To achieve this goal homomorphic encryption IS NOT necessary at all

Only if you use the cloud for storage.

But what about when you want to use the cloud for computation?

according to the vendor file names and meta data are encrypted by AES on the client-side.

This may or may not be effective, depending on the mode AES is used in and any random numbers used once (hence "nonce") as padding / IV etc.

Over simplisticaly short messages become simple substitution ciphers with any block cipher in many of the standard modes if not implemented with care, which can be a significant problem as in effect information will leak.

Look at an old example where this happened, you have an old fashioned text menu system as beloved of TTY/VDU comand line systems. The menu requires a simple series of Y/N answers. The designer used a cipher chaining mode but alwaysed used the same IV and reset the chain on each transaction (ie press of the return key). So the Y and N always encoded the same under the same key.

Now if this menu format is known to an attacker (which is a reasonable assumption) it does not matter which key you encrypt the Y or N under you end up with two substitutions, which can easily be guessed which coresponds to Y and which N. So the attacker can work out fairly easily whhich menu option you are in...

So in a simple "code book" encryption system or one which has been designed by someone NOT familiar with the potential pit falls of chaining modes or using block ciphers as stream generators etc you could end up with a simple substitiution system or similar leaking information.

Also, with regards,

The AES key is in turn encrypted by the user's public key. So technically the vendor is not able to read the data

There are many issues with Public Key key generation [1][2] and use [3]. And like the use of modes for block ciphers encrypting a short (by comparison to the PubKey length) symetric key under a PubKey can have padding and other issues.

Thus even though the likes of SSL/TLS have known defects they are likely to be a lot more secure than an adhoc homebrew crypto system.

So you would need to check that any system used by the vendor was "standards compliant" or had been checked by some one suitably qualified (and they are less common than hens teeth) to check the protocols and methods in use.

[1] It has been shown repeatedly that most random number generators in use are realy not upto the job of producing anything sufficiently close to the unpredictability requirments for cryptography [4][5].

[2] Adam Young and Moti Yung showed how the original primes could be leaked in a PK in a way that is not possible to detect only knowing either the public or private key in a process they called Kleptography.

[3] Don Coppersmith one of the DES designers who originaly discovered differential cryptography (T-Attack) showed there are issues to do with RSA public keys that give rise to a class of attacks, http://en.m.wikipedia.org/wiki/...

[4] A known defect in the RNG in several embbeded products such as routers meant that one of the random numbers used to select one of the primes used to generate a PubKey for the device was of an extreamly limited range which opened up an associated key attack [5].

[5] One accademic paper showed how a short cut could be used to discover if a public key had a common prime with another pub key thus making the reward for factoring just one PubKey rather more significant [6].

[6] However the deffect in the RNG acts as a short cut in it's own right due to the limited numberr of candidates for on of the two primes. This has the effect of putting 1024bit RSA keys generated on these embeded devices very much in a factorable range.

That's a good point. However, according to the vendor file names and meta data are encrypted by AES on the client-side. The AES key is in turn encrypted by the user's public key. So technically, the vendor is not able to read the data.

The vendor argues that transport security (TLS) is not implemented as the files are encrypted on the client anyway

That means that only the file contents are encrypted, not the file name or other meta data.

Such meta data could provide an attacker with sufficient information to make meaningful deductions about waht is going on within an organisation as such this is generaly considered undesirable.

The vendor argues that transport security (TLS) is not implemented as the files are encrypted on the client anyway

That means that only the file contents are encrypted, not the file name or other meta data.

Such meta data could provide an attacker with sufficient information to make meaningful deductions about waht is going on within an organisation as such this is generaly considered undesirable.

One thing that they mention is that users have to believe that the JavaScript client-side implementation is secure - if they mess it up, either accidentally on on purpose (they also mention US court order to mess it up - is that even possible to happen?) the system breaks right there. Is there a way of assuring that such client-side encryption does not depend entirely on the good will of the service programmers?

One will be surprised how simple these solutions are nowadays. For widespread adoption, we just need awareness that alternatives are out there.

The theory is that if all the data is encrypted, its harder for the big media companies to shut it down (because it will be much harder for them to prove that the operators of the site had any knowledge of what their users are doing)

Years ago, I promoted using small, cheap computers as individual application nodes. Security enforcement would happen at many levels using trusted components.

