MailSuite Security

MailSuite users who want to synchronise their tagged messages across multiple computers use SmallCubed's Tag Syncing Service. MailSuite applies end-to-end encryption to everything it stores there: data is encrypted before it is sent to the server and can only be decrypted on the user's own devices, using the same Tag Syncing Service profile. SmallCubed never holds the keys used to encrypt or decrypt the data.

When a user creates a profile for the Tag Syncing Service in MailSuite, they provide a contact email and a password. The contact email should be one that they alone control and do not share with anyone else. The password is used to encrypt the private half of the profile's key pair (described below), so it should be strong.

MailSuite takes the contact email and password and gives the user a randomly generated Recovery Code. The Recovery Code should be stored somewhere safe: it is the only way to recover tag data if the user forgets their password. It is never sent to SmallCubed's server, though it is saved in the user's Keychain on that computer, so it is only as protected as that Keychain.

MailSuite creates a public/private key pair on the user's computer and encrypts the private key twice: once under the user's password and once under the Recovery Code. Both encrypted copies of the private key are stored on the server so they can be downloaded and decrypted on the user's other computers (see Setting Up Multiple Devices). The public key needs no such protection.

MailSuite then adds each of the user's email accounts to the profile. For each account, a symmetric encryption key (data_key) is generated on the local computer. This data_key is then encrypted asymmetrically (encrypted_data_key) with the profile public key described above. The encrypted_data_key is sent to the sync server together with a hash of the account email, so that it can be fetched from the user's other machines.

Each session, the encrypted_data_key is fetched from the server and decrypted locally to recover data_key. All tag data is encrypted and decrypted on the client with this key, so the back-end database only ever holds ciphertext.

Setting Up Multiple Devices

The user installs MailSuite on the new device and logs in to the sync server with their contact email and password to prove they are authorised to access the profile. MailSuite then downloads the profile's encrypted private key and decrypts it locally using the user's password. How the login credential is derived from the password is not described here; the end-to-end guarantee depends on the server never receiving the key that wraps the private key, so the login credential and the wrapping key must be separate.

Once the profile private key has been decrypted on the new computer, each account's encrypted_data_key is downloaded and decrypted with it. With the account keys in place, the encrypted tag data is downloaded and decrypted locally, and the tagging information for each message becomes accessible.

Data Collection and Storage

For every tagged message the sync server stores the following:

1) account identifier - a one-way hash of identifying account information

2) a unique message id - a one-way hash of message header information (To, From, Subject, MessageId, Date, CC and X-smallcubed-ID), enough to identify the message uniquely

3) tagging information associated with the message, encrypted with the account data_key

The sync server only ever stores encrypted or hashed data, plus the plaintext bookkeeping fields shown in the sample record below (modification timestamp, profile identifier, serial number). Note that a one-way hash is not encryption: anyone who already holds a message's headers can recompute its id and so tell whether that message has a record, although the tags themselves stay unreadable without data_key.

Sample server record

   {
     "id": "68ezKsyj9LDA/0560qwTB907VKSvqzz",
     "data": {
       "ED": "RcgEk/+QfeK6k3I5XhGaFrR97FKEUGCatWAn6XdiRFs=",
       "MT": 1537420430,
       "PI": "08136532-2207-4cf2-987e-6f70f6c0cbc6",
       "SN": 24667
     }
   }

   id = Record Identifier (the hashed message id)
   ED = Encrypted Data (the tags, encrypted with the account data_key)
   MT = Modification Timestamp (Unix time, seconds)
   PI = Profile Identifier
   SN = Serial Number