within the CryptoHeaven system; the system takes care of exchanging the public keys automatically.

Can my private key remain on my local computer?

When creating a new account, you have an option to store your encrypted private key on our servers, or to store it locally. The advantage of storing it on the server is that you can access your account from any other computer on the Internet. Regardless of where you decide to store your private key, it is encrypted. See "Does anyone have access to my private keys?" above for more information.

Do my Contacts know where I send my messages from?

No! Messages and other records do not contain IP addresses or other information which can be used for physical or geographical tracking of the sender or recipient. We never log or associate IP addresses with user accounts.

How can I verify that I am sending messages to whom I think I am?

The following procedure is not necessary for secure communications. However, it can be used to make sure that a contact address actually belongs to the person you think it does.

Click on the outgoing contact name that you want to verify and select "Contact Properties." A dialog box will pop up. Have a look at the name and number on the "Contact With" line.

Call, talk, or otherwise communicate with the other party to verify that the unique number following your recipient's name matches the unique user number the other party gives you.

Once you have verified a Contact, you don't need to do it again in the future. The Contact will remain in your account indefinitely and cannot be removed or changed by anyone other than yourself or the person with whom you have the Contact. Each user on the system is unique and distinguished by user ID; although two people can have the same username, their accounts are never confused by the system.

How does CryptoHeaven compare to web based security packages?

CryptoHeaven offers a degree of security, non-repudiation and anonymity which far exceeds that of any web based system.

© 2001 CryptoHeaven, Inc.