Cubeitz Unified Data Management Solution (UDMS)
Let us explains why we created Cubeitz UDMS, its next-generation multi-level encryption, and demonstrate how Cubeitz can scale from a single user right up to an Enterprise solution hosted within the Cubeitz Cloud or within a company’s network, and how simple it has become to securely store and share data with the worlds most advanced UDMS all designed explicitly to meet these needs.
The reason we created Cubeitz
The widespread use of computers and electronic devices, combined with the online nature of our everyday lives means that we are sharing more information electronically than ever before.
The world has moved rapidly towards cloud computing where your private data is held on internet-based computers and transferred over a global public network, managed by anonymous individuals who have been providing the space for you to share your personal files. Most people with a phone or tablet use some form of online backup to store information in the cloud and even our interactions with government departments require us to share information electronically.
Set against this backdrop, we have the inevitable challenges. Whether it be from hackers, insider access or genuine employee error introducing a vulnerability into the workspace, confidential information vital to your business, occupation or your personal home files are at risk.
The security industry is continuously playing catch-up (or as we call it ‘Patch-Up’), where hackers find vulnerabilities in computers or technical infrastructure they may obtain information up until the security vendors’ Patch-Up’ and seal that known hole.
Cubeitz has been developed to allow you to regain control of your data. It is not designed to replace or change the solutions you are already using but work with them, ensuring any information you store or share is encrypted and protected.
So why isn’t everything encrypted already?
The encryption problem.
The answer to this is time and cost. Before the arrival of Cubeitz adding encryption to existing technology was not a simple solution. Encryption is a complex process, and when implemented most effectively, it requires experience in ensuring it works efficiently.
Currently, encryption software is typically employed to protect corporate or business-sensitive data by organisations with the budgets and teams to manage their security. However, many users are locked into systems and technologies which frustrate them and decrease productivity, generally due to their complexity or non-intuitive design.
As a result, many personnel who should be utilising encryption to protect critical or sensitive information may attempt to use other methods, or, bypass the use of encryption altogether.
An example of the shortcuts currently being used to bypass encryption is the continued growth of cloud-based file-sharing tools such as Dropbox and WeTransfer. Such tools leave confidential files unencrypted not only locally, but also potentially allow external parties to gain access to if they manage to reach external servers.
Encryption technology such as AES 256 is in widespread use and is considered sufficient for day-to-day commercial activity, although banks and other specialist users employ enhanced encryption strength. With powerful encryption, the generation of specific keys is required and is a difficult task which does not allow easy data sharing or portability, mainly if the encryption method is via specialist hardware.
What is encryption?
To generalise, encryption is measured in ‘bits’ and additionally, the type of encryption used has a significant outcome on its value. Most companies and security vendors use the Advanced Encryption Standard formulas and encode data in either 128 or 256 bits. This for many years, has been regarded as secure. Recently there have been concerns raised questioning these encryption formulas.
The industry is now looking at 1024 and even 2048 bits of encryption as a standard for encrypting information. This, of course, affords additional security; however, the disadvantages of larger encryption keys are a significant decrease in the speed of encryption.
Example: A music file encrypted with 128bits can be encrypted and decrypted in under a second. With a 2048bit encryption key, this can take over 60 seconds. With multiple or large files, encryption becomes a hindrance to the computing experience.
Anything which frustrates users risks misuse. This necessitates a technology that does not slow down data encryption, and also, increases the bit strength from 256 to over 3000 times higher at 1,000,000 bits. This increased level of encryption is becoming increasingly important as the sophistication of those trying to gain access to the data we store increases. There are now several challenges to the standard approaches to encryption which are raising these concerns:
• Malicious software
• Data and physical theft
• Hacking tools/network sniffing/man in the middle attacks
• Crypto breaking, Crypto Key guessing.
• Vulnerable components
• Bad security design transparent, efficient and usable user experience.
The Cubeitz Unified Data Management Solution (UDMS)
Cubeitz is designed to deliver a transparent, efficient and intuitive user experience that hides all complexity, references, and management of the cryptographic process using a highly intuitive and easy to use interface. The Cubeitz approach to both cryptography and the human interface is to make it as user friendly as possible.
