How Shaheen Works
Our secure file sharing system uses advanced cryptography to ensure your files remain private and secure throughout the entire process.
Security Overview
Shaheen uses a combination of cryptographic techniques to provide end-to-end security for your files. Here's how the system works:
Client-Side Encryption
- All encryption happens in your browser before data is transmitted
- Private keys never leave your device
- Files are encrypted with a unique key for each transfer
- Even we cannot access your unencrypted files
Zero Knowledge Design
- We never store your encryption keys on our servers
- Metadata is minimized to protect your privacy
- Our servers only see encrypted data
- Access controls can be set
The Encryption Process
Shaheen uses the Diffie-Hellman key exchange protocol to establish secure keys between sender and recipient, followed by AES-256 encryption for the file data.
Step 1: Key Generation
What Happens:
- When you initiate file sharing, your browser generates a public-private key pair using the ECDH (Elliptic Curve Diffie-Hellman) algorithm
- The private key is stored securely in your browser's IndexedDB storage and never transmitted
- The public key is shared with the recipient through an email
Step 2: Key Exchange
What Happens:
- The recipient receives the sender's public key and generates their own public-private key pair
- The recipient's browser uses the sender's public key and their own private key to derive a shared secret
- The recipient sends their public key back to the sender, who derives the same shared secret using their private key
- This shared secret is never transmitted over the network, but is identical on both sides
Step 3: File Encryption & Transfer
What Happens:
- The shared secret is used to derive an AES-256 encryption key
- The file is encrypted in chunks directly in the browser using this key
- Only the encrypted file is uploaded to our servers and the cloud
- The recipient downloads the encrypted file and decrypts it in their browser using the same shared secret
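The three steps above as one runnable flow, using the Web Crypto API with the algorithms listed under Technical Details (ECDH on P-256, HKDF, AES-256-GCM). This is an added example, not Shaheen's code: the function names, the HKDF label and salt, the 16-byte demo chunk size, the per-chunk nonce layout and the last-chunk flag in the associated data are all assumptions.

```javascript
// Added example, not Shaheen's code. Assumed: HKDF label, salt, chunk size, nonce layout, AAD flag.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = wc.subtle, rand = (n) => wc.getRandomValues(new Uint8Array(n));
const enc = new TextEncoder();
const newKeyPair = () => // extractable=false: private half cannot be exported
  subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]);
// ECDH shared secret -> HKDF-SHA-256 -> non-extractable AES-256-GCM key.
async function deriveFileKey(myPrivate, theirPublic, salt) {
  const secret = await subtle.deriveBits({ name: "ECDH", public: theirPublic }, myPrivate, 256);
  const ikm = await subtle.importKey("raw", secret, "HKDF", false, ["deriveKey"]);
  const hkdf = { name: "HKDF", hash: "SHA-256", salt, info: enc.encode("example-file-key") };
  return subtle.deriveKey(hkdf, ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Unique 96-bit nonce per chunk: 8 random bytes per file + 32-bit chunk index.
function chunkParams(prefix, index, isLast) {
  const iv = new Uint8Array([...prefix, 0, 0, 0, 0]);
  new DataView(iv.buffer).setUint32(8, index);
  return { name: "AES-GCM", iv, additionalData: Uint8Array.of(isLast ? 1 : 0) };
}

async function encryptFile(key, data, size = 16) {
  const prefix = rand(8), chunks = [], count = Math.max(1, Math.ceil(data.length / size));
  for (let i = 0; i < count; i++) {
    const params = chunkParams(prefix, i, i === count - 1);
    chunks.push(new Uint8Array(await subtle.encrypt(params, key, data.subarray(i * size, (i + 1) * size))));
  }
  return { prefix, chunks };
}

async function decryptFile(key, { prefix, chunks }) { // rejects if any tag fails
  const parts = [];
  for (let i = 0; i < chunks.length; i++) {
    const params = chunkParams(prefix, i, i === chunks.length - 1);
    parts.push(...new Uint8Array(await subtle.decrypt(params, key, chunks[i])));
  }
  return new Uint8Array(parts);
}

async function demo(text = "constructed sample file contents, 3 chunks") {
  const sender = await newKeyPair(), recipient = await newKeyPair();
  const salt = rand(16); // public value, travels with the ciphertext
  const kS = await deriveFileKey(sender.privateKey, recipient.publicKey, salt);
  const kR = await deriveFileKey(recipient.privateKey, sender.publicKey, salt);
  const sealed = await encryptFile(kS, enc.encode(text)), [a, b, c] = sealed.chunks;
  const rejects = (chunks) => decryptFile(kR, { ...sealed, chunks }).then(() => false, () => true);
  return { roundTrip: new TextDecoder().decode(await decryptFile(kR, sealed)),
    truncationRejected: await rejects([a, b]), reorderRejected: await rejects([b, a, c]) };
}
```

Without the last-chunk flag, dropping trailing chunks would go unnoticed, because every remaining chunk still verifies on its own.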
How Keys Are Stored
Shaheen uses your browser's built-in secure storage mechanisms to protect your cryptographic keys.
IndexedDB Storage
All cryptographic keys are stored in your browser's IndexedDB, a secure client-side storage system:
Keys Store
- Stores your private keys
- Indexed by public key identifiers
- Never synchronized to servers
- Cleared when you clear browser data
IndexedDB Security
- Same-Origin Policy Enforcement
- Sandboxed Storage
- Limited Exposure to Cross-Site Scripting
Security Note:
If you clear your browser data or switch browsers, you'll need to generate new keys. This is a security feature, as it ensures your keys are not accessible across different environments.
Server-Side Storage
Our servers and the cloud store minimal information to facilitate secure file sharing:
What is Exposed
- Encrypted file data
- Public keys (not sensitive)
- Access control parameters
- Email addresses (can use anonymous ones)
What We Don't Store
- Private keys
- Established Encryption Keys
- User Data (no login)
- Unencrypted file contents
Zero Knowledge Design:
Our system is designed so that even if our servers were compromised, attackers would only have access to encrypted data that cannot be decrypted without the private keys stored only on your device.
Technical Details
For the technically inclined, here are the specific cryptographic algorithms and methods used in Shaheen:
Cryptographic Algorithms
- Key Exchange: ECDH (Elliptic Curve Diffie-Hellman) with P-256 curve
- File Encryption: AES-256-GCM (Galois/Counter Mode)
- Key Derivation: HKDF (HMAC-based Key Derivation Function)
Browser APIs Used
- Web Crypto API: For all cryptographic operations
- IndexedDB: For secure client-side storage of keys