[AxCrypt SupportModerator]

Earlier this week we released AxCrypt Mobile for Android.

Now we have released AxCrypt Mobile for iOS.

https://itunes.apple.com/us/app/axcrypt/id1157695909?mt=8

Thank you for your support.

Enjoy!

[AxCrypt SupportModerator]

Stephen,

First – you’re partially correct on how an old password can be used to decrypt a file after the key pair is regenerated or otherwise lost. The other thing is that when a file is encrypted, the file master key is also encrypted symmetrically with the password in effect at that time. So, you can always decrypt a file, even without the key pair, if you know the password in effect at the time of encryption. This is a measure to reduce the risk of data loss. The most common cause of data loss in Windows is loss of the key pair associated with the Encrypting File System, EFS. We don’t want AxCrypt to have the same problem.

Second – When a Premium user sends an AES-256 to a free user, that free user can open it (if (s)he has the password / keypair). If (s)he updates the file causing it to be re-encrypted, it’ll be encrypted with AES-128.

In summary: Premium: Decrypts all. Encrypts with AES-256. Free: Decrypts all. Encrypts with AES-128.

[AxCrypt SupportModerator]

Hello Stephen,

Well – I can’t say you didn’t do your homework ;-) I’ll try to respond, but to be honest, it’s a little hard to determine exactly what the questions are. But I’ll try. All answers assume that AxCrypt is used in online mode. (There are some variations to the theme in offline mode.) For followups, can you perhaps be careful to distinguish background info and assertions, from the actual questions? I try to answer, but it’s easy to miss something when the questions are not clearly separated and stated.

Q: Is the encryption password the same as the web sign in password?

A: Yes, when signed in to AxCrypt, all *encryption* is done using that password which is also the same as the web sign in. See below for details.

Q: What does password reset do?

A: It creates a new key pair, and encrypts the private key with the new password. The old key pair is kept around, should you ever change back to the original password.

Q: Can a hacker change the password to your files?

A: No. A hacker with control over your email can *reset* the password to the server (see above). This does not change anything or let the hacker open your encrypted files. Once you have regained control over your email, you can reset the password back to the original.

Q: Can a trial user open/encrypt/modify files key shared with them after the trial expires?

A: Yes. New encryption operations will use AES-128, but otherwise it all keeps on working.

Q: Can you change your password and also invalidate the old one for all old files?

A: No, not really. It’s complicated. See below for a technical explanation of how file encryption works.

—

How does file encryption with AxCrypt 2 and AxCrypt ID work?

An AxCrypt ID is a public key pair, using RSA-4096. The public key is used for encryption, and is non-secret. The private key is used for decryption, and is kept encrypted using your sign in / web password.

When a file is encrypted, the following operations take place:

1) A random 128 or 256-bit key is generated. We call this the file master key (or session key).

2) The file content is encrypted using this master key, and the encrypted data is stored in the .axx file.

3) The file master key is ‘wrapped’, i.e. iteratively encrypted using AES and a key derived from your sign in password. This wrapped file master key is also stored in the .axx file, as headers and trailers.

4) The file master key is also encrypted using your AxCrypt ID public key. This encrypted file master key is also stored in the .axx file, as headers and trailers.

5) (optional) The file master key is also encrypted using key sharing recipients’ AxCrypt ID public keys. These encrypted file master keys are also stored in the .axx file, as headers and trailers.

When you change your password, your private key is decrypted using the old password, and then encrypted again using your new password.

When you sign in, the password is verified by attempting to decrypt your private key.

When you decrypt a file, we first try to decrypt the file master key using your private key (decrypted since you’re signed in). If this works, we decrypt the file contents using the now decrypted file master key.

If that does not work, we try to use the sign in password to decrypt the iteratively wrapped encrypted file master key as described above. If this works, we decrypt the file contents using the now decrypted file master key.

If this does not work – we prompt you for a different password.

