Securely assessing encrypted cloud storage from multiple devices

Nguyen Hoang Long (hoang.l.nguyen@aalto.fi)

Supervisor : Prof. N. AsokanAdvisor : Sandeep Tamrakar

2

Motivation

• Cloud storage allows users to synchronize data across multiple devices.

• Privacy concern about data stored on cloud storage.

• Client-side encryption is an effective way of preserving data privacy.• State of the art: encryption keys derived from passwords

• People pick weak passwords; re-use passwords.• Strong keys: Key distribution • File updates require re-encrypting whole file communication overhead.

3

Goals

Design a multi-platform solution for secure remote storage and file synchronization that:

• automatically encrypts files with client-generated strong keys.• securely distributes keys across users’ devices without any

third party server.• works seamlessly with existing cloud storage services• offers consistent and minimal user interaction.• is efficient in file update and synchronization

4

Design & implementation

• OmniShare application• Works with Dropbox• Available on Android & Windows (PC)

https://se-sy.org/projects/omnishare/

5

Design & implementation

6

Key hierarchy

Auth. Encryption 128-bit AES-GCM

Key hierarchy Top: Root key (RK) Corresponds to directory

structure

Lock-box protects RK 2048-bit RSA public key

Directory Key

Root Key (RK)

Plaintext file Ciphertext fileFile Key

Device keypair

7

Key Distribution

Mobile device A

c

Encrypted content

Key distribution channel discovered automatically (using capability info stored on cloud server)

OOB channel

Encrypt with PKnew

Camera / Display: QR code display / key board: passcode

Authorized DeviceB

New DeviceA

8

Key distribution using QR code

Scan QR codeOOB channel

PKA Verify(PKA , H)

M1 = Enc(PKA , RK)

M2 = HMAC(KSesAuth , M1)M1 + M2

Verify (M1, M2, KSesAuth)

RK = Dec(SKA , M1)

H = hash(PKA)

KSesAuth ∈R{0,1}n

New Device A Authorized Device B

Local ChannelCloud storage

Channel

9

Key distribution using Passcode

New Device A Authorized Device B

P

Copy OOB channel

M = EncAE(Kses , RK)M

RK = DecAE(Kses , M)

Password-authenticated key agreement protocol (PAKE)

Kses

(Passcode)P

Kses

P

Local ChannelCloud storage

Channel

We implement using the Secure Remote Password protocol

10

Problem: Updating encrypted file

<< File size

≈ File size

P- =Updated file Original file

E- =Encrypted updated file

Encrypted original file

11

c

Encrypted Original file

Incremental synchronization

Updated file Original file Diff file

Encrypted diff file

decrypt

Diff file

+Original file Updated file

12

Implementation

13

Evaluation: Security Security evaluation using tool-supported formal

method (Scyther)

Key distribution using QR code

Key distribution using passcode

14

Evaluation: Performance

WA - QRP AA - QRP WA - SRP AW - SRP AA - SRP0

10

20

30

40

50

60

70

Avg

Protocol execution time(seconds)

WA: Windows - AndroidAA : Android - AndroidAW: Android – Windows

QRP: Key dist using QR codeSRP: Key dist using passcode

15

Evaluation: Usability

16

Conclusion

Advantages: Client-side encryption utility with high-entropy keys Multiple platforms Intuitive key distribution mechanism.

Limitation: Incremental synchronization is not robust

Error-prone Double local storage capacity Calculating diff requires reading both revision at the same time.

File conflicts

17

Thank you