NEWS FROM THE LAB - Tuesday, December 3, 2013

Good Passwords are KEY Posted by Sean @ 15:47 GMT

Today marks the official launch date of F-Secure KEY. (Our new password assistant application.)

But we're guessing that it hardly feels like an especially busy day for product manager Juha Torkkel. He's been in full gear ever since Mikko tweeted about KEY's "soft" launch one week ago.

Which then didn't turn out to be so soft: Juha was immediately peppered with questions about KEY's encryption.

And so he produced a quick FAQ for our community knowledge base.

Here's the FAQ as it currently exists:

F-Secure KEY data encryption (in a nutshell)

  •  F-Secure KEY uses the Advanced Encryption Standard (AES-256) algorithm in CCM mode (CTR with CBC-MAC) for encryption to protect your sensitive data. The security of AES was carefully analyzed by many crypto experts prior to selecting it as a recommended algorithm for modern data encryption.

  •  The encryption key is derived from your master password using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm specified in Public-Key Cryptography Standards (PKCS) #5. In PBKDF2, we use Hash-based Message Authentication Code (HMAC) with SHA-256, random salts and 20,000 iterations. This makes it much more difficult to recover the keys through exhaustive search or dictionary attacks, even for weak passwords.

  •  Each password record is individually encrypted using a unique and strong random encryption key. The record-specific keys are encrypted using a master encryption key which is derived from your master password using the PBKDF2 algorithm.

  •  Your master password and the master encryption key are never stored anywhere. The encryption keys live only when you use the product. There is no way to recover your password or data if you forget the master password.

  •  When we developed F-Secure KEY, our guiding design principle was: "We don't need to know who you are. We just hope you like the product." Consequently, all the F-Secure KEY users are fully anonymous. We don't track you in any way, even when you synchronize your data across devices.

  •  The F-Secure KEY servers are owned and operated by F-Secure within the European Union in compliance with Finnish law and applicable EU rules.


And here's an additional Q&A:

Can F-Secure KEY decrypt my information?

Question: You state that my information is encrypted. What encryption do you use, and are you able to decrypt my information and hand it over to a third party?

Answer: We use AES-256 encryption in CCM (counter with CBC-MAC) mode. We have no way of decrypting any information that you have saved. In addition, anyone using F-Secure KEY is anonymous to F-Secure, so we have no way of identifying an individual user's data. So we never see any of your information at any stage, and therefore we can't decrypt it or hand it over to a third party.

Both the choice of encryption and anonymity of users were conscious decisions made to improve the security of the product and protect the privacy of people using it.
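The FAQ above describes a two-level key hierarchy: a master key derived from the master password with PBKDF2-HMAC-SHA256 (random salt, 20,000 iterations), a fresh random key for every record, that record key wrapped under the master key, and the record body encrypted under the record key, all with AES-256-CCM. The Python below is an added worked example of that design, written for this post; it is not F-Secure's code and says nothing about how KEY actually lays out its data. It uses the standard library's hashlib.pbkdf2_hmac and the third-party cryptography package's AESCCM. The 16-byte salt, the 13-byte CCM nonce, the use of the record name as associated data, and the on-disk record layout are assumptions the FAQ does not specify.

```python
"""Password-vault key hierarchy in the style described by the F-Secure KEY FAQ.

Added example, not F-Secure's code. Master key = PBKDF2-HMAC-SHA256(master
password, random salt, 20,000 iterations); each record gets its own random
256-bit key; the record key is wrapped under the master key and the record
body is encrypted under the record key, both with AES-256-CCM. Only the salt,
the wrapped key and the ciphertext are ever stored.
Requires the third-party `cryptography` package for AES-CCM.
"""
import hashlib
import os
from dataclasses import dataclass, field

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

PBKDF2_ITERATIONS = 20_000   # iteration count stated in the FAQ
SALT_LEN = 16                # assumption: the FAQ gives no salt size
KEY_LEN = 32                 # AES-256
NONCE_LEN = 13               # assumption: longest nonce CCM permits (7..13 bytes)


@dataclass
class StoredRecord:
    """Everything the vault keeps (locally or on a sync server) for one entry."""
    wrapped_key: bytes   # record key sealed under the master key: nonce || ct+tag
    ciphertext: bytes    # record body sealed under the record key: nonce || ct+tag


@dataclass
class Vault:
    salt: bytes
    records: dict = field(default_factory=dict)   # name -> StoredRecord


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 exactly as the FAQ describes it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-CCM with a fresh random nonce; returns nonce || ciphertext+tag."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESCCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of _seal. Raises InvalidTag on a wrong key or tampered data."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESCCM(key).decrypt(nonce, body, aad)


def new_vault() -> Vault:
    return Vault(salt=os.urandom(SALT_LEN))


def add_record(vault: Vault, master_password: str, name: str, secret: bytes) -> None:
    master_key = derive_master_key(master_password, vault.salt)
    record_key = AESCCM.generate_key(bit_length=256)   # unique per record
    aad = name.encode("utf-8")   # assumption: bind each blob to its record name
    vault.records[name] = StoredRecord(
        wrapped_key=_seal(master_key, record_key, aad),
        ciphertext=_seal(record_key, secret, aad),
    )
    # master_key and record_key go out of scope here; nothing derived from the
    # password is persisted except the salt.


def read_record(vault: Vault, master_password: str, name: str) -> bytes:
    master_key = derive_master_key(master_password, vault.salt)
    rec = vault.records[name]
    aad = name.encode("utf-8")
    record_key = _open(master_key, rec.wrapped_key, aad)   # wrong password fails here
    return _open(record_key, rec.ciphertext, aad)


def change_master_password(vault: Vault, old_password: str, new_password: str) -> None:
    """Re-wrap only the record keys; the record bodies are not touched."""
    old_key = derive_master_key(old_password, vault.salt)
    vault.salt = os.urandom(SALT_LEN)            # fresh salt for the new password
    new_key = derive_master_key(new_password, vault.salt)
    for name, rec in vault.records.items():
        aad = name.encode("utf-8")
        record_key = _open(old_key, rec.wrapped_key, aad)
        rec.wrapped_key = _seal(new_key, record_key, aad)


def demo() -> dict:
    """Constructed sample run: one record, a password change, a wrong-password attempt."""
    vault = new_vault()
    add_record(vault, "correct horse battery staple", "mail", b"hunter2")
    body_before = vault.records["mail"].ciphertext
    change_master_password(vault, "correct horse battery staple", "new passphrase")
    try:
        read_record(vault, "correct horse battery staple", "mail")
        old_password_rejected = False
    except InvalidTag:
        old_password_rejected = True
    return {
        "plaintext": read_record(vault, "new passphrase", "mail"),
        "body_unchanged_after_rekey": vault.records["mail"].ciphertext == body_before,
        "old_password_rejected": old_password_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file shows what the design buys in practice: after change_master_password the record bodies are byte-for-byte unchanged (only the small wrapped keys are re-encrypted), the old password is rejected by the CCM authentication tag rather than by any stored password hash, and nothing derived from the master password survives between calls except the salt. The iteration count is the FAQ's 2013 figure; in a real vault it belongs in the stored metadata so it can be raised later without breaking existing data.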


One password to rule them all.

[Image: a young woman holding what appears to be an Ikea coffee cup in one hand and a smartphone in the other.]

Just another day in Finland.


KEY is free for use on a single device; an optional paid service syncs your data across devices.

Application download links can be found here: F-Secure KEY.