the journey to Beta
It all started in January 2018.
First we created a front-end view with React and began looking into our options regarding cryptography. In the end, together with MyFinancier’s development team, we went with a solution which required us to ask for help from an advisor in the field of cryptography. That’s the level of safety we wanted to achieve.
In order to avoid any information leaks into the database, all the encryption gets done on the front-end side of the browser, by the user’s computer. The technique we use is called Salted Challenge Response Authentication Mechanism or SCRAM for short. SCRAM is a password-based mutual authentication protocol designed to make an eavesdropping attack (i.e. man-in-the-middle) more difficult. It is a way where the client can prove to the server that they know a secret that is derived from the user’s password and the server can prove to the client that it knows the password without sending the password from the database itself.
We used AES-GCM to ensure that the encryption on all the user’s data would be rock-solid and the chances of a hacker breaking in would be essentially zero.
All of the user’s data is put into a protected container and then lastly sent to the database. Basically what the database sees is an encrypted safe and nothing more. When the user later wants to access their data, the database doesn’t know the user’s password but it knows how to make sure that the given password is correct.
The AES keys are 128-bit symmetric keys and it has been calculated that for a supercomputer which uses brute force attacks it would take around 1 billion years to crack the key. That’s the level of security we achieved together with MyFinancier for their web application.
We finished the project in November 2018.