Atomic Mail Security Whitepaper
Version 1.0
Last Updated: October 2024
1. Introduction and System Design
Atomic Mail is a secure, privacy-first email platform focused on protecting users' communications using advanced encryption technologies. Built with multi-layered security, Atomic Mail ensures that user data remains secure from unauthorized access. This whitepaper details the security architecture, encryption methods, and data management practices implemented in Atomic Mail.
The core of Atomic Mail's security lies in client-side encryption processes and a zero-knowledge infrastructure, ensuring that even Atomic Mail cannot access users' messages or private keys.
Why is it Blockchain-Level security?
The term “blockchain level” in Atomic Mail’s security architecture refers to the application of state-of-the-art cryptographic standards and key management protocols often used within blockchain ecosystems. These technologies are employed to provide unparalleled protection and confidentiality.
Atomic Mail incorporates the following key elements:
BIP39 Seed Phrase for Account Recovery and Key Generation
Users are provided with a BIP39-compliant seed phrase, which serves as a secure foundation for generating and recovering their encryption keys. This industry-standard method is widely used within blockchain-based systems to ensure users retain control over their private keys. By utilizing a seed phrase, Atomic Mail allows users to securely back up and restore their keys, ensuring complete data ownership and reducing the risk of key loss.
AES-256 for Symmetric Encryption and SHA-256 for Hashing
To protect data in transit and at rest, Atomic Mail employs AES-256, one of the most secure and trusted encryption algorithms, for symmetric encryption. Additionally, SHA-256 is used for hashing sensitive data. AES-256 provides robust protection for email content, attachments, and other critical data, ensuring that only authorized parties with the correct decryption keys can access the information. SHA-256 ensures data integrity by creating a secure and irreversible hash of user passwords, protecting against unauthorized access.
ECIES for Asymmetric Encryption between Atomic Mail Users
Atomic Mail uses the Elliptic Curve Integrated Encryption Scheme (ECIES) for secure communication between users within the Atomic Mail ecosystem. ECIES is a public-key encryption scheme that combines elliptic curve cryptography with integrated encryption, providing both confidentiality and authentication. This method offers superior security by generating unique encryption keys for each communication session between users, ensuring that emails and shared data are protected from unauthorized access or tampering.
By implementing these technologies, Atomic Mail achieves a level of security and data integrity standards seen in leading blockchain ecosystems, ensuring robust protection for user communications and key management.
2. Data Protection and Privacy
Data-at-Rest Encryption
All data stored on Atomic Mail’s servers, including email metadata and attachments, is encrypted using AES-256, ensuring that even in the event of a compromise, the data remains inaccessible.
Data-in-Transit Encryption
All data in transit is encrypted using TLS 1.3, preventing interception during transmission and ensuring secure communication between users and Atomic Mail’s servers.
3. Key Management
Asymmetric Key Generation
Private keys are generated on the user’s device and never leave the user’s control. These keys are stored locally and are protected by a master password.
Seed Phrase Backup
Users can generate a seed phrase to back up their private keys. This seed phrase can be used to recover encrypted data in case of device loss.
Symmetric Encryption for External Communications
External communications use AES-256, with the key encrypted by a password known only to the sender and recipient.
4. Registration Process in Atomic Mail
When a user, Alice, creates an account in Atomic Mail, the following steps are performed:
- Password Creation: Alice sets her password, which forms the basis of securing her account.
- Key Derivation (Scrypt): Alice’s password is processed using Scrypt to generate a cryptographic key resistant to brute-force attacks.
- Seed Phrase Encryption (AES-256-CBC): Alice’s BIP39 seed phrase is encrypted with AES-256-CBC, using the key derived from her password.
- Password Hashing (SHA-256): Alice’s password is hashed using SHA-256, ensuring that Atomic Mail never stores passwords in plaintext.
Neither Alice’s plaintext password nor her seed phrase is ever stored on Atomic Mail’s servers. Only Alice can decrypt her seed phrase and access her encrypted content.
5. Login Process in Atomic Mail
The login process is designed to secure Alice’s account and data as follows:
- Authentication: Alice enters her username and password. The password is hashed with SHA-256 and sent with the username to the server for verification.
- Encrypted Seed Phrase: Upon successful login, Alice receives her encrypted seed phrase, stored securely in the browser’s local storage.
