Enterprise Keeper Password Manager & Digital Vault Contact Sales (312) 226-5544 sales@keepersecurity.com r 8.19.15
Keeper is the world's most secure digital vault.
Problem

3 in 4 Americans have fallen or will fall victim to hacking. 30K websites are hacked per day. 37% of breached companies were financial firms. $10B is the annual cost of changing employee passwords.

Employees
Employees tend to reuse the same or easy-to-remember passwords across multiple sites for quick logins. Many also store passwords on sticky notes at their desk or in Excel spreadsheets, which can easily be stolen or compromised. They often send confidential documents to co-workers using programs protected by weak passwords. Employees also forget passwords and then spend valuable time resetting their accounts.

Businesses
Businesses use numerous cloud applications, each with its own login credentials. These major applications are increasingly targeted by hacking and phishing attacks. Businesses also allow employees to access insecure applications under BYOD policies, which puts sensitive information and documents at risk.

Keeper serves the growing global market
1.3B devices will have mobile security applications installed by 2018. The BYOD market is expected to grow to $181 billion by 2017. By 2017, half of employers will require employees to buy their own devices.
Source: akuity
Keeper is a secure and easy-to-use password manager and digital vault.
Our Solution

Keeper is a Zero-Knowledge Security Platform

Keeper is the most secure password manager and digital vault in the world. Keeper is a zero-knowledge security platform: only the user has knowledge of and access to their Master Password and the encryption key used to encrypt and decrypt their information. The user's Keeper file, in the form of an encrypted binary, is stored in Keeper's Cloud Security Vault and is protected with 256-bit AES encryption. Keeper has no knowledge of or access to a user's Master Password and cannot decrypt the user's Keeper data. The encryption algorithm Keeper uses is the well-known, trusted Advanced Encryption Standard (AES) with a 256-bit key length.

Additionally, Keeper offers Two-Factor Authentication (2FA) via SMS or Google Authenticator. 2FA requires two or more of the three authentication factors: a knowledge factor (something you know), a possession factor (something you have) and an inherence factor (something you are).

The Keeper solution has been vetted and certified under SOC 2 (Type I and II), TRUSTe, McAfee, HIPAA, Trustwave and EU Safe Harbor. Keeper never stores or displays plaintext information: user data is always encrypted locally on the device, in transit to the Cloud Security Vault and at rest in the vault. Keeper's Security Disclosures are published at https://keepersecurity.com/security.

Features: Organize and Access Passwords; Attach Files; Sync Files; Share Records; Create Strong Passwords; 256-bit AES Encryption; Auto-Fill Passwords; Secure Cloud Storage; Biometric Authentication; 24x7 Support
Platform Wide: Keeper Works Across All Major Platforms and Device Types
We Are Global: Keeper Serves the World's Mobile Security Market

Demographic: Keeper is used by a wide demographic of consumers, with the typical user between 18 and 60 years old. Everyone can find a use for Keeper, especially students, consumers, employees and trade professionals.
Use Cases: There are countless areas where Keeper is useful. The most common uses include email, online banking, online commerce, social media and secure file storage.
User Benefits: Keeper gives users quick access to websites, simple password management, secure file storage, seamless sharing and world-class security.
Market Size: The global BYOD market is growing at an exponential rate and is expected to reach $181 billion by 2017. Half of all employers are expected to require their employees to buy their own device by 2017, and 1.3 billion devices will have mobile security applications installed by 2018.
Published: Keeper is readily accessible to users across the globe and is published in 18 languages.
Global: Keeper is implemented and sold in over 80 countries, in local currency.
Pricing (USD)

Base Plan: $750/yr + $48/user/yr
Includes: Admin console; Unlimited devices; Provisioning; Delegated Administration; AD and LDAP Integration; Policy engine and enforcement; Shared folders; Auditing and reporting; BYOD Integration; 24/7 Support

Secure File Storage add-on: 1TB per Enterprise Account, $18/user/yr
Customers: Keeper is Used by Employees and Leading Fortune 1000 Companies
Strategic Partners: Keeper has strong relationships with world-class mobile operators and OEMs. Pre-loaded on Android and Windows devices.
Differentiation: Why Keeper is the Best

1. The only unified product that offers a comprehensive digital vault for password management and secure file storage.
2. A zero-knowledge security platform, highly differentiated from traditional cloud storage providers: the encryption key remains with the user and encryption occurs at the device level; only the user has full control over the encryption and decryption of their data; Keeper cannot decrypt the user's stored data.

Password Management
Keeper protects your employees against hackers with a secure and convenient password manager. All of your employees' passwords, logins, credit card numbers, bank accounts and other personal information are saved in a private digital vault encrypted with 256-bit AES. Keeper's password generator creates high-strength passwords for all websites and third-party applications accessed by your employees, which is the best way to protect your company's sensitive login credentials.

Secure File Storage
With Secure File Storage, users can upload their most important files, photos and videos directly into their Keeper vault. Files can be encrypted and uploaded with the click of a button or using drag-and-drop. Sharing files is easy and secure, with full end-to-end encryption from one vault to another. Public sharing links, which are customary with many cloud storage providers, are prohibited by Keeper's secure sharing architecture. Secure images can be taken from a camera-enabled mobile device and always remain in the Keeper vault, never in the device's camera roll. Secure File Storage is a seamless add-on for all existing Keeper users.

Secure File Sharing Without Compromising Security
Customers can also securely share files with fellow Keeper users vault-to-vault, making Secure File Storage the best way to store and transfer sensitive information.
Keeper Secure File Sharing builds on Secure File Storage with public-key (PKI) encryption, enabling customers to share files with other Keeper users securely and without ever decrypting the file during the sharing process. Once a file has been encrypted and stored in the vault, the user can securely share it with one or more Keeper users. Sharing uses the well-known RSA public-key scheme: Keeper generates an RSA public/private key pair for each user.
Appendix A: Security & System Architecture
Technical Documentation: Permissions

Keeper's Android manifest contains the following permissions (permission: purpose):

android.permission.ACCESS_NET_STATE: Network and Wi-Fi access
android.permission.ACCESS_WIFI_STATE: Network and Wi-Fi access
android.permission.READ_PHONE_STATE: Network and Wi-Fi access
android.permission.INTERNET: Network and Wi-Fi access
com.android.vending.BILLING: In-app purchase
android.permission.READ_CONTACTS: Password sharing features
android.permission.GET_ACCOUNTS: User signup optimization
android.permission.READ_EXTERNAL_STORAGE: Secure File Storage features
android.permission.WRITE_EXTERNAL_STORAGE: Secure File Storage features
android.permission.SYSTEM_ALERT_WINDOW: Keeper FastFill (native apps)
android.permission.RECEIVE_BOOT_COMPLETED: Keeper FastFill (native apps)
com.android.browser.permission.READ_HISTORY_BOOKMARKS: Keeper FastFill (web apps)
android.permission.GET_TASKS: Keeper FastFill (native apps)
android.permission.WRITE_SETTINGS: Keeper FastFill (auto-enable)
android.permission.WRITE_SECURE_SETTINGS: Keeper FastFill (auto-enable)
android.permission.AUTHENTICATE_ACCOUNTS: Settings, Accounts & Sync
android.permission.MANAGE_ACCOUNTS: Settings, Accounts & Sync

Note that android.permission.WRITE_SECURE_SETTINGS is a signature-level permission that Android grants only to system-signed or pre-loaded builds, not to an ordinary store install.
Technical Documentation: Data Consumption Details

Keeper accesses the network only in short bursts when the user logs in. Keeper does not access the network while the app is idle or in the background. Typical usage and domain endpoint information:

Domain: keepersecurity.com
Port: 443
Per Pull Amount: 3.7KB
Out of Box Pull Frequency: 0
Signed-In Pull Frequency: 1
Frequency of Pull Options: None
Monthly Data Amount: 110KB

Domain: keeperapp.com
Port: 443
Per Pull Amount (avg.): 13.6KB
Out of Box Pull Frequency: 0
Signed-In Pull Frequency: Once per new record created
Frequency of Pull Options: Sync can be turned off or on via the Settings screen
Monthly Data Amount: 1.5MB
Technical Documentation: Technical Architecture

Keeper Security, Inc. (KSI) is passionate about protecting its customers' information with Keeper mobile and desktop security software. Millions of consumers and businesses trust Keeper to secure and access their passwords and private information. KSI does not have access to a customer's Master Password, nor does KSI have access to the records stored in the Keeper vault. KSI cannot remotely access a customer's device, nor can it decrypt the customer's vault. The only information Keeper Security has access to is a user's email address, device type and subscription plan details (e.g. Keeper Backup). If a user's device is lost or stolen, KSI can assist in accessing an encrypted backup file to restore the user's vault once they have replaced their device.

Information stored and accessed in Keeper is accessible only by the customer because it is encrypted and decrypted on the fly on the device being used, even when using the Keeper Web App. The encryption algorithm Keeper uses is the well-known, trusted AES (Advanced Encryption Standard) with a 256-bit key length. Per the Committee on National Security Systems publication CNSSP-15, AES with a 256-bit key length is sufficiently secure to encrypt classified data up to the TOP SECRET level for the U.S. Government. In theory, it would take a 10.51 petaflop supercomputer approximately 3.31 × 10^56 years to brute-force a 256-bit AES encrypted message.

The cipher keys used to encrypt and decrypt customer records are never stored on or transmitted to Keeper's Cloud Security Vault in the clear. To provide syncing between multiple devices, an encrypted version of this cipher key is stored in the Cloud Security Vault and provided to the devices on a user's account. This encrypted cipher key can only be decrypted on the device, for subsequent use as the data cipher key.
[Figure: Data Protection. Your Encrypted Data, Your Vault, Your Decrypted Data, Your Private Key]
Technical Documentation: Client Encryption

Data is encrypted and decrypted on the user's device, not on the Cloud Security Vault. We call this Client Encryption because the client (e.g. iPhone, Android device, Web App) does all of the encryption work. The Cloud Security Vault stores a raw binary that is essentially useless to an intruder. Even if the data is captured while in transit between the client device and the Cloud Security Vault, it cannot be decrypted or used to attack or compromise the user's private data.

[Figure: Client Encryption Process. Cloud Syncing, Encryption, Decryption, Data At Rest]

Keeper uses PBKDF2 with HMAC-SHA256 to convert the Master Password into a 256-bit encryption key, with a minimum of 1,000 rounds. The key derived from the Master Password is not used directly to encrypt user data; it is used to encrypt another key, the Data Key. The Data Key encrypts data and other keys, such as the RSA private key. Any key not derived directly from the Master Password is generated by a cryptographically secure random number generator on the user's device; for example, both the Data Key and the RSA key pair are generated on the device. Because the keys are generated on the device (not on Keeper's Cloud Security Vault), we have no visibility into the user's keys. All secret keys that must be stored (such as each user's RSA private key and the Data Key) are encrypted prior to storage or transmission. The user's Master Password is required to decrypt any of them. Since Keeper's Cloud Security Vault does NOT have access to the user's Master Password, we cannot decrypt any of your keys or data.
Technical Documentation: Data In Transit

To prevent unauthorized vault access, Keeper's Cloud Security Vault must authenticate each user before transmitting data. Authentication is performed by comparing a PBKDF2-generated hash of the Master Password: the user's device derives the hash from the Master Password with PBKDF2 and the server compares it with a stored hash. By using the PBKDF2 hash instead of the Master Password itself, the Cloud Security Vault authenticates the user without ever receiving the Master Password. PBKDF2 is also used to derive the data encryption key, but the authentication hash is a separate value and is never used for data encryption.

KSI supports 256-bit and 128-bit AES cipher suites over SSL/TLS to encrypt all data in transit between the client application and KSI's cloud-based storage. This is the same level of transport encryption trusted by millions of individuals and businesses every day for web transactions requiring security, such as online banking, online shopping, trading stocks, accessing medical information and filing tax returns.

KSI deploys SSL/TLS certificates signed by Digicert using the SHA-2 algorithm, the most secure signature algorithm currently offered by commercial certificate authorities. SHA-2 is significantly more secure than the more widely used SHA-1, whose known mathematical weaknesses could be exploited; SHA-2 helps protect against the issuance of counterfeit certificates that an attacker could use to impersonate a website. KSI also supports Certificate Transparency (CT), a Google initiative to create a publicly auditable record of certificates signed by certificate authorities. CT helps guard against certificate issuance by unauthorized entities and is currently supported in the latest versions of the Chrome web browser. More information about Certificate Transparency can be found at http://www.certificate-transparency.org/

KSI uses Transport Layer Security (TLS) versions 1.0, 1.1 and 1.2 to securely transfer encrypted customer data between the client and the Keeper servers. KSI also supports Perfect Forward Secrecy (PFS) through ephemeral Diffie-Hellman key exchange (DHE and ECDHE cipher suites). KSI currently supports the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
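One way to audit a cipher-suite list like the one above, as an added example in Go that is not part of the original document: a parser for IANA suite names that recovers key exchange, cipher, mode and hash from each name, a ranking a reviewer would apply, and a filter for the suites to retire first. The scoring weights and the Weak rule are this example's choices; PageSuites is the page's own list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PageSuites is the list the document publishes, in the document's order.
var PageSuites = []string{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}

// Suite is what an IANA cipher-suite name promises, field by field.
type Suite struct {
	Name           string
	Kex            string // ECDHE, DHE or RSA (static key transport)
	Cipher         string // AES_128 or AES_256
	Mode           string // GCM or CBC
	Hash           string // SHA (SHA-1), SHA256, SHA384: the HMAC for CBC, the PRF for GCM
	ForwardSecrecy bool   // ephemeral key exchange: a later key compromise does not expose old sessions
	AEAD           bool   // authenticated encryption; CBC suites are MAC-then-encrypt
}

// Parse splits TLS_<kex>[_<auth>]_WITH_<cipher>_<bits>_<mode>_<hash>; TLS 1.3 names have no _WITH_.
func Parse(name string) (Suite, error) {
	halves := strings.SplitN(strings.TrimPrefix(name, "TLS_"), "_WITH_", 2)
	if len(halves) != 2 {
		return Suite{}, fmt.Errorf("%s: no _WITH_ separator", name)
	}
	cs := strings.Split(halves[1], "_")
	if len(cs) != 4 {
		return Suite{}, fmt.Errorf("%s: expected <cipher>_<bits>_<mode>_<hash>", name)
	}
	kex := strings.SplitN(halves[0], "_", 2)[0] // ECDHE_RSA -> ECDHE, RSA -> RSA
	s := Suite{Name: name, Kex: kex, Cipher: cs[0] + "_" + cs[1], Mode: cs[2], Hash: cs[3]}
	s.ForwardSecrecy = kex == "ECDHE" || kex == "DHE"
	s.AEAD = s.Mode == "GCM"
	return s, nil
}

// Rank scores what matters most first: forward secrecy, then AEAD, then a SHA-2 MAC over SHA-1.
func Rank(s Suite) int {
	r := 0
	if s.ForwardSecrecy {
		r += 100
	}
	if s.AEAD {
		r += 50
	}
	if s.Hash == "SHA" {
		r -= 20 // CBC with HMAC-SHA-1: first to retire
	}
	return r
}

// Order parses a list and sorts it best first, keeping the given order for ties.
func Order(names []string) ([]Suite, error) {
	suites := make([]Suite, 0, len(names))
	for _, n := range names {
		s, err := Parse(n)
		if err != nil {
			return nil, err
		}
		suites = append(suites, s)
	}
	sort.SliceStable(suites, func(i, j int) bool { return Rank(suites[i]) > Rank(suites[j]) })
	return suites, nil
}

// Weak returns the suites a reviewer would flag: no forward secrecy, or CBC with HMAC-SHA-1.
func Weak(suites []Suite) []string {
	var out []string
	for _, s := range suites {
		if !s.ForwardSecrecy || (!s.AEAD && s.Hash == "SHA") {
			out = append(out, s.Name)
		}
	}
	return out
}

func main() {
	suites, _ := Order(PageSuites)
	for _, s := range suites {
		fmt.Printf("%3d  %-40s pfs=%-5t aead=%-5t hash=%s\n", Rank(s), s.Name, s.ForwardSecrecy, s.AEAD, s.Hash)
	}
	fmt.Println("retire first:", Weak(suites))
}
```

Run over the page's list, this shows that all eleven suites offer forward secrecy, that four are AEAD (GCM) and that three pair CBC with HMAC-SHA-1. Two things a suite name does not encode, and that this check therefore cannot confirm: the size of the DHE group the server uses, which sets the real strength of the DHE suites, and the protocol version; TLS 1.0 and 1.1, which the page lists as supported, were formally deprecated by RFC 8996 in 2021.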
Technical Documentation: Two-Factor Authentication

To protect against unauthorized access to a customer's account, Keeper also offers Two-Factor Authentication. Two-factor authentication requires two or more of the three authentication factors: a knowledge factor, a possession factor and an inherence factor. Keeper uses something you know (your Master Password) and something you have (the phone in your possession) to give users extra security in the event your Master Password or device is compromised.

To do this, Keeper generates TOTPs (Time-based One-Time Passwords). Keeper generates a 10-byte secret key using a cryptographically secure random number generator; each one-time code derived from that secret is valid for about a minute and is sent to the user by SMS. When using the Google Authenticator application on your mobile device, the Keeper server internally generates a QR code containing your secret key, so the secret is never communicated to a third party. Each time a user deactivates and then reactivates Two-Factor Authentication, a new secret key is generated.

[Figure: Two-Factor Authentication Process. Keeper supports SMS and Google Authenticator: log in with the Master Password, receive the two-factor code ("Enter this verification code when prompted to login"), enter the code, authenticate, accepted.]
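The TOTP mechanism described above, as an added example in Go that is not Keeper's code: RFC 4226 HOTP and RFC 6238 TOTP over a 10-byte CSPRNG secret, a verifier with a one-step grace window, and the otpauth URI a server would render into the QR code for Google Authenticator. The 30-second step, six digits, the issuer string and the example account are this example's assumptions; the page states only the 10-byte secret and the roughly one-minute validity.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

const (
	secretBytes = 10 // the page's secret size: 80 bits, 16 base32 characters when shown to an authenticator app
	digits      = 6
	stepSeconds = 30 // RFC 6238 default; the page's "about a minute" fits one step of grace on each side
)

// NewSecret is generated server-side from a CSPRNG, once per (re)activation.
func NewSecret() ([]byte, error) {
	s := make([]byte, secretBytes)
	_, err := rand.Read(s)
	return s, err
}

// SecretB32 is the secret as Google Authenticator expects it: unpadded base32.
func SecretB32(secret []byte) string {
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%0*d", digits, code%1000000) // 10^digits
}

// TOTP is RFC 6238: HOTP with the counter set to the current time step.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix()/stepSeconds))
}

// Verify accepts the code for the current step and `window` steps either side,
// comparing in constant time. A real server must also remember the last
// accepted step so a code cannot be replayed inside that window.
func Verify(secret []byte, code string, at time.Time, window int) bool {
	step := at.Unix() / stepSeconds
	for d := -int64(window); d <= int64(window); d++ {
		if hmac.Equal([]byte(HOTP(secret, uint64(step+d))), []byte(code)) {
			return true
		}
	}
	return false
}

// ProvisioningURI is what the server renders into the QR code; the secret
// reaches the phone only through that image, never through a third party.
func ProvisioningURI(issuer, account string, secret []byte) string {
	q := url.Values{"secret": {SecretB32(secret)}, "issuer": {issuer},
		"digits": {fmt.Sprint(digits)}, "period": {fmt.Sprint(stepSeconds)}}
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

func main() {
	secret, err := NewSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println(ProvisioningURI("Keeper", "alice@example.com", secret))
	code := TOTP(secret, time.Now())
	fmt.Println("code:", code, "accepted:", Verify(secret, code, time.Now(), 1))
}
```

The RFC 4226 test vectors (secret 12345678901234567890, counters 0 and 1 give 755224 and 287082) pin the truncation down. Verify compares with hmac.Equal so a partial match cannot leak through timing; a real server also has to record the last accepted step, otherwise a code intercepted in transit stays usable until its window closes.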
Technical Documentation: Sharing of Records

Record sharing builds on the key hierarchy described under Client Encryption: PBKDF2 with HMAC-SHA256 (at least 1,000 rounds) converts the Master Password into a 256-bit key that encrypts the Data Key, and the Data Key encrypts the user's data and other keys, including the RSA private key. The Data Key and the RSA key pair are generated by a cryptographically secure random number generator on the user's device, never on Keeper's Cloud Security Vault, so Keeper has no visibility into the user's keys.

[Figure: Secure Sharing Process with RSA Encryption]
1. User 1 creates a private Keeper record.
2. The record is encrypted with 256-bit AES.
3. User 1 shares the Keeper record with User 2.
4. User 2 receives the shared record.
5. User 2 opens and accesses the record.
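The sharing flow above, and the Secure File Sharing description earlier in the document, as an added example in Go that is not Keeper's code: each user holds a device-generated RSA-2048 key pair, the record stays as AES-256 ciphertext, and only its 256-bit record key is re-encrypted to the recipient's public key with RSA-OAEP, so nothing is decrypted while sharing. Key size, the OAEP hash and label, the SharedRecord layout and the constructed ciphertext placeholder are this example's assumptions; the page states RSA and AES-256 without further parameters.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// User is a Keeper account with its device-generated RSA key pair. On the
// device the private key is stored only after being encrypted under the
// Data Key (see Client Encryption); that wrapping step is left out here.
type User struct {
	Name string
	Priv *rsa.PrivateKey
}

func NewUser(name string) (*User, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits is this example's choice
	if err != nil {
		return nil, err
	}
	return &User{Name: name, Priv: priv}, nil
}

// Public is what the Cloud Security Vault publishes for each user; it is the
// only key material the server ever sees.
func (u *User) Public() *rsa.PublicKey { return &u.Priv.PublicKey }

// oaepLabel binds the wrapped key to its purpose (an assumption of this example).
var oaepLabel = []byte("keeper-record-key")

// SharedRecord is what the vault relays between two users: the record's own
// AES-256 ciphertext, untouched, and its 32-byte record key encrypted to the
// recipient with RSA-OAEP. Nothing in it can be opened by the server.
type SharedRecord struct {
	From, To   string
	Ciphertext []byte
	WrappedKey []byte
}

// Share is run by the owner. The record is never decrypted; only its key is
// re-encrypted for the recipient.
func Share(owner *User, toName string, toPub *rsa.PublicKey, recordKey, ciphertext []byte) (*SharedRecord, error) {
	if len(recordKey) != 32 {
		return nil, errors.New("record key must be 256 bits")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, toPub, recordKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SharedRecord{From: owner.Name, To: toName, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// Accept is run by the recipient on their own device; only their private key
// recovers the record key, which then decrypts Ciphertext with AES-256.
func Accept(u *User, s *SharedRecord) ([]byte, error) {
	if s.To != u.Name {
		return nil, fmt.Errorf("share is addressed to %s, not %s", s.To, u.Name)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, u.Priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap record key: %w", err)
	}
	return key, nil
}

func main() {
	alice, _ := NewUser("alice")
	bob, _ := NewUser("bob")
	recordKey := make([]byte, 32)
	if _, err := rand.Read(recordKey); err != nil {
		panic(err)
	}
	ciphertext := []byte("<AES-256 ciphertext of User 1's record: constructed placeholder>")
	s, _ := Share(alice, "bob", bob.Public(), recordKey, ciphertext)
	key, err := Accept(bob, s)
	fmt.Println("bob recovers the record key:", bytes.Equal(key, recordKey), err)
	s.To = "alice"
	_, err = Accept(alice, s) // wrong private key: OAEP decryption fails
	fmt.Println("alice cannot open bob's copy:", err)
}
```

The server relays SharedRecord but holds neither private key, so it can check nothing beyond the addressee. What the design guarantees is that Accept succeeds only with the recipient's own private key and that Ciphertext passes through byte for byte, which is what "without ever requiring decryption of the file in the sharing process" means in practice.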
Appendix B: Device Screenshots

Mobile: iPhone
Mobile: Android
Mobile: Windows Phone
Desktop: Mac
Desktop: Windows
Tablet: iPad
Tablet: Android
Tablet: Windows Surface
Browser Extension
Admin Console
Enterprise Bridge: Active Directory / LDAP Integration
Contact: (312) 226-5544 sales@keepersecurity.com