To ensure the security and privacy of your data, Oak Tree provides two forms of encryption for your data:
1. All your data on Oak Tree servers is pre-encrypted – by you – with one of three industry-standard encryption methodologies (your choice of AES, TripleDES [a/k/a DES3] or Twofish) based on an encryption key that only you, the client, possess (Oak Tree will not accept retention, maintenance or even knowledge of any client encryption key). These encryption keys are 128-bit symmetric keys, and these methods are used by the major banks, brokerage firms and insurance companies throughout the world as well as the U.S. Government (see note below). This encryption occurs on your computer equipment before your data is transmitted over the internet to our highly secure facility. This world-class security is reinforced by using your choice of two different encryption modes.
2. Once encrypted, your data is sent to the Oak Tree servers via Oak Tree transmission services utilizing industry-standard Secure Sockets Layer methodology, using a randomly generated 1024-bit RSA public key to further secure the actual transmission of your already-encrypted data. The strength of the encryption depends on the key size you use during the transmission process (usually preconfigured on your computer) but is highly secure even with the smallest allowable key. This protects your already-encrypted data transmission from any and all possible intrusions or hacking.
In addition, during the initial encryption and compression procedure on your computer/server, a random number (technically consisting of an initialization vector, salt and iteration count) is generated and applied to each file when it is encrypted.
Oak Tree uses the AES encryption method by default. The Advanced Encryption Standard (AES) feature adds support for still further security with your choice of Cipher Block Chaining (CBC) or Electronic Codebook (ECB) modes.
The U.S. National Institute of Standards and Technology (NIST) created AES, which is a Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for Internet Protocol Security (IPSec) and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length – the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key. (Oak Tree does not support the longer lengths, as they typically consume far more CPU time than most servers can make available for administrative functions.) A 128-bit key size has 2^128 – or about 3.4 x 10^38 – possible combinations. It is estimated that it would take 8.77 x 10^17 years on very large computers to test all possible combinations.
According to the U.S. National Security Agency (NSA) – Committee on National Security Systems (CNSS) Policy No. 15, Fact Sheet No. 1, “National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information,” June 2003:
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level.”
“Subject to policy and guidance for non-national security systems and information (e.g., FIPS 140-2), U.S. Government Departments and Agencies may wish to consider the use of security products that implement AES for IA applications where the protection of systems or information, although not classified, nevertheless, may be critical to the conduct of organizational missions. This would include critical infrastructure protection and homeland security activities as addressed in Executive Order 13231, Subject: Critical Infrastructure Protection in the Information Age (dated 16 October 2001), and Executive Order 13228, Subject: Homeland Security (dated 8 October 2001), respectively.”
Finally, each client user has the option of specifying an exclusive list of specific IP addresses from which their data may be accessible. This provides the added security of limiting locations that may access the Oak Tree servers. NOTE: You should be careful and thorough if using this option, as internal IP addresses will not function across the Internet, and any error in this regard might prevent proper access to your data. Be sure to consult a telecommunications expert before selecting this option.
While the remote possibility always exists that your data might be “physically” intercepted by expert hackers during its transmission, its “logical” content, or data content, is fully protected by this highest-level double-encryption, and will appear as indecipherable nonsense characters to anyone without your encryption key, which is required to decrypt your data. (For this reason, it is essential that you never lose your encryption key, but keep it in a secure location in your office or home.)
In addition, Oak Tree utilizes and maintains virus, spyware, malware and other intrusion prevention, detection and auto-removal software and other processes to ensure your data is highly secure and redundant. However, Oak Tree software does not scan your data for such intrusive software during its backup processes. Please keep in mind that certain data, in addition to programs, can harbor certain types of viruses. This includes Excel spreadsheets (.xls) and Word documents (.doc) with embedded macros. If these exist in your data, they will be encrypted and backed up along with your data.
Oak Tree further utilizes its own highly secure, state-of-the-art firewall with highly secure settings at its data center for further server protection. In addition, a CRC (Cyclical Redundancy Check) is performed on all data transmissions to ensure the completeness of the data being transmitted. This is a sort of “characters-transmitted” check-digit calculation performed by Oak Tree software on your (sending) server, and then again on our (receiving) server, as each small “piece” of encrypted data is transmitted. This ensures that all the “pieces” of encrypted data you sent from your server are exactly the same as the “pieces” of encrypted data we received at our server. In the event any one or more CRCs don’t match, those “pieces” are re-sent from your server to ours. If this re-transmission occurs too often, the connection is dropped and re-established, and the process starts over again. In the event of a persistent problem, our administrators will contact you directly.
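The per-piece CRC check and re-send described above, sketched as an added example (not Oak Tree's software): CRC-32 from zlib, the 8-byte piece size, the re-send limit and the simulated channel are all assumptions, and the sample data is constructed.

```python
import zlib

CHUNK_SIZE = 8     # assumed piece size, tiny so the sample splits into several pieces
MAX_RESENDS = 3    # assumed limit before the connection is dropped


class ConnectionDropped(Exception):
    """Raised when one piece keeps failing; a caller would reconnect and start over."""


def make_channel(corrupt):
    """Constructed lossy link: flips one bit on the listed (piece, attempt) pairs."""
    def send(index, attempt, payload):
        if (index, attempt) in corrupt:
            return bytes([payload[0] ^ 0x01]) + payload[1:]
        return payload
    return send


def transfer(data, channel):
    """Send data piece by piece; return (received bytes, number of re-sends)."""
    received, resends = bytearray(), 0
    for index, start in enumerate(range(0, len(data), CHUNK_SIZE)):
        chunk = data[start:start + CHUNK_SIZE]
        sent_crc = zlib.crc32(chunk)                # computed on the sending side
        for attempt in range(MAX_RESENDS + 1):
            arrived = channel(index, attempt, chunk)
            if zlib.crc32(arrived) == sent_crc:     # recomputed on the receiving side
                received += arrived
                break
            resends += 1                            # mismatch: this piece is sent again
        else:
            raise ConnectionDropped(f"piece {index} failed {MAX_RESENDS + 1} times")
    return bytes(received), resends


# Constructed stand-in for already-encrypted backup data (5 pieces of 8 bytes).
SAMPLE = bytes(range(40))
```

The CRC here catches accidental corruption in transit; it is an unkeyed checksum, so confidentiality of the contents still rests on the client-side encryption.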
Oak Tree’s physical facilities, in which it maintains its equipment, are highly secure, state-of-the-art technology environments. (See our website section for more details on our Data Center.)
Your encryption key is used to encrypt your files. It resides only on your computer (in an unreadable format) and is known only to you. It never appears in digital form in plain text format anywhere. It is never transmitted anywhere across the network. If this key is lost, your backup files can never be recovered. Although technically Oak Tree has access to all files you stored on our backup server (in encrypted mode), we have absolutely no knowledge of their contents, nor do we have any means of determining it.
Therefore: Please make certain you document your encryption key in a VERY SAFE PLACE where it will be well-protected and never lost. (It is maintained on your computer, but in pre-encrypted form – not plain text, and is indecipherable.) If you cannot enter your encryption key when you need to restore any of your data, you will NOT be able to recover your backup files and your data will remain irretrievable until and unless you enter your correct encryption key.