[AxCrypt SupportModerator]

Hello Sander,

From what we can see you did indeed receive the verification code, since your account is verified.

You received the verification email about 20 minutes after you initially registered, because this is a requirement from your email provider. They use a spam-limiting function called ‘greylisting’, which means that at the first connection attempt the email is refused, but it will be accepted at a later time. So, when we retried a little later, the mail was accepted and you received it to your inbox.

This is why there was a certain amount of delay. You should be aware of this behavior with your email provider, and I’m sure that if you think about you’ll recall that sometimes emails are delayed. Your providers’ greylisting procedure is the likely cause in more cases than this.

 

[AxCrypt SupportModerator]

Hello,

I am very sorry to hear that you apparently are the victim of a hacker ransom attack against your files.

However, please understand that AxCrypt is just a tool that is used by millions of legitimate users for good purposes. We are very sad that a hacker has choosen AxCrypt as the tool to perform the ransom attacks that appear to plague mostly Turkey, and apparently in your case Ukraine.

Unfortunately in this case, AxCrypt is based on strong encryption, and it is generally not possible to crack the encryption.

What you must do is contact your local police, and have them follow the money and Internet trail to the hacker. Since others appear to be in the same situation, you may want to contact media in order to make this problem more widely known, and also gain the possibility of a group action of all the victims against the hacker.

We cannot help, we are in no way involved, and there is no way to open the files without the passphrase used.

Please read http://blog.axantum.com/2012/07/axcrypt-used-for-ransom-attacks.html for a longer discussion of what I know about this affair. This has been going on for a long time…

AxCrypt is a legitimate tool that a malicious hacker has choosen to use in order to commit his crimes. Neither AxCrypt nor we are the problem. The hacker, and the conditions that led the hacker to succeed is the problem.

[AxCrypt SupportModerator]

Hi,

We’ll evaluate the sign in / sign out options for the mobile apps as we go along, but right now we’re depending to a large degree on the inherent security of the device encryption capabilities since there are so many aspects of a mobile phone we can’t control without rooting it and doing all kinds of bad stuff. Even if we did sign out, without device encryption, there will be at least some information available for a persistent attacker that has physical access to your phone.

So – ensure that you are using device encryption and a pin or Touch ID or equivalent to unlock your phone. This applies regardless if you use AxCrypt Mobile or not!

[AxCrypt SupportModerator]

Hello Robin,

It is indeed a Premium-feature. Sorry, but if it’s any consolation every dollar that is paid for AxCrypt Premium goes into design and development of new features and platforms – the income goes right back into the software.

– You can explicitly sign out of the app. It remains signed in with essentially the same reasoning we have for the desktop app. See http://www.axcrypt.net/blog/leaving-computer-axcrypt/ for a longer dicussion about this. Briefly – use pin codes or Touch ID to lock your phone.

– We could do a partial finger print integration, and we may in the future, assuming that one signs in at least once in order for us to store the password in the phone but there are some fundamental differences between biometric identity credentials and the secret that is required for encryption. Also here, I’ve made a longer argument: http://www.axcrypt.net/blog/encryption-and-biometrics/ .

[AxCrypt SupportModerator]

Hi Julian and George,

As mentioned, yes we did remove that function because it promotes insecure user behavior, and also very seldom actually works. No major email provider will allow you to send .exe-files as attachments. A longer discussion is found here http://www.axcrypt.net/blog/avoid-self-decrypting-files/ .

However, if you for whatever reason cannot ask the recipient to download AxCrypt by including the link to the download page in the email with the encrypted attachment, why not just send the user two files? The encrypted attachment and the portable version of AxCrypt 2 (yes, it’s an executable, so it’s just as likely to fail as a “self-decrypting” archive).

[AxCrypt SupportModerator]

Sorry John, but I can’t help you out here… It’s all there in the source code, but we cannot provide help from AxCrypt.

Maybe someone in the community would like to jump in?

