Behind the Curtain of Encrypted Cloud Storage
December 2, 2012
This site is no longer being maintained. Keep that in mind as you go through these pages.
Cloud everything has been one of the most discussed tech topics of 2012. There's been much written to fuel the increasing culture of always-online integration being woven into everything from social interaction to entertainment, to the contentious Windows 8. This round of tSc spectacle is a list of 22 different cloud storage providers which I'll weigh by their cryptographic implementations and account authentication for both the client software and browser login.
What I want to know is, how secure are they really? Who uses strong encryption methods? Who uses weak key derivation protocols? Who sends the account password or private key to their servers? Who can determine if specific files are on their servers, even if that user data is encrypted?
First, Some Dialogue
I want to open with a quote from a recent writing on the cloud's long-term forecast.
I believe that data defines the nature of its storage. [Source]
Such an eloquent ideal, is it not? As I wrote this article, I sorted through countless company websites, forums, knowledge bases, blogs and other sources. I was actually surprised at the number of people who rely on cloud storage to contain highly sensitive data.
I'm not talking about collaborative group projects or syncing a music collection between locations. I mean people uploading scanned copies of bank account statements, birth certificates, tax returns and family photo collections, all to save some closet space or the footprint of an external hard drive. Or worse, for plain novelty.
Humans have general cognitive guidelines for what possessions are safe or unsafe in different locations. Should there be deviation from those patterns, mental alarms sound and you decide, for example, to stow your iPad under the front seat when leaving your car parked in an open lot.
With cloud data, that mental tripwire loses effectiveness. The cultural norm is to treat intangible information with little to no precaution compared to physical items while the technology involved resides outside most people's sphere of knowledge. Savvy individuals have numerous roll-your-own solutions for secure storage. They know what to look for and what to avoid, but they are a minority. The vast majority of security faux pas occur and are accepted simply because people don't know any better.
A Bitter Aftertaste
I've developed a problem with how the "secure" end of the cloud storage paradigm portrays itself. The attitude of most service providers is misleading and reduces tedious methods of information security to mere buzzwords and taglines which are illusory tools of inadequacy. Eventually I realized that there are only a few cloud storage services which could be classified as a real security product. The rest are items of convenience with a few extra steps taken to satisfy basic concerns, if even that.
The service providers don't make things easy to investigate either. This is my cardinal issue with everyone on this list, excluding only three providers. People should not have to mine forum pages, scour links from obscure blog comments or submit a deluge of support tickets just to piece together how a "secure" storage service is supposed to work.
Too often do company websites contain minimal information but maximum sales hyperbole and sensationalism, while support agents know nothing about even the basic crypto processes of the products. Pointing at HIPAA compliance does not suffice for explanations on key derivation and leasing Amazon server space does not excuse a company from naming an account authentication protocol. Then there's the nauseating salesmanship. Catch phrases like "Military Grade Encryption" and "Same Strength As Your Bank" are used to bolster the just-trust-us model while the opacity of software processes is justified by a cry for preserving security.
While I call for better documentation and transparency, I also believe it is unrealistic to expect casual users to fully grasp them. Paradox? No, because just as open source code can be audited by those capable, inferior cryptographic implementations can be identified for replacement with more secure means. Yes, the code base of the software isn't being examined, but if we know things like how random strings are generated, how keys are derived, and where and how they are stored, then we can discern which services are mature from those which need improvement. In the end, everyone wins. The public (theoretically) gets a better product and the company becomes reputable for using secure practices.
Naivety aside, I was amazed at the lack of transparency in what is certainly a respectable chunk of the cloud service spectrum. Over one third of the companies examined did not respond to my inquiries and support tickets at all. A few companies were genuinely helpful and provided what I needed within their legal recommendations to do so. The remaining responses were a mixture of referring me back to the company's uninformative website, nebulous answers which revealed nothing helpful, or saying they'll send my questions to a developer but with no further response.
Consequently, the data collected in the succeeding pages is not a complete comparison. It's based on the information I either received from these companies, or what was already public.
I only had two requirements for services to appear on this list. The first was the use of at least some form of at-rest encryption. I did not discriminate by whether it was applied client or server side, or by who has control over the encryption keys. The second requirement was that the service needed to be a company's free offering. (As a side note, JungleDisk and Tarsnap are two paid solutions which I frequently saw highly recommended for security and privacy. Since I chose to focus on free services, I didn't include either here but they're certainly capable options.)
The specific information I wanted fit into four areas: key generation & management, account authentication, web access and file encryption. I wanted as much info as possible about the crypto primitives to detail how the service works but I did not do any performance benchmarking. Everything was done in a 100% default installation of Windows 7 SP1 x64 and if something seemed slow or didn't work, I said so but didn't investigate further. I also didn't intend for this to be a comparison of user experiences but there were definitely times when it was unavoidable to...let's say, note my esteemed critique.
Prepare yourselves! For now we begin.
Part I: Cloud Services A Through M