PreVeil’s Security Paradigm

The problem is that these walls are limited in their effectiveness and attackers inevitably succeed in breaching any server. The modern approach to security is based on a completely new paradigm: protecting data even when the traditional IT walls are breached. PreVeil is designed to do just that – it protects data even if servers are breached and admins or passwords compromised.

The information stored on the server always remains encrypted; the server never sees plaintext data.  PreVeil encrypts each document or message with its own unique encryption key. Even file names and email subjects are encrypted. The decryption keys are never visible to the server. User information remains secure even if an attacker is able to steal it from the server because the information is encrypted and the server does not have access to the decryption keys.

Each user is identified by their email address and assigned a public/private key pair.  The user’s public key is stored on the server and is accessible to other users. The private key however is stored only on the user’s devices. When a document or message is created, it is encrypted using a unique symmetric key. This symmetric key is then wrapped (encrypted) with the public key of each user that has access to the document.  When a user accesses the document, the PreVeil software retrieves the encrypted document as well as the encrypted symmetric key.  Their private key unwraps (decrypts) the document key, which is then used to decrypt the document itself.

With PreVeil’s Approval Groups™, trust is distributed among a set of individuals so that no single administrator can compromise the entire enterprise. Privileged activities requiring access to user keys, emails and files are enabled only after receiving cryptographic authorization from a pre-determined set of administrators.

When an Approval Group is set, the designated users’ keys are cryptographically fragmented using the Shamir Secret Sharing technique. Each member of the Approval Group is only granted access to a key fragment encrypted under their public key. Individual admins never can access all of the key fragments by themselves and neither can the attacker. Only when the required number of approvals are granted, the user keys can be cryptographically reconstructed.

In the PreVeil system, users don’t need to create nor remember any password. Instead, the system relies on strong cryptographic keys to confirm a user ‘s identity. PreVeil has no access to them. A user’s private key functions as a password except, unlike conventional passwords, it is a number with dozens of digits. Unlike password-based systems that can be accessed from any device, only devices authorized by the user have access to their key and data.