AxCrypt's poor implementation puts your information at risk

This topic contains 0 replies, has 1 voice, and was last updated by  Danny 2 weeks, 5 days ago.


    Danny

    I highly suggest anyone using this application take a second look at its implementation and decide if this application is still for you.

    First, whether free or paid, you’re required to create an account. The password you use to access your account is the same password used as a “Master File Key”. This is used when using a password only to encrypt a file.
    Next, AxCrypt has you create a public/private key pair, which they encrypt and store on AxCrypt’s servers.
    This allows the convenience of being able to change your passwords, and conduct password recovery for when you forget your password.

    Here’s the problem:
    NIST SP 800-57 PART 1 REV. 5 (available at https://doi.org/10.6028/NIST.SP.800-57pt1r5) – Chapter 6, section 6.1.1, paragraph e and subsequent Table 5, show that private key assurance is demonstrated by possession.
    AxCrypt not only possesses the private key, they also possess the Master File Key. Although it is claimed that these are encrypted, there are still issues here.

    1. Your private key, encrypted or not, is NOT under your control or possession.
    2. Your Master File Key is also not under your control or possession (same as above).
    3. This method of operation reeks in familiarity to CryptoAG, an encryption provider that was operated by The BND & CIA from 1970 until 2018.
    4. Additionally, this site is a particularly juicy target, à la Piriform (CCleaner hack) and SolarWinds.

    While the code itself is open source, well investigated and reviewed, its implementation is poor, ill thought out, and opens every customer to unnecessary risk of compromise.
    Further, simply having access to the metadata can show which accounts are communicating with each other, even if the contents of those communications remain obscured.

    This tool has a wonderful looking front end, but there’s no way I would recommend its use if you’re serious about encryption and protection of your private data.
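As an added illustration of the custody argument in the post above (model code written here, not AxCrypt's code or the author's; the `escrow_key` recovery path and all key material are constructed assumptions, and the HMAC keystream is a stand-in for a real AEAD): a password-derived wrapping key protects a stored private key, a password change needs no provider involvement, and any recovery that works without the password requires a second key whose holder can open the private key as well.

```python
import hashlib
import hmac
import os


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Key-encryption key derived from the account password (scrypt, stdlib)."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-counter keystream; a real client would use AES-GCM or similar.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(kek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap(kek: bytes, private_key: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(kek, nonce, len(private_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: cannot unwrap")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def enroll(password: bytes, private_key: bytes, escrow_key=None) -> dict:
    """Record the provider stores. escrow_key (assumed, hypothetical) models a
    recovery path: a second wrapping that opens the key without the password."""
    salt = os.urandom(16)
    record = {"salt": salt, "wrapped": wrap(derive_kek(password, salt), private_key)}
    if escrow_key is not None:
        record["recovery"] = wrap(escrow_key, private_key)
    return record


def open_with_password(record: dict, password: bytes) -> bytes:
    return unwrap(derive_kek(password, record["salt"]), record["wrapped"])


def open_with_escrow(record: dict, escrow_key: bytes) -> bytes:
    # Whoever holds escrow_key possesses the private key, password or not.
    return unwrap(escrow_key, record["recovery"])


def change_password(record: dict, old: bytes, new: bytes) -> dict:
    """Password change is purely client-side re-wrapping; no provider key needed."""
    new_record = enroll(new, open_with_password(record, old))
    if "recovery" in record:
        new_record["recovery"] = record["recovery"]
    return new_record
```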
