Mailock encryption Q&A

We've created the following Q&As to provide a bit more information on the technical side of encryption, if you have any further queries please drop us a message, we'll be happy to answer any questions you have.

 

What form of encryption does Mailock use?

 

Beyond Encryption use Advanced Encryption Standard (AES) symmetric block cyphers on all messages.

 

What is the key length in bits, is this configurable?

 

We use AES-256 (i.e., a key length of 256 bits); this is not configurable.

 

Are keys per email or per installation?

 

Multiple keys are used in each message encryption process and are generated on a per-message basis.

 

For Mailock Enterprise, we (securely) provide a unique API-key, installed on the Gateway appliance, which is the authentication token used by the Gateway in all interactions with the core system (over TLS).

 

What happens when/if this encryption scheme is cracked?

 

AES-256 encryption is the standard chosen by the US government to encrypt classified information, so we are confident in the security of the algorithm. Our implementation of the algorithm code is also regularly reviewed by Nettitude, a Lloyds registered security testing organisation, please click here for more information about Nettitude.

 

The message encryption is only one factor to consider though; with Mailock the encrypted files are not made available to the recipient until they have proven that they are allowed to read the message. Compare this approach with systems where the encrypted files are included as attachments to the notification message and are immediately available for any cracking attempt.

 

Someone would need to be able to complete the following before Mailock releases the encrypted message files:

 

  • Know the message ID and key from the notification email
  • Be able to authenticate with Mailock (Mailock account, Unipass account etc.)
  • Pass any challenges associated with the message (email verification, Unipass, challenge Q&A or SMS code)

 

A user’s interaction with the website or API is encrypted with TLS over HTTP.