Dekko’s key benefit is that anything shared on the platform cannot be decrypted using information on the servers, thanks to end-to-end encryption. The encryption and decryption process can only occur on the user’s device, and Dekko never requests that users pass their passwords over the network, either in open or in encrypted forms. That makes listening to traffic totally useless as no data allowing decryption is passed through the networks at any time.
Dekko uses recognised, efficient and proven encryption techniques, including AES and ECC. ECC is used for encrypting keys and signing all data. Dekko does not use Dual_EC_DRBG, thus eliminating a weak point in the standard ECC design.
Sending and Receiving on Dekko
Sending a message, file or folder is handled using the same encryption process. Anything sent on Dekko is encrypted using a different method to the last, which means that even if a decryption solution is somehow found for a single item, it cannot be applied to any other. All of this is done in the background users can always be confident that their communications are safe without ever having to think about anything other than logging in and sending a simple email.
Verified Send and Receive
Dekko always signs all outgoing messages using the sender’s digital signatures. This uniquely identifies the sender and confirms that the content of the message has not been altered in any way. This prevents any fake messages entering the system; Changing the digital signature is impossible as it requires both the sender’s and receiver’s keys, and they are never passed through the network in open form.
Dekko account registration is straightforward and fast; new users only need to provide a name, email address and password. An email address ownership verification is performed with the address provided, and once this is confirmed, account setup is complete. The password phrase required to decrypt user data is never sent to Dekko servers – only you can ever know your password, and your password is the key to all of your data. Even Dekko’s creators and administrators of data centres and servers have no way of reading user data.
Authentication and authorisation takes place on the server side, and key management happens on the client side. All the communications take place over TLS-protected channels only.
Several layers of encryption are used to protect users’ data and communications:
- Every document and message is protected by a new set of keys and encrypted using AES-256 symmetric encryption to prevent statistics attacks
- Time-stamping message to prevent replay attacks
- Padding messages with random data to prevent “sizing” attacks on encrypted data
- Keys for messages and documents are encrypted using the user’s master key (never available on the server).
- All outgoing messages/documents are signed using private keys to guarantee the identity of the sender and integrity of the message/document. All incoming messages/documents are validated against public keys of the sender.
- Master keys are protected using Elliptic curve cryptography (secp256r1ECC) and users password and salt.
- All network communications are done over TLS 1.2 encrypted channels.
Dekko uses established open source libraries for its actual code. This avoids any potential miss-coding issues. The libraries used are:
- The BouncyCastle cryptography library (open source). This is used in the Outlook plugin and mobile applications. https://bouncycastle.org/about.html
Dekko does not use the NSA-compromised Dual_EC_DRBG algorithm for generating cryptographically secure random numbers.