End-to-end encryption

Last updated 1 year ago

Why end-to-end encryption?

Many service providers offer encryption in transit (HTTPS connection) and encryption at rest (data is stored encrypted on the servers). However, this does not prevent third parties from accessing sensitive user data. Examples include access by company employees, data being sold for advertising purposes, or a server attacked by hackers.

End-to-end encryption ensures that the only ones who have the ability to decrypt the data are the sender and receiver. No encryption backdoor is possible.

There are two types of end-to-end encryption: symmetric and asymmetric.

Symmetric encryption

The data is encrypted and decrypted with the same unique symmetric key. Encryption therefore requires that both the sender and the receiver know the key. The challenge is to exchange this key securely while preventing it from falling into the hands of a third party.

Asymmetric encryption

With asymmetric encryption each participant has their own public & private key pair to communicate. The public key can be openly distributed, while the private key should be kept secret. The data is encrypted with the recipient’s public key, so that it can only be decrypted with their private key.

Although asymmetric encryption is considerably less efficient than symmetric encryption, its main advantage is that it does not require prior key agreement and thus the key exchange can be safely carried out through the network.

Akord’s encryption

In addition to encryption in transit and encryption at rest, all exchanged data on Akord is end-to-end encrypted. In other words, everything is encrypted locally, before it ever leaves your device.

We use industry standard algorithms to perform all cryptographic operations.

For performance, we use hybrid encryption, meaning that data is encrypted using a unique symmetric key, and then that key is encrypted with the recipient's public key using asymmetric encryption.

It also means that encrypted data can be stored in the cloud once, and access to it can be managed at the key re-encryption level.

Both the symmetric and asymmetric encryption we use apply authentication under the hood, so that data integrity is always ensured and the data cannot be tampered with undetected.

Cryptographic primitives

Cryptographic primitives are well-established algorithms that are commonly used to build cryptographic protocols for security systems.

Hash function

We use SHA-256 for hashing the data, that is, generating a deterministic digest.

  • algorithm: SHA-256

  • library: WebCrypto API

Key derivation function

To obtain a strong encryption key from a user password, we use the Password-Based Key Derivation Function 2 (PBKDF2) by adding a random salt to the password and performing 150000 iterations of the SHA-256 hash function.

  • algorithm: PBKDF2 with HMAC-SHA-256

  • library: WebCrypto API

Symmetric encryption

Any data exchanged within the Akord system is encrypted using a unique, randomly generated symmetric key via AES256-GCM with a random initialisation vector (IV) prepended to the encrypted data.

  • algorithm: AES256-GCM

  • library: WebCrypto API

Asymmetric encryption

We use asymmetric encryption for data access control: the symmetric keys used to encrypt the actual data are then encrypted with the recipient's public key by performing a Diffie–Hellman (DH) key exchange on the Curve25519 elliptic curve.

An ephemeral key pair is generated to establish a key agreement. Once the symmetric key is agreed upon, the data is encrypted using the XSalsa20 stream cipher. A random, unique nonce is also generated and used for authentication.

  • algorithms:

    • key exchange: X25519

    • encryption: XSalsa20 stream cipher

    • authentication: Poly1305 MAC

  • library: libsodium

Digital signatures

All data is signed using the Edwards-Curve Digital Signature Algorithm (EdDSA) with the SHA-512 hash function and Curve25519 elliptic curve.

  • algorithm: Ed25519

  • library: libsodium
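
The key derivation and symmetric encryption steps described above, written against the WebCrypto API as an added example (not Akord's own code). The salt length, the 12-byte IV length and all function names are assumptions; the page only states PBKDF2 with HMAC-SHA-256, 150000 iterations, and AES256-GCM with the IV prepended.

```javascript
// Browsers and Node 19+ expose WebCrypto as globalThis.crypto; older Node needs the require.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;

const PBKDF2_ITERATIONS = 150000; // value stated on the page
const SALT_BYTES = 16;            // assumption: the page gives no salt length
const IV_BYTES = 12;              // assumption: 96-bit IV, the usual size for GCM

// Password + random salt -> non-extractable AES-256-GCM key (PBKDF2, HMAC-SHA-256).
async function deriveKey(password, salt) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns IV || ciphertext || 16-byte GCM tag, with a fresh random IV on every call.
async function encrypt(key, plaintext) {
  const iv = webcrypto.getRandomValues(new Uint8Array(IV_BYTES));
  const ct = new Uint8Array(await subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
  const blob = new Uint8Array(IV_BYTES + ct.length);
  blob.set(iv, 0);
  blob.set(ct, IV_BYTES);
  return blob;
}

// Splits off the prepended IV; rejects when the tag check fails (wrong key or altered blob).
async function decrypt(key, blob) {
  if (blob.length < IV_BYTES + 16) throw new Error("blob too short");
  const iv = blob.subarray(0, IV_BYTES);
  return new Uint8Array(
    await subtle.decrypt({ name: "AES-GCM", iv }, key, blob.subarray(IV_BYTES)));
}

// Constructed sample run: a round trip, then a single flipped bit must be rejected.
async function demo() {
  const salt = webcrypto.getRandomValues(new Uint8Array(SALT_BYTES));
  const key = await deriveKey("constructed sample password", salt);
  const blob = await encrypt(key, new TextEncoder().encode("vault note"));
  const roundTrip = new TextDecoder().decode(await decrypt(key, blob));
  blob[blob.length - 1] ^= 0x01; // corrupt the authentication tag
  const tamperRejected = await decrypt(key, blob).then(() => false, () => true);
  return { roundTrip, tamperRejected, blobLength: blob.length };
}

demo().then(console.log);
```

The salt is not secret but has to be stored alongside the ciphertext, since the same salt is needed to re-derive the key.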