“To Share or not to Share” in Client-Side Encrypted Clouds

  • Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8783)

Abstract

With the advent of cloud computing, a number of cloud providers have arisen to offer Storage-as-a-Service (SaaS) to both regular consumers and business organizations. SaaS (distinct from Software-as-a-Service in this context) refers to an architectural model in which a cloud provider supplies digital storage on its own infrastructure. Three models exist among SaaS providers for protecting the confidentiality of data stored in the cloud: 1) no encryption (data is stored in plain text), 2) server-side encryption (data is encrypted once uploaded), and 3) client-side encryption (data is encrypted prior to upload). Through a combination of network and source code analysis, this paper seeks to identify weaknesses in the third model, whose providers claim to offer 100% user data confidentiality throughout all data transactions. The weaknesses we uncovered primarily center around the fact that the cloud providers we evaluated (Wuala, Tresorit, and SpiderOak) were each operating in a Certificate Authority capacity to facilitate data sharing. In this capacity, they assume the role of both certificate issuer and certificate authorizer, as denoted in a Public-Key Infrastructure (PKI) scheme, which gives them the ability to view user data, contradicting their claims of 100% data confidentiality. We have collated our analysis and findings in this paper and explore some potential solutions to address these weaknesses in these sharing methods. The solutions proposed are a combination of best practices associated with the use of PKI and other cryptographic primitives generally accepted for protecting the confidentiality of shared information.
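As an added illustration (not code from the paper or from any of the providers it studies), the Go program below models the sharing step the abstract describes: a client fetches the recipient's public key from a provider-run directory and derives the secret that wraps the file key. It contrasts a flow that trusts the directory alone with one that also checks the served key against a fingerprint obtained directly from the recipient, one of the PKI best practices the abstract points to. The user names, the X25519/SHA-256 construction and the substituted-key scenario are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Directory models the provider in its CA role: the only source of a
// recipient's public key for a client that wants to share a file.
type Directory map[string][]byte

// Fingerprint is what two users compare out of band (constructed scheme).
func Fingerprint(pub []byte) [32]byte { return sha256.Sum256(pub) }

// ShareKeyNaive trusts the directory alone and derives the secret that
// would wrap the file key for the recipient.
func ShareKeyNaive(sender *ecdh.PrivateKey, dir Directory, to string) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(dir[to])
	if err != nil {
		return nil, err
	}
	return sender.ECDH(pub)
}

// ShareKeyPinned refuses a served key whose fingerprint differs from the
// one the sender obtained directly from the recipient.
func ShareKeyPinned(sender *ecdh.PrivateKey, dir Directory, to string, pin [32]byte) ([]byte, error) {
	if Fingerprint(dir[to]) != pin {
		return nil, fmt.Errorf("key served for %q does not match pinned fingerprint", to)
	}
	return ShareKeyNaive(sender, dir, to)
}

// Demo (constructed scenario): the directory serves a provider-held key under
// Bob's name. It reports whether the naive secret is one the provider also
// holds, and whether the pinned flow rejects the served key.
func Demo() (providerHoldsSecret, pinnedRejected bool) {
	curve := ecdh.X25519()
	alice, _ := curve.GenerateKey(rand.Reader)
	bob, _ := curve.GenerateKey(rand.Reader)
	provider, _ := curve.GenerateKey(rand.Reader)
	pin := Fingerprint(bob.PublicKey().Bytes()) // learned from Bob, not the provider
	dir := Directory{"bob": provider.PublicKey().Bytes()}
	secret, _ := ShareKeyNaive(alice, dir, "bob")
	fromProvider, _ := provider.ECDH(alice.PublicKey()) // the weakness: the issuer knows the matching private key
	_, err := ShareKeyPinned(alice, dir, "bob", pin)
	return bytes.Equal(secret, fromProvider), err != nil
}

func main() { fmt.Println(Demo()) }
```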

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Wilson, D.C., Ateniese, G. (2014). “To Share or not to Share” in Client-Side Encrypted Clouds. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_24

  • DOI: https://doi.org/10.1007/978-3-319-13257-0_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0

  • eBook Packages: Computer Science (R0)
