The cryptic cloud: Can cloud encryption operate effectively right now?

Encryption in the digital world is akin to a safe in the physical world. Data is locked away and can only be seen by those who have the correct key. Among other things, encryption is what provides an assurance of confidentiality in data security and it is fast gaining ground in the cloud. But is encrypted data therefore more secure? Not if your keys are transferred in the clear, duplicated or mismanaged.

Data that goes to the public cloud is usually transferred securely and files are not kept on public web servers, so the obvious security measures are there. But once it reaches the storage server, the data is beyond the user’s reach or control. It may or may not be stored encrypted; it may or may not be readable by the service administrator; it may or may not be handed to influential third parties, such as governments or associated agencies. It may be compromised if the servers are broken into, or accessed if the servers are physically seized.

Key holder is king

Any reasonable storage provider who offers encryption will store each customer’s data encrypted with a key unique to that customer. The deal is that the provider holds the data and the user holds the key – normally derived from the account’s password using some key derivation algorithm (PBKDF2 is a good example).

But here’s where things get tricky: usually encryption of stored data occurs on the provider’s servers, which means that during the process of encryption they must hold the encryption key. We, as the customer, have no choice but to trust the service provider.

In this encryption model, the provider will at certain moments hold its users’ encryption keys, which it requires in order to encrypt and decrypt information. The user holds the key and the provider holds the encrypted data. Whenever the user needs to access his or her pool of data they must lend the key to the provider, in what we might call a ‘security by proxy’ model. This happens by logging in to the service.

Web applications and compiled client programs are no different. The password travels inside the point-to-point encrypted tunnel (usually SSL/TLS), which means that it exists in memory in plain text at both the client and the server. The key has, in effect, been copied.

So if the provider has other, less clear, less honest intentions, or is coerced, they can keep copies of encryption keys and decrypt users’ data. Customers cannot do anything to mitigate this without additional mechanisms. For instance, a TrueCrypt volume would solve the problem – although this solution has a number of downsides and a significant loss of flexibility, not to mention potential integrity issues, particularly when attempting to share files held in the TrueCrypt volume. If such tools are not used, the simple truth is that data held by online storage providers, encrypted or not, is held on trust.

Data security vs trust

Issues of trust aside, a discussion needs to take place about the merits of data security versus the implications of security by proxy.

If a user requires data security within online storage, then they should not use a security by proxy model. They must use a method that ensures the provider never has sufficient information to decrypt, or to facilitate decryption of, stored customer data. Can an encryption model be implemented that ensures the provider never holds, anywhere in its systems, enough information to decrypt the data? Yes, naturally: there are protocols and methods for doing this, and no doubt many more solutions are in the pipeline.
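The two models the article contrasts, the proxy model of the earlier paragraphs (the password crosses the TLS tunnel and the server derives the key) and the client-side model asked for here (the provider never holds enough to decrypt), worked through as an added example. This is not code from the original post or from any provider; it uses only Python’s standard library. The names (`derive_keys`, `ClientSideProvider`, `client_side_session`), the salt and iteration values, and the sample file contents are constructed for illustration. Two assumptions are made: the PBKDF2 output is split into a file-encryption key that stays on the client and a separate login key that is sent to the server (a common pattern for client-side-encrypted storage, not something the article specifies), and HMAC-SHA256 in counter mode stands in for AES so the example runs without third-party packages.

```python
import hashlib
import hmac
import secrets

# Constructed example values; tune the iteration count to your own threat model.
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: bytes, salt: bytes):
    """Client-side key derivation (PBKDF2-HMAC-SHA256, as the article names).

    The master secret is split into two independent keys (assumed design):
      enc_key  - encrypts/decrypts files on the client; never leaves it.
      auth_key - presented to the provider at login as proof of the password.
    Knowing auth_key gives no way back to enc_key.
    """
    master = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    enc_key = hmac.new(master, b"file-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master, b"login-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for AES so the example needs only
    # the standard library. Use AES-GCM from a vetted library in real systems.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; returns nonce || ct || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ClientSideProvider:
    """Everything the provider holds when keys never leave the client: a per-user
    salt, a hash of the login key, and opaque ciphertext. No encryption key."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, auth_key):
        self.accounts[user] = {"salt": salt, "blobs": [],
                               "auth_hash": hashlib.sha256(auth_key).digest()}

    def salt_for(self, user):
        return self.accounts[user]["salt"]

    def login(self, user, auth_key) -> bool:
        presented = hashlib.sha256(auth_key).digest()
        return hmac.compare_digest(self.accounts[user]["auth_hash"], presented)

    def store(self, user, blob):
        self.accounts[user]["blobs"].append(blob)

    def fetch(self, user):
        return list(self.accounts[user]["blobs"])


def proxy_model_server_state(password: bytes, salt: bytes) -> bytes:
    """Security by proxy: the password itself arrives through the TLS tunnel and
    the server runs the derivation, so the server now holds the encryption key."""
    enc_key, _ = derive_keys(password, salt)
    return enc_key  # sits in server memory, where it can be kept or copied


def client_side_session(password: bytes, plaintext: bytes) -> dict:
    """Round trip in the client-side model, then the provider's best attempt to
    read the file using only what it actually stores."""
    provider = ClientSideProvider()
    salt = secrets.token_bytes(16)                 # client picks the salt
    enc_key, auth_key = derive_keys(password, salt)
    provider.register("alice", salt, auth_key)     # only auth_key is sent
    provider.store("alice", encrypt(enc_key, plaintext))

    # Later session: re-derive from the password, log in, download, decrypt.
    enc_key2, auth_key2 = derive_keys(password, provider.salt_for("alice"))
    logged_in = provider.login("alice", auth_key2)
    recovered = decrypt(enc_key2, provider.fetch("alice")[0])

    # Provider's view: the stored auth hash is the nearest thing to a key it has.
    try:
        decrypt(provider.accounts["alice"]["auth_hash"], provider.fetch("alice")[0])
        provider_can_decrypt = True
    except ValueError:
        provider_can_decrypt = False
    return {"logged_in": logged_in, "recovered": recovered,
            "provider_can_decrypt": provider_can_decrypt}
```

The point of the split derivation is that the thing which crosses the wire at login proves knowledge of the password without being usable as a decryption key, so a provider that logs the login value, or is compelled to surrender what it stores, still cannot read the files. The cost is exactly the loss of flexibility the article mentions: a forgotten password is unrecoverable, and server-side features such as search or preview have nothing to work on.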

But as of today, such a model is not on offer, as many providers are required to retain access so that they can surrender information to the authorities.

The current cloud storage services which provide encryption, or add-on encryption services, all follow the ‘security by proxy’ model. Therefore, in every case, users get no assurance that the provider cannot access their data. The provider can, with little or no effort, read their customers’ data if they want to.

It’s for this reason that data held in remote storage should always be assessed by the user to determine its value should it be compromised. (If the celebrities whose naked selfies were leaked online had paused for thought in this respect, the Celebgate fiasco could have been prevented.) In the meantime, online storage providers should seek to offer assurances until encryption comes of age.