This is accomplished by a unique framework of distributed keys and encryption, providing the user with an environment where data and critical applications operate within a Cubeitz protected environment. The Cubeitz framework is based around one million bits of encryption that secures local and remote data from access by unauthorised users. It does this by the controlled delivery of a unique encryption key that is never stored in, or accessed by, remote cloud vendors, therefore making the data totally secure.
Cubeitz is designed so that keys and data can be separately managed while continuing to allow the use of accessible cloud-based storage and sharing functions. For example, Cubeitz users can store data in Dropbox and Cubeitz can manage the keys, making the data unintelligible to anyone accessing it without the correct key.
Local storage and third-party clouds Cubeitz separates the data from the cryptographic keys, allowing data at rest to be stored anywhere the user wishes to do so, including shared locations. In other words, Cubeitz protected data can be stored anywhere, including cloud storage, external hard drives, flash keys, local drives, etc. without compromising security.
Cubeitz works with data at the file level. This means that when encrypted data is stored in external cloud products, those products can treat the encrypted data as separate files. This enables them to synchronise changes more efficiently. Cubeitz currently supports Cubeitz own cloud and the following cloud providers: Dropbox, Box, Google Drive, iCloud, OneDrive, Office365, plus the ability for users to specify their file location for cloud syncing technology.
No single cloud or storage vendor is used to store the two components necessary to break the encryption (the data and the key). Both are stored separately, and, in the Cubeitz architecture, that means that the key and the cloud are entirely separate entities, so no external organisation has any access to all the elements to reconstruct or access confidential information.
The flexibility of Cubeitz means that as a user, you can store and secure your data across multiple locations with those fully integrated listed below:
• Local and removable hard drives
• Flash drives and memory cards
• File sharing – Dropbox, Box
• Cloud drives – iCloud, Google Drive, Amazon Drive, One Drive, Alibaba Cloud
• Document management – Office 365
The underlying technology of Cubeitz utilises multi-level encryption. Data imported into Cubeitz and the encryption key generated is divided into multiple packets, the order of these packets randomised, each packet then has its layer of encryption added before an additional layer of encryption is applied overall. Half of the encryption key is then sent to the Cubeitz server for secure storage via an encrypted communication tunnel.
The keys are delivered in a secure process to our customers and stored in a way that obfuscates any relationship between the user and the user’s data. Secure data stored inside Cubeitz can never be decrypted without a user’s authentication.
Every business or personal file you share has its own unique encryption key. Everything is byte-level compiled on the server. The executable server is secure in its own virtual disk encrypted environment, making it impossible to reverse engineer our source-code. This makes us far more secure because of the way it decrypts the data and communicates locally.
Written in a byte-level compiled language and optimised for performance, so it runs as fast as possible on the processor (most languages that go through several levels of interpretation before they are executed and have their virtual environments which slow them down). The source code is compiled at the lowest possible place for maximum performance. The Cubeitz code has been compiled in an efficient manner and the executable heavily encrypted so it cannot be viewed or tampered with. All the references internally to the executable are not visible, making it significantly more secure than other technology – ‘Security through obscurity’.
Cubeitz security features:
In our experience people tend to prefer the path of least resistance, therefore we provide an easy, convenient way to sign in and access data from authorised devices whilst reducing risk from phishing and password attacks.
Today we use two-factor authentication to verify authorised users, this will soon be enhanced with text, application and biometric along with automated in-flight identity management.
Transport Layer Security:
TLS protocol provides privacy and data integrity across communicating applications, it does this by using public-key cryptography before sharing data between, for example, a client web browser and a server.
A form of data masking where data is purposely scrambled to prevent unauthorized access to sensitive materials. This form of encryption results in unintelligible or confusing data.
The packet carrying capacity of our payloads are purposefully limited, the frequency are random, and the armoured method of data packet transmission varies.
We use open-source crypto_box functions. These functions use X25519, which is an ECDH algorithm over Curve25519. It also uses XSalsa20 and Poly1305 for symmetric encryption.
