Security analysis and peer reviews
Bringing trust and confidence into commercial cryptography
How secure is your system… really?
The problem with security products, especially those providing encryption, is that it’s impossible for users to verify that the system does what it says it does. Bad encryption looks just like good encryption, so how can one be confident in the product?
The marketing claims made by vendors are usually vague and littered with hyperbole, and unfortunately users are forced to blindly trust those claims. Moreover, there’s a fundamental flaw in the reasoning process – just because a vendor claims they use “AES-256”, it does not mean that the encryption is “military grade” or that the data is secure. That is akin to amateur tennis players claiming that because they use Wilson tennis racquets, they automatically play like Roger Federer.
The reality is that there are so many ways to implement encryption poorly. If a product uses AES-256 incorrectly, the security of the system would fall well short of being “consumer grade”.
The brand name of the vendor is also of little consequence. In the past, IBM and RSA, both billion dollar companies, have released fundamentally flawed products.
The Scram approach
At Scram, we took a different approach from the outset. We directly addressed the "snake oil" problem by engaging world experts to design our encrypted file system. This has been followed by rigorous design review by other noted cryptographers and cyber security specialists at the world's leading universities. Our experienced team of research engineers implemented the design and created a set of fuzz and stress tests with the assistance of The University of Melbourne.
Further to our rigorous R&D process, we are proud to be the first-ever vendor of a cryptographic file system to provide a security analysis and peer reviews of our work.
If security is important to you, we recommend that you read our security analysis and peer reviews.
ScramFS Security Analysis
This document summarises the ScramFS security properties, the main cryptographic mechanisms used to achieve those properties and the underlying security assumptions, and provides quantitative security estimates for typical attack scenarios and ScramFS parameters.
Author: Dr Ron Steinfeld
Review of the ScramFS secure file system
This is a review of the ScramFS secure file system architecture. The review focusses on the choice and usage of the low-level cryptographic primitives, and how these prmitives are used to provide the quantified security guarantees described in the security analysis.
This is the first of two peer reviews performed at the University of Melbourne.
Author: Dr Vanessa Teague
The University of Melbourne
Security review of the ScramFS public API
This peer review focusses on the overall security provided by the ScramFS. It is a companion to the earlier review performed by Vanessa Teague, and reviews the higher-level file system aspects of ScramFS. It pays particular attention to examining how ScramFS functions as a complete system, and the different levels of security it provides under both a "curious-but-honest" storage file system, as well as a "curious-and-malicious" storage file system.
This is the second of two peer reviews performed at the University of Melbourne.
Author: Dr Toby Murray
The University of Melbourne
A report on the ScramFS file system
This report is a high level review of the ScramFS secure file system. It examines the cryptographic aspects of ScramFS in both a classical and post-quantum world, in particular its encryption key derivation system and choice of ciphers.
Author: Jintai Ding,
Professor of Mathematics
The University of Cincinnati
Further peer reviews and testing
We are open and interested in submitting ScramFS for further peer reviews and testing on ScramFS, subject to signing a non-disclosure agreement with the reviewer.
We will only consider serious requests from suitably qualified cryptographers and information security professionals. Please contact us if you are interested in performing such a review.
We also plan to conduct a penetration test and implementation review on ScramFS and will be commencing a crowd funding campaign in the coming months.