+10

That's just a minor nuisance since BoxCryptor supports all three of them, and on a variety of platforms. AES256, and free for personal use."

Cloudfogger is another alternative, also free for personal use.

"The Orange Book guys spent 20-odd years picking away at it in a much simpler environment (carefully-controlled, fixed-functionality mainframes) and found it was an unsolvable problem, so I don't see how the cloud guys are going to solve it now."

Good to see I'm not the only one looking for wisdom in all that old stuff. ;) They got pretty far back then. Combine old & new, you can do something like they set out to do. The problem? It will be HORRIBLY slow, minimalist, & practically unusable. Wait a second, aren't those the opposite of the adjectives used by cloud promoters?

Yes, reality has a harsh bite. Years ago, I promoted using small, cheap computers as individual application nodes. Security enforcement would happen at many levels using trusted components. Today, I still think that's the only way to do some of what cloud back-end does in a trustworthy fashion. It's just that the hardware & cloud provider incentives both make "secure, sharing of resources" an oxymoron.

Scrambls is a free solution at www.scrambls.com which matches the proposed architecture - the user controls the encryption keys, and they are always separate from the encrypted data held in the cloud.

"http://www.wave.com/buzz/pr/protect-content-cloud-scrambls-files"

Scrambls was has been available for about six months to allow private social media posting in Twitter, Facebook, etc. With this announcement Scrambls now supports encryption of files as well.

I hate Dropbox, Skydrive, Google Drive etc. for not supporting client side encryption.

That's just a minor nuisance since BoxCryptor supports all three of them, and on a variety of platforms. AES256, and free for personal use.

Still, it does not excuse at least giving the option of client side crypto built into the software. If I have sensitive data then chances are it's has no redundancy anyway. So why not let me designate a Secure folder and anything placed in it is scrambled with my key before being sent up.

But that said, I'm sure someone could write something akin to Dropbox where you copy files to another folder, and these are encrypted before being copied to the dropbox folder after they have been encrypted and vice versa. So I work with folder A monitored by a crypto app. The crypto app encrypts the files in folder A, and copies them to folder B which dropbox is monitoring. Dropbox syncs them to the cloud. If a file appears in the Dropbox folder then the crypto app copies and decrypts the plaintext back to A.

Explanation: ^H only deletes one character. ^W deletes a whole word.

In any case the issue will resolve itself in a couple of years when the pendulum swings back away from centralised mainframes^H^H^H^Hcloud services again, as it has every 5-10 years for some decades now. We've then got another 5-10 years before it swings back the other way again.

"So, when FadeVersion 'deletes' an archive... it simply destroys the key? Isn't that all 'shredders' do on encrypted drives?"

There's actually several ways COTS products might delete sensitive data: a file delete operation; a delete followed by overwriting; store encrypted, then loose the key. Many products and "erase your drive" tips talk about overwrite strategies, built-in erase features, etc. There are also drive with crypto built in whose technique is unverifiable for us. There have been theoretical and practical attacks on all of these.

The technique I've always recommended is to store the files strongly encrypted, make sure the key never touches the disk (partly user generated) & simply ditch the key to erase the data. It's much easier (and cheaper) to erase a key in RAM than to overwrite or destroy physical storage mediums (e.g. degausers, shredders, thermite). Additionally, getting rid of GB or TB of data is quite time consuming, unlike destroying 128-256bits of key material.

It's an architecture using a mixture of well connected notary peers and personal peers on plug computers to create a trustworthy network without trusting any component completely. Including yourself. Logical objects representing users, databases, websites etc. are replicated to a controlled per-object set of peers. Updates are fault tollerant. (As of todays implementations byzantine agreement from assigned peers is used.)

To point out the blindingly obvious: deduped "encryption" allows anyone to verify if you have stored a particular datum (for whatever size chunk is "encrypted"/deduped). It also strongly reminds me of CBC encryption (only worse).

$10 infinite storage only makes sense for anyone who's data is worth less than $10.

rsyncrypto http://rsyncrypto.lingnu.com. Open source. Does client side encryption which is rsync compatible.

I developed it for a cloud base backup service which never took off.