We use open-source crypto_aead_xchacha20poly1305_ietf(). As its name suggests, it uses the XChaCha20 algorithm with a 256-bits key size, a 192-bits nonce, and a 128-bits MAC size.
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. We use open-source crypto_sign functions with Ed25519 keys.
For general-purpose hashing, we use open source crypto_generichash function, which uses the BLAKE2b hash algorithm. Server-side we use Argon2 by Golang’s x/crypto that is salted with a 32-bits randomly generated salt.
We utilise a set of functions to generate unpredictable data, suitable for creating secret keys. We use the random generator provided by the Sodium library.
• We have distributed our architecture to force a separation between encrypted data, identity management, Cryptographic materials and Key Management.
• All network traffic is AES 256 encrypted, and the Cube file is encrypted with another overall level of AES 256.
• All decryption keys themselves are encrypted both on the server and inside the cube file.
• All encryption keys are split and stored in multiple locations.
• Multiple encryption keys are used to access different field data.
• Decryption key pieces are distributed across multiple locations, meaning that penetration of the server or the file cube will not compromise the data.
• Decryption keys are randomly spliced, meaning that penetration of both the server and the file cube will not compromise the data.
• Enhanced Key length increases security – decryption keys are usually very long, over 100 characters each.
• The file data is split into multiple parts, and random passwords are used for each part.
• Random data is inserted into the encryption at various points to lessen the chance of brute-force decryption techniques.
• The file and folder names are obfuscated and visible only within Cubeitz, preventing hackers from knowing which files or folders contain valuable data.
• All data is compressed before encrypting not only to save space but also to reduce the chance of finding binary patterns for matching common letters or words.
Cubeitz – The process
Although we use industry standards we have built a process and wrapper around these standard technologies to create a unique solution in how we protect data, and that process fundamentally involves the following five steps:
• As data is imported into Cubeitz, an encryption key is generated.
• Half of the encryption key is then itself encrypted and sent to the Cubeitz server (Cubeitz Cloud products) for secure storage via a secure encrypted communication tunnel.
• The actual data/file imported into Cubeitz and the remaining half of the encryption key is then divided into over 7000 individual packets.
• The parts of the key are then hidden within each of the packets of data, and each packet is then individually encrypted using AES256.
• The order of the packets is then randomised before an additional layer of encryption is applied overall.
The process means any hacker attempting to access data encrypted in Cubeitz would have to attempt to decrypt the outer layer, decrypt over 7000 individual packets of data, find the parts of the key hidden inside, work out the correct order of the randomised packets, obtain half of the key hidden on the Cubeitz server (which is encrypted and obfuscated to hide all relationships between the key and the user data) and try to marry them together. Also, for the record, this is only the part of the processes we reveal.
The keys are delivered in a highly secure process to our customers and stored in a way that obfuscates any relationship between the user and the user’s data. Even if Hackers were to compromise both the data location and our servers, any references to the relationship are hidden, rendering access completely useless without the users’ authorisation and password.
Cubeitz – Flexibility
Data storage – we are agnostic and independent from the data storage location selected. We protect data on any local drive, removable or flash drives and cloud locations. We are developing technology partnerships with a number of cloud storage providers, allowing us deeper integration.
API’s – the core engine behind Cubeitz that processes the data and creates the encryption and security is the same across all variants of the solution. This engine has an open set of APIs or businesses and partners who are looking to integrate the power of Cubeitz into their existing applications and business processes.
You are in control of how you use Cubeitz
Multi-level user access – Cubeitz has been developed to support multiple and complex organisational structures as we appreciate clients will want to use Cubeitz in different ways. The user management within Cubeitz is granular and allows you to manage who can access files, folders, or whom you share information with. Restricted access to files/folders, restrict or deny the opportunity to share and download. This can be altered to suit the operational requirements/demand. Thus access to and action within are monitored ensuring accountability.
We are agnostic and independent from the data storage location you select.
Tiered approach – as the Cubeitz platform is built on a single-engine, we can use the same powerful encryption and security through all of our market offerings. This also means that as your needs and demands change you can easily increase the number of users, volumes of storage or level of integration with our platform. This can equally be reduced in the same way, so you are in control of how you use Cubeitz and not paying for services you no longer use.