- Decryption: Alice’s password is used to decrypt the seed phrase locally, granting access to encrypted content.
- Session Security: If the session is refreshed, the decryption keys are cleared, ensuring that the encrypted content remains inaccessible until the password is re-entered.
- Two-Factor Authentication (2FA): Atomic Mail offers 2FA to enhance account security. Users can enable 2FA for an extra layer of protection during login, requiring a one-time code in addition to their password.
6. Sending Emails (Atomic Encryption)
When Alice sends an encrypted email to other Atomic Mail users, the following steps occur:
- Alice Composes the Email and Selects Recipients: Alice writes an email and selects recipients, such as Bob, who are also Atomic Mail users. She then chooses the "Atomic Encryption" method to ensure end-to-end encrypted communication within the Atomic Mail ecosystem.
- Local Encryption of the Email Content Using AES-256: Before sending, a random secret key is generated on Alice’s device. This secret key is used to encrypt the content of the email using the AES-256 encryption algorithm. The email content is now fully encrypted with this secret key.
- Individual Encryption for Each Recipient: For each recipient, a unique encrypted copy of the email is created. The secret key (used to encrypt the email) is itself encrypted using the public key of each recipient. Public keys are generated according to the Ethereum (0x...) standard, and encryption is performed using the Elliptic Curve Integrated Encryption Scheme (ECIES). This ensures that each recipient has their own unique, encrypted copy of the email, which can only be decrypted using their private key.
- Encrypted Email is Sent via SMTP: The fully encrypted email, along with the individually encrypted secret keys, is sent via SMTP. Each recipient receives their own encrypted version of the email, which is inaccessible to anyone else.
- Decryption by the Recipient: When Bob receives the email, he uses his private key to decrypt the shared secret key that was created specifically for this group of recipients. Once he decrypts the secret key, he uses it to decrypt the content of the email using AES-256.
7. Sending Password-Encrypted Emails (for External Recipients)
When Alice creates the email and selects "Password Encryption":
- Alice Writes the Email: Alice writes an email and selects the "Password Encryption" option for added security, then sets a password, a password hint and an expiration date. The email is now ready to be sent with password protection.
- Local Encryption of the Email Content Using AES-256-CBC: On Alice’s device, locally and without any data exposure to external servers, the content of the email is encrypted using the AES-256-CBC encryption algorithm. The encryption key is derived from the password Alice set for this email, processed through a key derivation function (Scrypt) to make brute-force attacks more difficult.
- Storing the Encrypted Content in the Decryption Service: When the email is sent, the email content is already encrypted and is stored securely in Atomic Mail’s Decryption Service. The content remains inaccessible to anyone, including Atomic Mail, until the recipient retrieves it or the set Expiration Date passes. No one has access to the actual content during storage.
- Recipient Receives a Unique Link to the Decryption Service: The recipient receives the email via SMTP, but instead of the email content, they get a unique link to the Atomic Mail Decryption Service. This ensures that the email content itself is never exposed or compromised during transmission.
- Recipient Decrypts the Content Locally on Their Device: When the recipient clicks on the link, they are directed to the Decryption Service, where they enter the password provided by Alice. The content is then decrypted using AES-256-CBC locally on the recipient’s device. At no point does Atomic Mail have access to the email’s plaintext content, ensuring full confidentiality.
8. Privacy and Compliance
8.1 GDPR Compliance
Atomic Mail adheres to GDPR by allowing users to delete their accounts, export their data, and minimize the collection of personal information.
8.2 Zero-Knowledge Policy
Atomic Mail operates under a zero-knowledge policy, meaning that we never have access to the contents of user communications or private keys. All encryption and decryption happen on the client side.
9. Incident Response and Monitoring
9.1 Security Audits
Atomic Mail undergoes regular security audits by third-party organizations to identify and resolve vulnerabilities, ensuring compliance with the highest security standards.
9.2 Bug Bounty Program
Atomic Mail incentivizes security researchers to identify and report vulnerabilities through a Bug Bounty Program, ensuring that any issues are promptly addressed.
10. Conclusion
Atomic Mail is committed to delivering a highly secure and privacy-centric email platform. Through advanced encryption methods, blockchain integration, and a zero-knowledge infrastructure, we provide robust protection for users' data. Regular monitoring and compliance with international security standards further reinforce the reliability of Atomic Mail as a secure communication platform.
For more information, contact us at [email protected].