ELI5: The x.o.ware solution works by establishing a secure tunnel directly from your laptop, using your XOkey, to your XOnet at your house or office. The website you are accessing will think you are wherever your XOnet is.
Use your XOkey anytime you are using an open wireless access point to ensure a secure, private connection back to your trusted network at home or office.
x.o.ware’s Virtual Private Exonetwork (VPEx) works by pairing a key (XOkey) with a gateway (XOnet) at the hardware level. Your gateway is connected to a trusted network at work or at home. When you travel away from your trusted network and have to use an open wireless hotspot, the paired key and gateway work to create a virtual network that is authenticated by both a hardware key AND a password. It’s like your own VPN service that you control.
Need more? x.o.ware utilizes open source encryption software and protocols, in combination with low cost hardware and an extremely simple user interface, to expand the usefulness of traditional Virtual Private Network (VPN) technology.
VPEx was created to also provide secure access to the Internet from public networks and, ultimately, end-to-end encryption.
In addition to expanding the scope of a user’s trusted network (there is no longer just a LAN and the Internet), x.o.ware also minimizes the dependency on unknown third parties for key management. That’s a big deal. Why?
Because VPEx reduces or eliminates the potential exposure of those encryption keys. It relies on exchanging keys between gateways and clients over a private, point-to-point physical interface – USB, with no computers in that path. This physical connection is critical to establishing secure relationships between two parties, and demands that the relationship is always between two hardware devices. As a result, a piece of hardware must always be connected to the computer (or phone or tablet) to create the secure connection, which demands a small, low-cost but powerful hardware platform.
VPEx is essentially a point-to-point connection. Its underlying protocol is IPSec, which usually defines how keys are managed and exchanged. However, because x.o.ware requires that keys are stored on hardware devices that must be present for all secure communications, there are no third-party certificate authorities (CAs) that issue or manage keys. Instead, the two endpoints manage the keys, as peers. When a client device wants to establish a secure relationship with a gateway (all encrypted communication sessions are set up or terminated by gateways), it creates the key pair and gives it directly to the gateway.
Before the two devices are used, a Secure Relationship must be established. The user does this, not a manufacturer, service provider or certificate authority. The XOnet generates a 2048-bit RSA key pair for the relationship, and passes the encrypt and decrypt keys to it over the USB port.
After the relationship is established between devices, the keys are never permitted to leave them. There are no mechanisms in either device’s firmware to export keys, or read them out in any way. When it comes to keys, they are effectively write-only devices. The microprocessors in both products have crypto accelerators, which perform all of the encryption and decryption. As a result, the keys can never be extracted from either device. That’s the power of hardware encryption.
REALLY? OK. You can’t spoof it or even copy it; you need that unique piece of hardware to connect… Kinda like the key to your house. It’s as close to end-to-end encryption as we can get right now. Hardware doesn’t just encrypt, it authenticates that you have connected the XOkey to your computer, and know the password.
There are many ways to build the encrypted Internet, and most solutions rely primarily on software. We don’t agree with that approach. We believe a software-only solution has vulnerabilities that can be exploited by properly motivated people with knowledge of security holes in software, and there are always holes. Beyond less-than-perfect software, sometimes the security holes aren’t caused by software, but by negligence (leaving a server open) or criminal activity (breaking into a server) that provides an opening that even properly designed software cannot protect against. And then there are viruses and malware that take over a computer at the lowest levels, where security software cannot protect the computer. If your security software is running on a computer that becomes compromised by malware, the malware can trick the security software.
Also, most encrypted Internet schemes rely on third parties to provide certificates that the two parties who are communicating can trust. In theory, that’s not a bad idea, but in reality, those third parties often get compromised, which puts all of their clients at risk.
Many security experts believe that the best way to protect private information is to use end-to-end encryption, where data is encrypted before it leaves a computing device, and is decrypted only by the recipient’s computer.
We agree with those experts, and building an encrypted Internet was the primary motivation for starting x.o.ware.
Soon! That’s why we started the company. While securing Internet access from insecure locations is absolutely important, end-to-end is even more critical. We are working on this!
Our future plans for the XOkey will allow you to create Secure Relationships between XOkeys to enable end-to-end encryption. Having a hardware client device will make future end-to-end encryption more secure. 😉
No, the XOkey is only one endpoint. There must be an XOnet that your XOkey can connect to securely.
Yes, it is easy, and you can actually connect many XOnets to many XOnets while also connecting to them remotely with XOkeys. You just have to register the remote XOnet with the local one, and exchange keys.
Yes. However, we haven’t designed in a limit to the number of gateways, so if you try to register it with thousands of XOnets, YMMV.
Lots. We haven’t designed in a limit to the number of XOkeys that can be registered on one XOnet. However, the more important limit is the number of XOkeys that are simultaneously connected to your XOnet. They will all be sharing the bandwidth of the XOnet’s Internet connection, and its encryption power.
A little, around 10-15%. However, this speed will be limited by the speed of the slowest connection, which would usually be the speed of your home Internet connection or the network that you are connecting from. Open WiFi networks are usually not very fast, so they can be the limiting factor.
The x.o.ware solution will also increase latency, as data must first be encrypted and sent to the XOnet, which decrypts it and forwards it to the intended web server. For most Internet access the difference may not be noticeable, but you might not want to play Internet-based games over it.
No. When the XOkey is registered with an XOnet, they exchange keys over the USB interface. So from your laptop to your XOnet at home, your data looks like noise. You’re protected!
The NSA, with their relationships with ISPs, can get access to your Internet connection at home, so they can see the data as it travels from there, since it isn’t being encrypted by x.o.ware at that point.
To keep your data private when it leaves your home, you need end-to-end encryption.
Android devices can connect to the XOnet without an XOkey, using the free StrongSwan VPN Client app in Google’s Play store. Unfortunately, we do not yet have support for iOS. If you have experience with IPSec and iOS (or know someone who does), please contact us about helping us get there.
We initially used OpenSSL, but the performance was not up to our standards. The throughput was too low, even for what passes as broadband in many parts of the U.S. The switch was painful, adding months to our schedule, but connection speeds are important.
Go to the XOkey page in the User Interface for any XOnet it is registered with, and either disable or delete the XOkey.
Since there is no mechanism for reading information from the XOkey, you will have to register a new XOkey with any XOnet you want to connect to.
In an office environment, a VPN gateway would have a static IP address, so any client device that wanted to connect to it would just connect to that address. However, since the XOnet is designed for individuals and small businesses that usually have a dynamic address, in those cases it has to be assigned a hostname, which can be used to look up its temporarily assigned IP address. The XOnet tells a server called the Dynamic Domain Name Service (DDNS) when its address changes, so it can keep track of it. While you can use any DDNS service, x.o.ware provides one for free, and the XOnet is automatically registered with it during manufacturing (or when you force a reset to factory defaults).
Each XOnet is assigned a hostname with a randomly generated 16-digit hex number, meaning it’s unlikely to ever be duplicated on this planet. When an XOkey registers with an XOnet, it is given the XOnet’s host name. When you are away from home and want to connect to the XOnet, the XOkey will look up the IP address of the XOnet on our DDNS server, which keeps track of dynamic addresses for the XOnet. Use of this service is optional.
If you have a typical home network and a router, it shouldn’t take more than 5 minutes. If you have a more complex network (like where you manually assign addresses to devices on your network), it might take 10 minutes, but you will enjoy doing it because you’ll know you’re updating your system to be more secure!
Before an XOkey can connect with the XOnet, it must be registered. This is a very simple process, and starts with plugging the XOkey into the USB port on the front of the XOnet, and navigating to the UI of the XOnet with a browser. About fifteen seconds after the XOkey is plugged in, a message on the XOnet’s UI will ask you if you want to register the XOkey (or you can just go to the XOkey management page). When you say yes, it will ask you for a name for the XOkey, a real name for the pair (that particular XOkey and that XOnet), and a password. Once you have provided that information, the XOnet writes an RSA key and its Internet address to the XOkey.
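To make the registration step above, and the earlier description of keys that can be written to a device but never read back, concrete, here is an added Go example. It is not x.o.ware code: the XOkey and XOnet types, the challenge-response flow, the decision to leave the private key on the token and only the public key and a password hash on the gateway, and the single-pass password hash are all assumptions of this model. It shows the gateway generating the 2048-bit RSA pair for a relationship, handing it to a token that exposes no read path and refuses a second provisioning, and then accepting a connection only when that token signs a fresh nonce and the user supplies the right password. Clearing a relationship’s Enabled flag is the "disable" action from the XOkey management page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// XOkey models the client token (an assumed model, not x.o.ware firmware): the
// private key is unexported with no getter, so callers can only provision once and sign.
type XOkey struct{ priv *rsa.PrivateKey }

// Provision is the USB registration step on the token side; a second call is refused.
func (k *XOkey) Provision(priv *rsa.PrivateKey) error {
	if k.priv != nil {
		return errors.New("XOkey already provisioned")
	}
	k.priv = priv
	return nil
}

// SignChallenge is the only operation that ever touches the private key.
func (k *XOkey) SignChallenge(nonce []byte) ([]byte, error) {
	if k.priv == nil {
		return nil, errors.New("XOkey is not registered")
	}
	d := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, k.priv, crypto.SHA256, d[:], nil)
}

// Relationship is the gateway's record per token: public key, salted password hash,
// and a flag the management UI clears to disable a lost token.
type Relationship struct {
	Pub     *rsa.PublicKey
	salt    [16]byte
	pwdHash [32]byte
	Enabled bool
}

// XOnet models the gateway as its table of relationships, keyed by the registered name.
type XOnet map[string]*Relationship

// hashPassword is a stand-in; a real gateway would use a slow KDF (Argon2, scrypt).
func hashPassword(password string, salt [16]byte) [32]byte {
	return sha256.Sum256(append(salt[:], password...))
}

// Register generates the 2048-bit RSA pair, writes the private key to the token,
// and keeps only the public key and the password hash on the gateway.
func (g XOnet) Register(key *XOkey, name, password string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	var salt [16]byte
	if _, err := rand.Read(salt[:]); err != nil {
		return err
	}
	if err := key.Provision(priv); err != nil {
		return err
	}
	g[name] = &Relationship{Pub: &priv.PublicKey, salt: salt, pwdHash: hashPassword(password, salt), Enabled: true}
	return nil
}

// Authenticate enforces both factors: a fresh nonce must be signed by the key written
// at registration, and the password must match. Disabled names fail before any crypto.
func (g XOnet) Authenticate(key *XOkey, name, password string) (bool, error) {
	rel, ok := g[name]
	if !ok || !rel.Enabled {
		return false, errors.New("unknown or disabled XOkey")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := key.SignChallenge(nonce)
	if err != nil {
		return false, err
	}
	d := sha256.Sum256(nonce)
	if rsa.VerifyPSS(rel.Pub, crypto.SHA256, d[:], sig, nil) != nil {
		return false, nil // token does not hold this relationship's key
	}
	got := hashPassword(password, rel.salt)
	return subtle.ConstantTimeCompare(got[:], rel.pwdHash[:]) == 1, nil
}

func main() {
	gw, key := XOnet{}, &XOkey{}
	if err := gw.Register(key, "laptop-key", "correct horse"); err != nil {
		panic(err)
	}
	ok, _ := gw.Authenticate(key, "laptop-key", "wrong password")
	fmt.Println("hardware without the password accepted:", ok) // false
}
```

The point of the unexported field is the design property the page describes: once Register has run, no code path returns the private key, only signatures over gateway-chosen nonces, so a copy of the gateway’s table is useless without the physical token, and the token is useless without the password.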
When the XOkey wants to connect to the XOnet, it goes to a DDNS server (pre-configured to use ours, but you can change that) and looks up the IP address of your XOnet. It then tries to connect to that address, and uses STUN and Rendezvous servers that we also host (again, you can host these on your own) to find a port that your router will forward to your XOnet.
Since many routers block lots of ports, we had to develop a dynamic solution, similar to how other peer-to-peer communications (like VoIP phone apps) connect. However, unlike some of them, no user data ever passes through our servers. We only assist in connecting the two devices.
Yes, the CPU in it will make the enclosure warm to the touch.