Frequently asked questions
What's the authentication method used in zkBox?
The authentication to the zkBox storage is performed using the SRP algorithm. By its nature, the SRP authentication doesn't disclose anything about the user's password, but only the fact that the user knows it.
Which encryption algorithms are used in zkBox?
All the user data that is sent to the zkBox server is encrypted using the AES-256 algorithm. The encryption key is derived from the user's password and it's never sent out from user's machine. In this way we're never able to see what kind of data our users are storing. In addition to this, all the information exchanged with the zkBox server is always traveling over a secure HTTPS connection.
Is zkBox completely anonymous?
In zkBox, we're never asking for any personal info like email address, name or other information that will require you to expose anything about your identity. A digest of your login name (so we don't know your login, but only some funny characters derived from it) along with the tokens for the SRP authentication is the only information that we need to authenticate you into the system. Moreover, all the identifiers generated by the system are not sequential, so an eventual attacker will not able to learn the behavior of a given user by observing the traffic (assuming he/she will be able to get into the SSL channel).
From a user's perspective, we can say "Yes, zkBox is completely anonymous and it's not possible to tie an existing user account with a real user", but (there is a "but" here), for performance reasons, the objects stored in zkBox are allowing to specify an extra information called "object type" which is not encrypted when send or stored at the server. This is necessary to allow applications to make more complex queries and ask for a specific class of objects. However, using objects with type is dependent for each application, so if an attacker manages to gain access to the data (either by breaking in into the system or being able to sniff the encrypted network traffic) will be able to gain only some quantitative information about the types of objects stored, but not gaining any access to user's data (because of the encryption with their own encryption keys).
Of course, if you'll like to get in touch with us there will be some sort of details exposed to us, like your email; there are also anonymous alternatives to this.
How fast is zkBox?
The hosted version of zkBox is using Amazon SimpleDB and Amazon S3 as backend providers for storing the system's data. For every request that you're sending to the zkBox servers, none, one or more additional commands will be made internally to the Amazon web services in order to fulfill your request.
We're trying to increase performance here by hosting the zkBox instances in the Amazon cloud, so roundtrips to the backend services are shorter. Moreover, the instances are heavily caching results, so often there is not necessary to request data from the backend services. zkBox is faster than if you're making your own multiple requests from outside of the Amazon network to their services because the zkBox is doing this from inside.
The overhead added by the zkBox instances is minimal as there are only doing few processing, but the response time is highly dependent on the response time of the Amazon's backend services which sometimes can be as fast as 100 milliseconds and other times can last a second or more. This drawback is paid for having the solution highly scalable and with a reliable storage infrastructure provided by Amazon.
If you're running your own zkBox installation and you're using SQL Server as backend, depending on the size of your data, you can have the system running pretty fast as all the infrastructure will be located within your premises, so the latency induced by web service calls will be diminished.