Shachar

Spideroak does not deduplicate across accounts while Wuala does (not sure about Bitcasa). But as "Alan Fairless" posted, doing so while preserving all security properties is not possible (with current techniques). If a cloud storage service can deduplicate a file I upload, it can also (and does) tell me when someone else is storing that file. It's relatively simple for me to use that property to tell me if someone using the service is storing ANY given file. That's not a security property you'd expect secure online storage to have.

You don't need to worry about an employee leaking your data or a hack of our system because we have a certificate

Read Jerry's comment on the original article. He point's out that the argument doesn't make sense as cloud is being used to process data; not just store it.

Bitcasa, Spideroak, and I believe Wuala already do this.

The article is on the site called NextGov and directed at government customers so I think the points about encryption and data mining, given the context, don't make much sense, at least to US federal customers and their contractors.

Government customers aren't using free cloud services and the cloud services they use certainly aren't allowed to mine the data. If you are a US federal customer or contractor you have to comply with FISMA. The feds are spending billions on cloud services at the moment and not just from any old cloud service provider. They have to have a federal ATO, be on the GSA's IaaS BPA, or be in the process of getting a FedRAMP provisional ATO. And FIPS 140-2 support is a requirement. And they have continuous monitoring. These type of customers do use Amazon, but they are on Amazon's GovCloud (https://aws.amazon.com/govcloud-us/) or using Apptis, not your regular AWS.

And author is from the Chertoff Group. Makes one wonder what their interest is? See https://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html. "Michael Chertoff, former Department of Homeland Security secretary, has been touting the full-body scanners, while at the same time maintaining a financial interest in the company that makes them."

"FadeVersion follows the standard version-controlled backup design, which eliminates the storage of redundant data across different versions of backups. On top of this, FadeVersion applies cryptographic protection to data backups. Specifically, it enables fine-grained assured deletion, that is, cloud clients can assuredly delete particular backup versions or files on the cloud and make them permanently inaccessible to anyone, while other versions that share the common data of the deleted versions or files will remain unaffected. "

http://www.cse.cuhk.edu.hk/~pclee/www/pubs/...

Academics have also been producing designs to allow trusted computations on untrusted OS's & hypervisors via TPM. An issue I see with that is, assuming there's really a TPM on the machine (wink), the cloud providers are likely to use vTPM's instead of TPM's. There's price/performance motivations for this. A vTPM's security != a hardware TPM's security, though, good as it might be. Particularly, the security assumptions & models TPM-based designs are using might differ from the cloud provider's implementation, thus invalidating security proofs or claims.

http://domino.research.ibm.com/library/...

Check out ownCloud. private cloud on your own home server/inteligent-nas. Not sure if it fits your requirements.

You'll be surprised how many home-cloud solutions are out there, problem is obviously marketing. And lack of finance usually make those solutions pretty specific.
For mediastreaming over the web you already got several. (eg. plex)
Commercial alternative to ownCloud is for example Tonido.

Candidate solutions aside, I do think the ultimate service lies in a hybrid, where you have both encrypted and unencrypted files/services.
My requirement for a homecloud would be syncing with devices, and secure incremental backups to off-site locations (eg. friends using the same solution) or sharing specific folders with them (eg. personal dropbox).

I really have no trouble with parties like google aggregating data from me along with thousands of other users and selling those anonymous aggregated statistics to whatever company they like. After all, I'm getting a nice service in return. I'm more concerned with any unauthorized (by me) party gaining access to my specific data. Obviously I'm pointing at governments and hackers.

"Convergent Encryption" / server-side de-duplication of encrypted data are incompatible with zero-knowledge privacy guarantees. SpiderOak blogged in detail about how it leaks information. https://spideroak.com/blog/20100827150530-why-spideroak-doesnt-de-duplicate-data-across-users-and-why-it-should-worry-you-if-we-did

Only put your crap in the "cloud", not your data. In other words, treat the "cloud" like the sewer: one way out, away, never to be seen again.

Or, just wait until they provide "private cloud" services, USING YOUR OWN PC AS THE STORAGE MEDIUM, and charge you for it. hee hee hee.

http://eprint.iacr.org/2012/631

Essentially, it uses a hash of the message as the encryption key. Two identical messages will end up with the same key and therefore the same ciphertext.

Encryption is no panacea: you still need to trust whoever is manipulating your data, it just avoids the need to rely on trust in your storage/transmission.

Bruce > You can add https://spideroak.com/ to your list of cloud providers trying to help.