How SKY ECC Stacks Up: Building a Solution Based on Zero-Trust

In our post on the secure messaging landscape, we talked about the security continuum. All security, computer and otherwise, falls somewhere along the convenience vs. security continuum. At the far end of that continuum we put SKY ECC and other device-based solutions. These are very secure ways to communicate, but they come with trade-offs, trade-offs many people don’t mind because solutions like SKY ECC give them peace of mind. If you know your messages can’t be shared, leaked or intercepted, you have the peace of mind to talk about business dealings or to communicate in places where there is internet surveillance. This follow-on post looks at the fundamental difference between SKY ECC and other messaging solutions: trust, or rather zero-trust. We built SKY ECC on a fundamental distrust of technology, and that distrust allows us to keep you and your messages more secure than anyone else.

What does “Zero-Trust Security” Mean?

Our approach to zero-trust is best illustrated by recounting a discussion with someone buying SKY ECC devices for their organization:

Customer: “We would never buy iPhones. We don’t trust Apple not to share our data or have hidden backdoors in the software or devices.” Our response: “That’s good. We don’t trust them either, and here’s how we protect against those risks and potential threats.”

We are not saying Apple has backdoors in their hardware or software. What we are saying is when we built SKY ECC (on BlackBerry, Google, and Apple devices), we approached development with the premise: if the device were compromised, how would we protect SKY ECC and the messages?

This line of thinking goes all the way along the chain from the device, to the OS, to the network, and the app. At each place we said, if this were compromised, how would we protect the rest of the chain? This is why we:
  • Only use devices that meet our security standards.
  • Use mobile OSes that leverage chip-based security.
  • Encrypt all network traffic and prevent SKY ECC from connecting if the connection isn’t secure.
  • Ensure that even if one of the layers of protection is penetrated, the other layers keep messages secure.

Zero-trust trickles down to how the SKY ECC app itself works, its features, and how you use it to stay secure online.

Many end-to-end encrypted (E2EE) apps start by having you enter your email address or phone number. With this information, and access to your contacts, the app finds people you might know. This makes it easier for you to find people and for people to find you. It sounds great on the surface, but it also means you have to trust the directory server: somewhere there is a list of personally identifiable information connected to that messaging account. As the WhatsApp breach taught us, one little piece of information can be used to compromise your privacy and the app that is supposed to be secure.

With SKY ECC you can’t hunt for someone’s ID, add them to your contacts, and start messaging them (or vice versa). Someone must provide you with their ECC ID, which is randomly generated so guessing it won’t help you; then you request to be added to their contacts, and only after the person approves the request can you start messaging them. This is a point raised in our Signal vs. WhatsApp comparison. We don’t force you to trust our server to search for someone (beyond confirming the ID exists in the system); you get contact information directly from the person or through a mutually trusted third party. We engineered SKY ECC so that we don’t tell you whom to trust; you make that decision for yourself.

Why We Build From Zero-trust

Starting from “what if we can’t trust it…” gives us our edge. We think starting from zero-trust is the only way to ensure security. There is a saying, “just because you’re paranoid, doesn’t mean someone isn’t out to get you.” We don’t claim to be paranoid, but we do claim to be careful. We approach SKY ECC from zero trust because we’ve seen what happens when you don’t. Sure, the device you are installing the app onto seems fine, but what if it had been rooted and a key logger installed? Then it doesn’t matter how well encrypted the message is; everything you type is going elsewhere without you knowing it. Or “we only need to encrypt the content of the message, the rest of the data isn’t a big deal”, but metadata is a big deal and can reveal a lot about you. We believe the best way to protect your security and privacy is to do more than encrypt messages. We believe you need to wrap the entire solution in concentric layers of protection.

How does SKY ECC use Zero-trust and Its Layers of Security?

Figure: Layers of security

Part of the zero-trust model we’ve employed for SKY ECC is the idea of concentric layers of protection. There is more detail on our SKY ECC security page, but in short the layers work out like this:

  • Chip-based tamper protection that provides a cryptographic engine for the OS and disables the device if the OS is compromised.
  • OS-level protections leveraging hardware security to ensure the integrity of the OS and prevent rolling back security updates. These protections include using the newest settings for authorizing USB connections and preventing brute force device passcode attacks.
  • Networking protections that protect the connection whether you connect via mobile data or WiFi. When on mobile data, ECC devices connect to our secure network and only our network. We encrypt the traffic itself on top of keeping it on our network, offering additional protection. When using WiFi, the network traffic is encrypted and then passed through our secure gateway, which only allows approved devices through.
  • All SKY ECC devices are managed devices, with options such as Bluetooth, free access to the internet, using USB for data exchange, and downloading apps from app stores disabled. For example, because we restrict where a device can go on the internet (SKY ECC servers only), if a key logger somehow were installed, it couldn’t send the data off the device.
  • SKY ECC is installed within a secure container on the device as part of device management. The secure container is designed so only communications between the app and the server are allowed. You can’t copy or paste information from or into the app. The app can’t access files stored on the device, nor can other apps on the device access SKY ECC data.
  • To access the app you need to enter a password. A separate password is required to access your saved files in the Vault. SKY ECC is protected from brute force login attacks with a combination of limiting password attempts and CAPTCHA protections.
  • When SKY ECC sends messages the metadata and header information is encrypted separately from the message itself.
  • Messages and items saved in the Vault are encrypted with a 521-bit ECC algorithm that offers significantly stronger encryption than any of our competitors. Our competitors using Open Whisper for encryption use Curve25519 with a 128-bit key, and systems using Curve448 use a 224-bit key. While those are still strong encryption, as you increase key size the strength of the encryption increases logarithmically. So 521 bits isn’t four times stronger than 128 bits, it’s many, many times stronger.

Each layer supports and strengthens the others, but none is wholly dependent on them. Compromising a SKY ECC device would require simultaneously breaking several of the layers, including the app itself, without triggering the device or app to lock down and reset. Penetration tests carried out by BlackBerry Security couldn’t penetrate the app and found no vulnerabilities to exploit. We are confident in our approach to security and continue to strengthen each protective layer, enhancing SKY ECC security with each new version update.

How does SKY ECC compare to Other Apps?

There are certain table stakes when it comes to secure messaging. These are givens:

  • messages are encrypted on the device and stay that way until they get to the recipient
  • messages aren’t stored on the server, and especially not unencrypted
  • your private encryption keys are generated on your device and stay there
  • your messages can’t be decrypted by us, not now, not ever

Our competitors worth mentioning meet these criteria, some very well, but we believe we’ve gone the extra mile our competitors haven’t in protecting your messages and privacy. Some of our competitors in the device-based secure messaging sphere manufacture their own devices. This gives them control over hardware and features, but it also means those devices might not have the same cryptographic and tamper resistance that mass-produced devices have. A few competitors have created their own secure variant of Android, which seems to improve security until a patch is needed. How long will it take for the patch to reach their users? Testing a mobile OS isn’t easy; getting a critical security patch out to customers quickly is a challenge even for large companies such as Google and Apple.

This brings us back to the question of why we use devices from Apple, BlackBerry, and Google in the first place. How can we trust them (we don’t, really)? Why not our own hardware and software? Off-the-shelf devices and mobile OSes in wide use give us another advantage: millions of eyes on security. Millions of people have iOS and Android devices. A lot of time and energy is put into trying to hack these devices. If a security hole is found, it becomes public knowledge quickly, and it gets fixed quickly. There is visibility into these devices from how they are made, to their specs, to their operating systems, to their core apps. We couldn’t practically subject a device or operating system we make to the same level of scrutiny as those made by Apple, Google, or BlackBerry.

What is spoofing prevention?

One of the common problems with many chat apps is that users can be impersonated. From spoofing a phone number to weak passwords, it’s possible and it happens, but you can’t fake or spoof an ECC ID. ECC IDs are tied to one device at a time. You can’t have multiple ECC IDs on a single device, nor can an ECC ID be used on more than one device at a time. Switching devices means:

  • deactivating the ID
  • erasing all chats and items saved to your Vault
  • resetting the device back to factory settings
  • then getting the ID reactivated in the system on the new device.

That is a lot of steps, with a lot of safeguards in place to prevent impersonation. Yes, we’ve had people try. They weren’t successful. If someone tries to impersonate you on SKY ECC you’ll know it, because SKY ECC on your device will be disabled. That will raise a red flag for you, and an email to our 24/7 Support. Even if someone has managed to get your ECC ID set up on a different device, that device won’t have any of your previous chats, ongoing chats, or anything you saved to your Vault. Your contacts will know something is wrong because if they try to continue a chat they’ve had with you, the messages won’t go through. The messages can’t go through, because the impersonating device has different encryption keys than yours. Unlike other solutions, if you’ve maintained control over your device, there is little to no way someone could impersonate you on SKY ECC without you knowing.
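The contact-approval flow described earlier and the device-bound keys described just above, as an added Python illustration that is not SKY ECC’s own code: the directory only confirms that an ID exists and relays a request, messaging works only after the recipient approves, and a replacement device that lacks the pairing key cannot produce messages the contact will accept. The random pairing key, the HMAC authentication and all names are assumptions standing in for whatever key agreement and message format SKY ECC actually uses.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class Device:
    """One ECC ID per device; pairing keys never leave the device."""
    ecc_id: str = field(default_factory=lambda: secrets.token_hex(8))  # random, not guessable
    pairing_keys: dict = field(default_factory=dict)   # peer id -> shared key
    pending: set = field(default_factory=set)          # request ids awaiting approval

class Directory:
    """Server side: it confirms an ID exists and relays requests, nothing more."""
    def __init__(self):
        self.devices = {}
    def register(self, dev):
        self.devices[dev.ecc_id] = dev
    def exists(self, ecc_id):
        return ecc_id in self.devices

def request_contact(directory, requester, target_id):
    """Caller must already hold the target's ID (obtained out of band)."""
    if not directory.exists(target_id):
        return False
    directory.devices[target_id].pending.add(requester.ecc_id)
    return True

def approve_contact(directory, approver, requester_id):
    """Only the approver's decision creates a pairing key (hypothetical random key, not real key agreement)."""
    if requester_id not in approver.pending:
        return False
    approver.pending.discard(requester_id)
    key = secrets.token_bytes(32)
    approver.pairing_keys[requester_id] = key
    directory.devices[requester_id].pairing_keys[approver.ecc_id] = key
    return True

def send(sender, recipient_id, body):
    """Return (body, tag), or None if the recipient never approved us."""
    key = sender.pairing_keys.get(recipient_id)
    if key is None:
        return None
    return body, hmac.new(key, body, hashlib.sha256).digest()

def receive(recipient, sender_id, envelope):
    """Accept only what authenticates under the key pinned for sender_id."""
    key = recipient.pairing_keys.get(sender_id)
    if key is None or envelope is None:
        return False
    body, tag = envelope
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
```

A device reactivated with the same ECC ID but a fresh key is rejected by every contact, which is the failure mode the post describes.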

Zero-Trust Leads to More Trust

Trust, especially trust in security, is a hard-won thing. We built SKY ECC so you can trust it with your most sensitive data. We use the zero-trust approach to do the worrying and the “what if…” for you. SKY ECC was born from a fundamental belief that we have the right to communicate in private if we wish. And if you trust us as the tool to do that, your privacy becomes our number one priority. Our zero-trust model works to protect your privacy and communications, so you have peace of mind and can trust that your messages stay private. That, in a nutshell, is what makes SKY ECC different and how it stacks up.