Some cloud storage providers that hope to be on the leading edge of cloud security adopt a “zero-knowledge” policy, under which the vendor says it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University questions just how secure those zero-knowledge tactics are.
Zero-knowledge cloud services usually work by storing customer data in encrypted form and giving only the customer the keys to decrypt it, so the vendor never holds those keys. But the researchers found that when data is shared within a cloud service, the key-exchange step can be subverted in a way that would let the vendor peer into customer data if it wanted to. The study casts doubt on these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.
The zero-knowledge cloud vendors examined by the researchers – in this case SpiderOak, Wuala and Tresorit – typically use a model in which data is encrypted before it is stored in the cloud and only decrypted when the user downloads it again. This model is secure. But the researchers warn that if data is shared in the cloud, meaning it is passed to another user through the cloud service without the owner downloading it to their own system, then the vendor has an opportunity to view it. “Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers’ files and other data,” lead author Duane Wilson, a doctoral student in the Information Security Institute at the Department of Computer Science at Johns Hopkins University, was quoted as saying in a review of the report.
It’s common for these vendors to rely on a middle-man service that verifies users’ identities before handing out the keys needed to decrypt shared data. The researchers found that providers sometimes perform that verification themselves. This gives a vendor the opportunity to issue fake credentials that would decrypt the data and let the provider view the information. It’s similar to a traditional “man in the middle” attack.
The researchers say they found no evidence of customer data being compromised, nor have they identified any suspicious behavior by vendors, but they said the design still amounts to a vulnerability. “Although we have no evidence that any secure cloud storage provider is accessing their customers’ private information, we wanted to get the word out that this could easily occur,” said Giuseppe Ateniese, an associate professor who supervised the research. “It’s like discovering that your neighbors left their door unlocked. Maybe no one has stolen anything from the house yet, but don’t you think they’d like to know that it would be simple for thieves to get inside?”
Representatives of SpiderOak, one of the vendors named in the report that markets a “zero knowledge” service, said they agree with some aspects of the study’s findings. SpiderOak encourages customers to use its desktop application to transfer files instead of doing so through the company’s web portal. Using the desktop application ensures that end users are verified before data is decrypted, eliminating the opportunity for the vendor to compromise it. When signing in to SpiderOak’s service, users are required to check a box indicating that they understand that true zero knowledge requires the desktop application.
SpiderOak says it hopes to offer collaboration services around its cloud platform, meaning data would be transferred within its cloud. To enable this functionality, SpiderOak says it plans to use a combination of RSA-based secure identities along with a key and encryption platform. It also hopes to give users a way to securely verify the identity of whoever is viewing their files. Some vendors, like encrypted communication provider Silent Circle, use a voice recognition tool to provide this functionality, and SpiderOak says it is investigating similarly “elegant” ways to verify that data is only shared with people approved by its owner.
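The key-substitution risk the researchers describe, and the out-of-band identity check SpiderOak and Silent Circle point to as the remedy, can be seen in a small simulation. This is an added illustration, not code from the study or from any vendor named here: the Diffie-Hellman group, the provider class, the users “alice” and “bob” and the fingerprint check are all constructed assumptions standing in for the vendors’ RSA-based designs.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: constructed and undersized, for illustration only.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short key digest two people can compare out of band (e.g. read aloud)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def wrap(file_key, my_priv, peer_pub):
    """XOR a 32-byte file key with a key derived from the DH shared secret."""
    shared = pow(peer_pub, my_priv, P)
    kek = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(file_key, kek))

unwrap = wrap  # both sides derive the same kek, so XOR undoes the wrap

class Provider:
    """Stores ciphertext and runs the key directory consulted when files are shared."""
    def __init__(self, substitute_keys=False):
        self.directory, self.substitute_keys = {}, substitute_keys
        self.priv, self.pub = keypair()  # a key pair the provider controls

    def lookup(self, user):
        # A provider that does the identity verification itself can return any key.
        return self.pub if self.substitute_keys else self.directory[user]

def share(file_key, sender_priv, provider, recipient, expected_fp=None):
    peer_pub = provider.lookup(recipient)
    if expected_fp is not None and fingerprint(peer_pub) != expected_fp:
        raise ValueError("recipient key fingerprint mismatch")
    return wrap(file_key, sender_priv, peer_pub)

def provider_can_read(substitute_keys, verify_fingerprint):
    """True if the provider recovers the file key, False if not, None if the share was refused."""
    provider = Provider(substitute_keys)
    (alice_priv, alice_pub), (_, bob_pub) = keypair(), keypair()
    provider.directory.update(alice=alice_pub, bob=bob_pub)
    file_key = secrets.token_bytes(32)
    expected = fingerprint(bob_pub) if verify_fingerprint else None  # obtained from Bob directly
    try:
        wrapped = share(file_key, alice_priv, provider, "bob", expected)
    except ValueError:
        return None
    return unwrap(wrapped, provider.priv, alice_pub) == file_key
```

With an honest directory the provider cannot recover the key; a directory that substitutes its own key can, unless the sender checks the recipient’s fingerprint through a channel the provider does not control, in which case the share is refused.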