Trust Through Mathematical Proof
At Simple Money Tracker (SMT), we believe privacy is a fundamental human right, not a marketing gimmick. In traditional finance apps, your records are sent to a cloud database in plaintext, exposing you to corporate tracking, server leaks, and database compromises. SMT solves this by implementing a state-of-the-art Zero-Knowledge Vault architecture.
To demonstrate our commitment to total transparency, we are proud to introduce the SMT Cryptographic Labs Security Playground. Now live on our portal, this interactive sandbox lets you visualize, trigger, and inspect local encryption processes in real time—giving you a hands-on look at the exact mathematics keeping your financial data secure.
SHOW, Don’t Tell — SMT’s Core Philosophy
We don’t ask you to blindly trust our marketing claims. In a world full of vague security promises, SMT is the first personal finance application that actively shows you its client-side mathematical proofs. We co-locate the raw keys, random salts, initialization vectors, and ciphertexts in a real-time playground, proving that absolute security is visible and mathematically verifiable.
How SMT’s Local Double-Lock Architecture Operates
Rather than relying on a single, static master key, SMT leverages a local double-key architecture using the browser’s native Web Crypto API. This ensures high-performance client-side security without any data leaking to the server:
1. Key Encryption Key (KEK) Derivation: SMT stretches your local Master Password combined with a unique, randomized 16-byte Salt using the PBKDF2 standard. We enforce 600,000 SHA-256 iterations to render brute-forcing computationally impossible even for modern supercomputers.
2. Data Encryption Key (DEK) Generation: A randomized, high-entropy 256-bit AES key is generated directly in browser RAM to encrypt your actual data.
3. Double-Lock Protection (Key Wrapping): The generated DEK is encrypted using the KEK (AES-GCM). Only this encrypted DEK is stored on SMT servers. Your raw DEK never leaves your device’s local memory.
4. GCM Cryptographic Sealing: Your financial records (expenses, debts, contacts) are encrypted using the DEK with 256-bit AES-GCM. Each encryption uses a unique 12-byte Initialization Vector (IV) and produces the raw Ciphertext plus a 16-byte Authentication Tag (AT), so that any tampering with the data is detected on decryption.
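The four steps above as a compact Web Crypto sketch, including the reverse path that fails on a wrong Master Password or a modified byte. This is an added example, not SMT's code; the function names, the returned field names and the separate random IV used for the DEK wrap are assumptions.

```javascript
// Added sketch, not SMT's code. Runs in a browser or in Node with Web Crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback: older Node
const { subtle } = wc;
const GCM_TAG_BYTES = 16;

// Step 1: PBKDF2-SHA-256 stretches password + salt into a non-extractable KEK.
async function deriveKek(password, salt, iterations = 600000) {
  const base = await subtle.importKey('raw', new TextEncoder().encode(password),
    'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', salt, iterations, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Steps 2-4: generate a DEK, wrap it under the KEK, seal one record with the DEK.
async function sealRecord(password, record) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const wrapIv = wc.getRandomValues(new Uint8Array(12)); // assumed: own IV for the wrap
  const iv = wc.getRandomValues(new Uint8Array(12));     // fresh IV for every record
  const kek = await deriveKek(password, salt);
  const dek = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true,
    ['encrypt', 'decrypt']); // extractable only so that it can be wrapped
  const wrappedDek = new Uint8Array(
    await subtle.wrapKey('raw', dek, kek, { name: 'AES-GCM', iv: wrapIv }));
  const sealed = new Uint8Array(await subtle.encrypt({ name: 'AES-GCM', iv }, dek,
    new TextEncoder().encode(JSON.stringify(record))));
  // Web Crypto returns ciphertext || tag; tools with a separate tag field need the split.
  const cut = sealed.length - GCM_TAG_BYTES;
  return { salt, wrapIv, wrappedDek, iv,
    ciphertext: sealed.slice(0, cut), tag: sealed.slice(cut) };
}

// Reverse path: re-derive the KEK, unwrap the DEK, verify the tag, decrypt.
// Rejects with OperationError on a wrong password or any modified byte.
async function openRecord(password, blob) {
  const kek = await deriveKek(password, blob.salt);
  const dek = await subtle.unwrapKey('raw', blob.wrappedDek, kek,
    { name: 'AES-GCM', iv: blob.wrapIv }, { name: 'AES-GCM' }, false, ['decrypt']);
  const joined = new Uint8Array([...blob.ciphertext, ...blob.tag]);
  const plain = await subtle.decrypt({ name: 'AES-GCM', iv: blob.iv }, dek, joined);
  return JSON.parse(new TextDecoder().decode(plain));
}
```

Everything `sealRecord` returns is safe to store server-side: the salt and both IVs are not secret, and the DEK appears only in wrapped form.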
Guaranteed Local-Only Execution
Because all key derivation, AES encryption, and DEK wrapping processes execute strictly within your local browser, the SMT server remains completely zero-knowledge. We have zero access to your plaintext records, Master Password, or decrypted keys.
Self-Auditing SMT Encryption via GCHQ’s CyberChef
We do not expect you to take our word for it. In SMT Cryptographic Labs, we have integrated a dedicated "Independent Crosscheck" workflow that allows you to self-audit our security. You can export SMT’s generated ciphertext, IV, and DEK and verify decryption on CyberChef, the neutral, government-grade client-side cryptographic utility developed by the British intelligence agency GCHQ.
This mathematically proves that SMT’s client-side cryptographic operations are perfectly aligned with global standards, and that your data can be decrypted entirely independently of SMT’s proprietary codebase. This is open-source security at its absolute finest.
- Step 1: Set up the Decryption Recipe on CyberChef using "From Base64" and "AES Decrypt" operations.
- Step 2: Copy and paste the Base64 Ciphertext from the SMT Sandbox into CyberChef Input.
- Step 3: Configure the Key, IV, and Auth Tag fields using the raw hex parameters generated by SMT (making sure format toggles are set to Hex, and mode is set to GCM).
- Step 4: Watch your original, unmodified Plaintext JSON successfully decode, confirming 100% local integrity.
Neutral Third-Party Crosscheck via GCHQ’s CyberChef
CyberChef is developed by GCHQ (Government Communications Headquarters, the UK’s premier signals intelligence agency). Because CyberChef is a completely neutral, globally respected open-source tool running entirely inside your local browser, using it to decrypt your payload mathematically proves that SMT cannot access your data. You don’t need to trust SMT; you only need to trust the neutral, military-grade math of GCHQ CyberChef.
Play and Inspect the Security Labs Today
The Security Playground is now fully integrated and accessible to all SMT users. We have equipped the sandbox with quick-load presets for Expenses, Debts, and Contacts, complete offline indicators, manual trigger toggles, and full-resolution visual setups for CyberChef.
We invite you to experiment with different Master Passwords, adjust PBKDF2 iteration rounds to analyze performance, and self-audit your payloads. SMT is proud to pioneer hands-on cryptography in personal finance, giving you absolute mathematical certainty that your private financial life stays private.
