Aviva Zacks of Safety Detective had the opportunity to sit down with Raluca Ada Popa, CTO and co-founder of PreVeil and Computer Security Professor at UC Berkeley. She learned that end-to-end encryption does not have to come at the expense of usability.
Safety Detective: How did you get into cybersecurity and what do you love about it?
Raluca Ada Popa: I started doing research as an undergraduate at MIT and I liked both the real aspect of building systems and the elegance and depth of mathematical theory. Security marries both of them. As part of our security work, we design secure protocols via cryptography, which requires theoretical and principled thinking. At the same time, we are also building real systems, and the blend of these two aspects is what I love. On top of that, better security is something the world really needs.
That’s why I got excited about security. I started taking security classes and cryptography classes as early as my undergraduate studies at MIT and I loved them. I then started doing research in the area very early on, in my second year of undergraduate studies.
SD: What services does PreVeil offer to its customers?
RAP: PreVeil provides end-to-end encryption for file sharing and email, namely, for the common collaboration tools that people use today. You can imagine using file sharing like in Dropbox or email, but without having to worry about the cloud providers seeing your private data or a hacker hacking into the cloud provider or into an administrator’s account.
For example, in the case of a recent attack on Deloitte, the administrator was a central point of attack because the admin had access to a lot of data. In general, in academia, we know that it’s unsafe to have a central point of attack. In PreVeil, no single administrator has access to all the users’ accounts. We are implementing a notion called decentralized trust. Trust is split into multiple entities. You have to attack multiple different people in order to steal all the data, which is harder to accomplish than when targeting only one person.
SD: What industries does PreVeil focus on servicing?
SD: Tell me about PreVeil’s free software.
RAP: Our software is available to individuals on the PreVeil website for free, and it’s also available on the app stores for both Android and iPhone. Anyone can download it and use it, so they can benefit from end-to-end encrypted file sharing and secure messaging. We also have a business version that we sell to the enterprise. This version has the compliance and admin-management features that are needed in a corporate setting.
SD: Tell me how PreVeil reconciles the dichotomy of making the software easy to use while providing end-to-end encryption.
RAP: To explain PreVeil’s techniques, let me first explain how the dichotomy manifests itself. If a user loses their decryption key, with regular end-to-end encryption, they would lose access to their data. Other solutions back up the key at the server, which compromises the point of end-to-end encryption because it’s not just the ends that can decrypt, but the server can decrypt as well.
If there is an attack on the server, the attackers can obtain the key, so they will be able to decrypt the data. This tension is challenging, yet PreVeil manages to reconcile it with the following technique.
Users can break their key into smaller key shards that they can give to other colleagues in their company. When the user loses their key, the colleagues can help the user reconstruct their key.
This is nice because if the user loses their key, they can regain access to their data. Also, none of these colleagues alone could use their shard of the key to attain access to your data. Through this mechanism, we managed to split the trust and keep the system usable because users are not losing their data.
More generally, one of the primary goals of PreVeil is to make encryption very easy to use and to eliminate the barriers to having such security for enterprise messaging.
PreVeil works on all the major platforms so it can be run on Windows, OS X, Android, or iPhone. It also integrates with commonly used email clients like Apple Mail or Microsoft, and very soon, Gmail as well. For file sharing, we integrate with File Explorer and Mac Finder.
SD: What are some of the cyberthreats that people should be concerned about today?
RAP: I think one very common cyberthreat is hacks on the server, where a hacker manages to exfiltrate millions of records. The reason is that software is very complex, and there are always going to be bugs an attacker can exploit.
At PreVeil, we have a very different approach. We assume that attacks on the server will eventually succeed, and we keep the data encrypted on the server without making the decryption key available on the server.
PreVeil also protects against phishing attacks. In the case of phishing attacks, the victim user believes that an email is coming from a friend or someone they know. The victim user could click on a link in the attack email, visit a fake website, and introduce sensitive data into that website thinking it is a legitimate website.
Another attack that has been in the news and has impacted a lot of sensitive records was simply attacking administrators—going after one person that can give access to all the data. Even if that administrator is well-versed in security, at the end of the day they can make mistakes. Further, password breakers today have become very effective. In general, it’s dangerous to have one central point of attack.
SD: How do you see cybersecurity developing in the next five years?
RAP: I believe we have been seeing a lot of progress in the effectiveness of security mechanisms as well as their adoption. At the same time, it is important to make security mechanisms user-friendly because if they’re not easy to use, they will be used incorrectly and will not provide the security they are designed for. This has been one of the main challenges PreVeil has been tackling—to make end-to-end encryption easy to use.
Of course, not all security problems will go away in the next five years (and likely never)—but such improvements significantly reduce the impact of some common types of attackers.