Our infographic visualizes the technology behind ZKA.
Zero-Knowledge Auth (ZKA) is our new protocol that ensures the highest level of anonymity for our VPN. Most VPN providers are not private at all because they store a lot of information about you, like your name and address, your payment information, and logs about your internet traffic.
There are trustworthy VPN companies who promise not to log your usage of their services. They mostly live up to their promise and do not collect data about you. However, we still put the trust into their hands. If they are subject to a data breach, personal information might still be leaked. And the company itself technically has the power to find out what sites you visit.
ZKA revolutionizes the entire process from registration up to the usage of the VPN. There is no longer the need to share personal information. When you connect to the VPN, you don’t even need an anonymized account number to log in. Continue reading below for a detailed explanation.
ZKA Registration
The first step in using SnowHaze VPN anonymously is to generate a cryptograaphic key pair (Read more about cryptography here). First a secret code is generated by performing random calculation on your device. This ensures that this code is strong. We call it Master Secret and it is the basis for all the following operation.
A key pair (private key and public key) is then derived from your Master Secret. The Master Secret acts as starting point such that the keys derived from it are always the same. Since you are the only one knowing your Master Secret, only you can derive your key pair. The public key is sent to the server, where it is stored as a new database entry. The server only knows the public key and will associate all information like payments and validity to your public key.
The server does not know about your Master Secret, which is why it has to be safely stored. If you loose your Master Secret, it’s impossible to recover your subscription.
Users not wanting to loose the Master Secret have the possibility to register with email and password, like most of us are used to from other accounts. In this case, your Master Secret is encrypted with your password and safely stored on the server. The server cannot see it, since it is stored in an encrypted form. Your email is also not visible for the server because it was hashed (Read more about hashing here). The server never sees neither your Master Secret nor your email nor your password. When logging in, you request the encrypted version of your Master Secret from the server, and decrypt it on your device. Now the Master Secret can be used to derive the key pair and sign in.
Note that at any point you can add email and password to your registration or unlink your email and password from your registration.
ZKA Payment
The next step is to activate your registration by adding a payment. You choose a subscription option and pay either by credit card, or anonymously using cryptocurrencies or cash. Your successful payment is sent to the server along with your public key. The server can then credit your public key. From now on, you are allowed to connect to the VPN server. In order to connect with a VPN server, you must prove that you have the right to access it. This happens using tokens.
ZKA Token Generation
The server regularly (e.g. once a week) generates login tokens. All the newly generated tokens are randomly grouped into boxes and every box is assigned to a user. The server doesn’t know which user gets which tokens, neither which tokens are together in a box. When you want to use the VPN for the first time, your device first requests the box containing the tokens and stores it on your device. After that the new box containing new tokens is regularly updated (e.g. once a week).
ZKA VPN Connection
Before connecting to a VPN server, your device randomly picks a token out of the box and sends it to the server. The server let’s you connect if the token is valid. The only information that is exchanged with the server is the token. Remember that the tokens were randomly put into the boxes, which were randomly distributed among the users. The server only knows the public key of a user, and simply sends the box of tokens to the user that requests it using the corresponding private key. There is nothing tracing back to the public key when you connect to the server.
ZKA VPN Usage
Since you have a valid token, the server let’s you connect. Your internet traffic is now encrypted and rerouted over the VPN server. The IP address that websites see is the one from the VPN server. This hides your true IP address protects your location. The server records nothing about your traffic and cannot tie two separate connections to a user. Enjoy the first truly anonymous VPN service.
ZKA Verification
If you are still reading this, we obviously got you interested. As a clever mind your might ask yourself “Sounds good, but how do I know that what you describe is the same as what runs on the server?”. Good question, we thought you might wonder. You can actually verify this yourself.
There is a dedicated process in an enclave of the server, which is in charge of generating and distributing the tokens. This technology by Intel called Software Guard Extensions (SGX) provides a guarantee that the code running in this enclave was not altered. Since all the code is open source, you can check that the fingerprint of the enclave is the same as the one for the code. This gives you the proof that we are running the very same code on our production servers.
Visit our Github page for the verification script and more details https://github.com/snowhaze/zka-sgx
Related Posts
Download SnowHaze
