PreVeil’s Security Paradigm

Much of the state of the art in information security focuses on building better and taller walls around enterprise IT systems to prevent attackers from getting the data.

The problem is that these walls are limited in their effectiveness and attackers inevitably succeed in breaching any server. The modern approach to security is based on a completely new paradigm: protecting data even when the traditional IT walls are breached. PreVeil is designed to do just that – it protects data even if servers are breached and admins or passwords compromised.

End-to-end Encryption

PreVeil secures all user data with end-to-end encryption which means that the information is only ever encrypted and decrypted on a user’s device.

The information stored on the server always remains encrypted; the server never sees plaintext data.  PreVeil encrypts each document or message with its own unique encryption key. Even file names and email subjects are encrypted. The decryption keys are never visible to the server. User information remains secure even if an attacker is able to steal it from the server because the information is encrypted and the server does not have access to the decryption keys.

Advanced Key Management

The PreVeil key management system enables sharing, storage and revocation of encrypted data from user devices while hiding the complexities of key management.

Each user is identified by their email address and assigned a public/private key pair.  The user’s public key is stored on the server and is accessible to other users. The private key however is stored only on the user’s devices. When a document or message is created, it is encrypted using a unique symmetric key. This symmetric key is then wrapped (encrypted) with the public key of each user that has access to the document.  When a user accesses the document, the PreVeil software retrieves the encrypted document as well as the encrypted symmetric key.  Their private key unwraps (decrypts) the document key, which is then used to decrypt the document itself.

Admin Security and Key Recovery with Approval Groups

Hijacked or rogue administrators are a significant security vulnerability because they have broad privileges to access an enterprise’s information. An attacker needs to only compromise a single administrator to bring down an entire organization.

With PreVeil’s Approval Groups™, trust is distributed among a set of individuals so that no single administrator can compromise the entire enterprise. Privileged activities requiring access to user keys, emails and files are enabled only after receiving cryptographic authorization from a pre-determined set of administrators.

When an Approval Group is set, the designated users’ keys are cryptographically fragmented using the Shamir Secret Sharing technique. Each member of the Approval Group is only granted access to a key fragment encrypted under their public key. Individual admins never can access all of the key fragments by themselves and neither can the attacker. Only when the required number of approvals are granted, the user keys can be cryptographically reconstructed.

No Additional Passwords

Password proliferation is a big problem for two reasons – ease of use and security.

In the PreVeil system, users don’t need to create nor remember any password. Instead, the system relies on strong cryptographic keys to confirm a user ‘s identity. PreVeil has no access to them. A user’s private key functions as a password except, unlike conventional passwords, it is a number with dozens of digits. Unlike password-based systems that can be accessed from any device, only devices authorized by the user have access to their key and data.