Notebox - Encrypted 4+

D2D zero-knowledge encryption

Guap Inc.

    • 5.0 • 1 Rating
    • Free
    • Offers In-App Purchases

Description

# V2 Ultimate Privacy

- All user data is stored with D2D zero-knowledge encryption
- Block based flexible editor
- Supports Markdown
- Local-only use on iPhone, iPad and Mac is FREE.

# Subscribe to Sync

- Across all devices
- Real time
- Conflict-Free
- Complete Security
All personal data is stored in personal iCloud.
All synchronization is processed on user device locally.

---

privacy policy: https://notebox.cloud/privacy-policy
terms of use: https://notebox.cloud/terms-of-use

What’s New

Version 3.7.1

- fix(editor): bugs in text composition and modification

Ratings and Reviews

5.0 out of 5
1 Rating

SJMAC1990

Superb

Really awesome app & excellent UI.

Very helpful to keep a running record of tasks, which is synchronised & securely shared readily accessible across all devices.

Functionality is brilliant & the design is minimalist, but with unparalleled style.

Would be appreciated to have further information & summarisation about the security architecture & its implementation in this application.

An independent & impartial security audit & some form of certification would be helpful & a description of what (if any) proprietary or open source code is being implemented, especially with relation to D2D zero knowledge encryption.

Some further information & explanation about what specific "flavour" of D2D zero-knowledge encryption is being utilised & how that has been designed & is being applied would go further to enable users to understand & be further reassured.

I have no reason to question the motives or legitimacy of the developers, but some of the above might prove to be popular & attract further customers!

A future option of device 2FA with a Yubikey 5Ci (or similar product) would strengthen device authentication, authorisation & streamline accessibility.

All in all, this app is excellent & really appreciated.

Secure cloud based note sharing software is a godsend & it is at a reasonable price as well, which always makes the difference !

Highly recommended to one & all. Glad I found it, as it has suited my requirements perfectly.

P.S. If some of this information is available already, please provide it at your leisure!

Developer Response

# Thank you for your review!

In Feb. 2022, Notebox will ship more remarkable improvements.
1. UX/UI improvements on editor especially user-selection and block handling.
2. Spreadsheet and Kanban board.
3. Encryption management.
   1. Change Recovery Key (Password)
   2. Change Encryption Key with device whitelist
   3. Recover Encryption Key with other device
   4. Optional iCloud Keychain usage to store Encryption Key


# About Notebox

Notebox aims to create a multi-platform encrypted storage that is flexible and collaborative with great UX under D2D Encryption.
Since no company has ever tried this, it was a challenge and I wasn't even sure if it was possible.

Since there were several parts that were difficult to satisfy at the same time, rather than deciding on a specification and making a service, we have constructed a suitable specification and architecture while making a service.
So, rather than fund-raising or getting more users, I have been working hard to make my work more perfect.
As a result, Notebox is not informative!

However, Notebox has completed a core that satisfies all of the above.
Because we created a flexible data structure based on CRDT,
modifications are merged at the client-end device without server-side dependence. (not overwriting!)
And it is flexible enough to add tons of features.

As the merge does not go through the server, there is no need to look up the data on the server.
So, Notebox has no reason not to encrypt all data.


# About Encryption

cipher: ChaCha20-Poly1305
PK recovery layer: EPK, PK, Hash, Recovery Key(password)
Data Storage: Notebox Server, iCloud

1. Upon first sign-up, a random private key is generated on the user's device through Apple CryptoKit Library.
   1. With this PK, files such as user images and all note data are encrypted.
   2. And the encrypted data is only stored in your private iCloud.
2. Derive a Hash through the user's recovery key and generate an EPK by encrypting the private key of 1 with this Hash through ChaCha20-Poly1305.
   1. Only the EPK generated in this way is stored in the Notebox Server, and the PK, Hash, and Password are not saved.
   2. Upon re-login, try to restore the PK by applying the process of 2 to the EPK sent from the Notebox Server in the reverse order.
3. The current PK is also stored in the user's Private iCloud Keychain in accordance with the guidelines of Apple SignIn(Additional password after apple sign-in should not be required) and in response to user's password loss. However, after the above mentioned, the features to make iCloud Keychain optional and delete the pre-stored PK will be added through Encryption Management.

Because our encryption layer is completely modular, it will continue to evolve.
Currently, we are considering the use of XChaCha20-Poly1305-IETF and Argon2,
but it seems they will be applied only when they reach a level that is as sufficiently verified and reliable as Apple's officially provided CryptoKit Library and ChaCha20-Poly1305.

In addition, we are currently using the user's private iCloud for data storage;
however, there is a limitation on multi-platform and a sync delay occurs for a few seconds,
so the use of a separate storage is also being considered.
But all data is encrypted, so there would be only pros without cons.

## In summary

In Notebox
- Key generation, encryption and decryption
- Data creation, encryption, decryption, and merging
All of these are done on your device.
Since only Zero-Knowledge Encrypted Data exists outside the user's device,
Notebox achieves D2D Zero-Knowledge Encryption.

1. Notebox server
@purpose: Restoring the key on sign-in
@data: The encryption key (EPK)
@security: Without the user's Recovery Key, the raw key cannot be derived.

2. Your device
@purpose: UX and speed
@data: The raw key and raw data
@security: If the device is not unlocked, it is encrypted at Apple's OS level.

3. Your Private iCloud
@purpose: Synchronization
@data: The encrypted data
@security: Without the Encryption Key, the raw data cannot be derived.

4. Your Private iCloud Keychain
@purpose: Recovery key loss and Apple-SignIn Guideline.
@data: The user's PK is stored and
@security: Unless an Apple admin hacks your personal iCloud Keychain, the raw key is not accessible.
@tobe: This will be optional and user can delete existing PK. (You may use with change Encryption Key feature.)


# Conclusion
Notebox wants to spread to users in a more perfect state.
Sufficient improvements will be made in this Q1.
From Q2, Notebox will become more user-friendly and informative step by step.
Third-party audit, multi-platform, and collaboration are planned after funding, but even before that, we will post it on our website as scheduled.
We will also add more features like 2FA one by one.

Stay Tuned.
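
The key-wrapping flow from "About Encryption" in the developer response above (a random PK, a Hash derived from the recovery key, an EPK stored on the server, the same steps reversed on re-login), shown as an added example in Node.js; it is not Notebox's code and not part of the response. The response does not say how the Hash is derived, so scrypt, the random salt, the `salt || nonce || tag || ciphertext` layout and all function names are assumptions.

```javascript
// Added illustration, not Notebox's code. scrypt, the salt and the EPK layout are assumptions.
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('crypto');

const AEAD = 'chacha20-poly1305', SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;

// The "Hash": a 32-byte wrapping key derived from the recovery key (KDF choice assumed).
function deriveWrappingKey(recoveryKey, salt) {
  return scryptSync(recoveryKey, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Step 2: encrypt the PK under the Hash. The result is the EPK the server may store.
function wrapPrivateKey(pk, recoveryKey) {
  const salt = randomBytes(SALT_LEN);
  const nonce = randomBytes(NONCE_LEN);
  const key = deriveWrappingKey(recoveryKey, salt);
  const cipher = createCipheriv(AEAD, key, nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(pk), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]);
}

// Re-login: reverse step 2. Returns null when the Poly1305 tag does not verify,
// i.e. a wrong recovery key or an EPK that was altered in storage.
function unwrapPrivateKey(epk, recoveryKey) {
  if (epk.length < SALT_LEN + NONCE_LEN + TAG_LEN) return null;
  const salt = epk.subarray(0, SALT_LEN);
  const nonce = epk.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = epk.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const ct = epk.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  const key = deriveWrappingKey(recoveryKey, salt);
  const decipher = createDecipheriv(AEAD, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try { return Buffer.concat([decipher.update(ct), decipher.final()]); }
  catch { return null; }
}

// Constructed sample values: a fresh PK (step 1) and made-up recovery keys.
function demo() {
  const pk = randomBytes(32);
  const epk = wrapPrivateKey(pk, 'constructed recovery key');
  const tampered = Buffer.from(epk);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
  const restored = unwrapPrivateKey(epk, 'constructed recovery key');
  return {
    restored: restored !== null && restored.equals(pk),
    wrongKey: unwrapPrivateKey(epk, 'wrong recovery key'),
    tampered: unwrapPrivateKey(tampered, 'constructed recovery key'),
  };
}
console.log(demo());
```

Whoever holds the EPK can test recovery-key guesses offline, so in a design like this the strength of the recovery key and the cost of the KDF are what protect the PK.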

App Privacy

The developer, Guap Inc., indicated that the app’s privacy practices may include handling of data as described below. For more information, see the developer’s privacy policy.

Data Not Linked to You

The following data may be collected but it is not linked to your identity:

  • Usage Data
  • Diagnostics

Privacy practices may vary based on, for example, the features you use or your age.