Svante

[AxCrypt SupportModerator]

Hello Derrick,

I am assuming the following:

– You are using AxCrypt 2.
– You have shared the file key with the recipient, by adding the recipient’s email address to the list of users the file is shared with.
– You have sent the encrypted file to the recipient somehow, perhaps via email or by sharing via a cloud storage provider.

The recipient then needs to have AxCrypt 2 installed on his/her computer and has a verified AxCrypt ID account and has set his/her password.

The recipient then double-clicks on the file, signs in to AxCrypt if required, and the file opens.

[AxCrypt SupportModerator]

Hi Shawn,

That’s the beauty of AxCrypt ID account which is based on public key technology.

When you change (not reset) your password for your AxCrypt ID account, *all* files previously encrypted with that AxCrypt ID account will automagically open with the new changed password.

—

Technically, this works because your AxCrypt ID is associated with a public key pair. Each file is encrypted with a random and unique file key. This file key is in turn encrypted and placed in the encrypted file. The file key is encrypted both with the original password using a symmetric encryption key wrap, but also with your AxCrypt ID public key.

When you change (not reset) your password for your AxCrypt ID account, essentially what happens is that you re-encrypt your private key of the key pair with the new password.

So, when opening a file when signed to your AxCrypt ID the following happens:

– Your private key of the AxCrypt ID is decrypted using your sign in password.
– The encrypted file key is located in the .axx AxCrypt encrypted file, and decrypted using the private key.
– The decrypted file key is used to decrypt the actual file contents.

[AxCrypt SupportModerator]

Hi Bruce,

In addition to the correct summary by Barry (thanks), I’d like to point that that 1.7.2976 and 1.7.3156 are essentially identical, with the major difference being a few updates to underlying libraries, and the removal of the Open Candy wrapper in the installer. 1.7.3156 is an entirely clean download. You should always prefer that over 1.7.2976.

[AxCrypt SupportModerator]

Hi Emily (and thanks to Barry for jumping in),

I’d just like to confirm what Barry’s saying – the key sharing feature in AxCrypt 2 should improve usability for your scenario, provided the group of users having access to a given file is not too large. But then again, if it’s say 50 persons – just how much security to do you imagine you’ll be getting with a “secret” password shared with 50 people?

The whole point of AxCrypt 2 key sharing is that you *can* share encrypted files with others *without* sharing any passwords. You do not need to give out your password. You just add the authorized viewers to the list of users to share the file key with.

If you try it out, I think you’ll like what you see and find that it’s actually a great improvement over AxCrypt 1 for your situation.

[AxCrypt SupportModerator]

Hello Bruce,

1. Yes, but why would you want to run 1.7.2976?

2. Not with different passwords, but each user can have his or her own password, and share the key the to file and open it with their own passwords.

3. Not at this time, IIRC. Shredding is a premium feature. This may change soon,

[AxCrypt SupportModerator]

Hello Mark,

I’m guessing that the error message mentions something like “GUID Mismatch” also.

When AxCrypt tries to open or decrypt a file, the first thing it does is check the first 16 bytes of the file content for a “magic sequence of values”, sometimes called a GUID. Each and every file that is encrypted with AxCrypt starts with the same 16 bytes.

This check fails for two known reasons:

1) The file is damaged. This kind of damage is known to occur when the file is encrypted with AxCrypt 1.x, and resides on removable media such as a USB drive, and that media is removed from the computer too quickly without using the “Safe Removal” feature of Windows. In this case, the file may not be completely written, and the first part of the file is lost. This does not typically happen with AxCrypt 2, because we’ve improved the structure of the file in this case to avoid this risk. That’s one of the major reasons AxCrypt 2-files are not quite identical to AxCrypt 1-files.

2) The file is in fact not an AxCrypt file. This typically happens when a user manually renames some file to end with .axx . This causes the file to be associated with AxCrypt, but when AxCrypt tries to open it once again the first thing it does is check those first 16 bytes. If the file then is not an AxCrypt file, you get that message.

[Author]

Posts