End-to-end encryption

The user data shared via Cool Maze is end-to-end encrypted (E2EE). This means the service provider and the cloud infrastructure vendor cannot access user data. Only the sender (a mobile device) and the receiver (a computer web browser) can see the plaintext data.

E2EE: the server does not have the secret key and cannot see the user data

We achieve this privacy protection with AES-128, a symmetric-key encryption algorithm: the same secret passphrase is used for both encryption and decryption. It is known to the sender and to the receiver, but is never sent to the server. The intermediate transport nodes and cloud servers see only opaque encrypted data and can do nothing with it beyond delivering it to its destination.

This raises the interesting question of how the two ends of the communication agree on the passphrase without leaking it to the server. Our ingenious solution is to have the target webpage generate a one-off passphrase and encode it into the QR code. When the mobile device scans the QR code, it obtains the passphrase and uses it for encryption. When the target webpage receives an encrypted payload, it uses the same passphrase to decrypt it.